I understand why a well established service such as Microsoft's Hotmail (or Outlook) would prevent passwords that are too short, but why limiting password length on the opposite side?

I am switching management of my passwords to a password manager that I set up to generate random passwords 18 characters long with all the possible special symbols. As an example:


That is a good process, because by changing your old passwords you learn about all the security holes in your previously used services.

So when I was changing my Hotmail account password I got this message:

Your password can't be longer than 16 characters.


What a dumb statement! Are they using something like DES encryption or a similar broken block cipher? Can someone explain this limitation to me?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.