
Password length and Hotmail
Issues: Anti-virus, Firewall/UTM, Privacy
Password length and Hotmail 8 Months ago Karma: 2
Interesting post by Kaspersky's Costin Raiu on the disconnect between best practice in passwords and current practice for at least one prominent destination.

Raiu advises users to build passwords that:
* include both uppercase and lowercase chars
* include at least one space character
* include numbers
* include several symbols such as !@#
* are not based on a known word
* are at least 12 chars in size, but the longer the better

He then goes on to talk about getting a message from Hotmail, telling him that his password is too long - that Hotmail limits passwords to 16 characters. After discussing the implications of this message, Raiu concludes that "since its inception, Hotmail was silently using only the first 16 chars of the password." A link from one of the comments to Microsoft.com shows that this is indeed the case.

As intrusions become more common, the authors of these intrusions become better-armed and more skilled, and (as a result of both points) security becomes more complex, it will be important for all sites to keep pace with best practices. Clearly, this is more of a challenge for sites with millions of users than for start-ups - but it's not less important!

Tip of the cap to Kaspersky's Nicole Capulla for the link to the Raiu post.
Michael_ONeil
Admin
Posts: 709
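
An added example, not part of the original post or of Raiu's article: a constructed model of the silent 16-character truncation described above, with an audit check that detects it and a checker for Raiu's listed rules. The `PasswordStore` class, the PBKDF2 storage scheme, the probe password and the reading of "several symbols" as two or more are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_LEN = 16  # limit reported in the post; everything else here is constructed


def derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest (an assumed storage scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordStore:
    """Hypothetical one-account verifier; truncate=True models the behaviour described."""

    def __init__(self, truncate: bool):
        self.truncate = truncate
        self.salt = os.urandom(16)
        self.digest = b""

    def _norm(self, password: str) -> str:
        return password[:MAX_LEN] if self.truncate else password

    def set_password(self, password: str) -> None:
        self.digest = derive(self._norm(password), self.salt)

    def verify(self, candidate: str) -> bool:
        return hmac.compare_digest(self.digest, derive(self._norm(candidate), self.salt))


def silently_truncates(store: PasswordStore, limit: int = MAX_LEN) -> bool:
    """Audit check: set a long password, then try the same prefix with another tail."""
    probe = "Tr 4!x@Qz9#Lm2$w" + "-tail-one"  # constructed sample, 25 characters
    assert len(probe) > limit
    store.set_password(probe)
    return store.verify(probe[:limit] + "-other-tail")


def checklist_failures(password: str) -> list[str]:
    """Raiu's rules from the post, minus the known-word rule (it needs a word list)."""
    symbols = sum(not c.isalnum() and not c.isspace() for c in password)
    rules = {
        "upper and lower case": any(c.isupper() for c in password)
        and any(c.islower() for c in password),
        "a space": " " in password,
        "numbers": any(c.isdigit() for c in password),
        "several symbols": symbols >= 2,  # assumption: "several" means two or more
        "12+ characters": len(password) >= 12,
    }
    return [name for name, ok in rules.items() if not ok]
```

A store that truncates accepts any candidate sharing the first 16 characters, so the characters a user adds beyond that point contribute nothing to the password's strength.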