<p>Passwords, unfortunately, still are the main authentication mechanism on most Web sites, including all of the popular webmail services, such as Hotmail, Gmail and Yahoo Mail. Many sites encourage users to pick complex and long passwords, so it's surprising to see that Microsoft now has limited Hotmail passwords to no more than 16 characters. Even more surprising, however, is that Hotmail will accept the first 16 characters of an existing, longer password, indicating that the company may have been storing users' passwords in plaintext.</p><p>It's not clear when Microsoft made the change to limit the number of characters allowed in the passwords for Hotmail accounts. But security researchers who looked at the new requirement found the change odd, to say the least. Sixteen characters is a somewhat arbitrary limit, but the more interesting bit is why Microsoft chose to make the change at all.</p><p>The real question, however, is what the implications of the change are. As Costin Raiu, head of Kaspersky Lab's GReAT research team, wrote in an analysis of the issue, one possibility is that Microsoft has been truncating longer passwords to 16 characters all along and then hashing those first 16 characters. The other possibility is somewhat more troubling.</p><p>"My previous password has been around 30 chars in size and now, it doesn't work anymore. However, I could login by typing just the first 16 chars," he wrote.</p><p><a href="http://threatpost.com/en_us/blogs/hotmail-limits-passwords-16-characters-092112">Keep reading...</a></p><p>Read also:</p><p><a href="http://thenextweb.com/microsoft/2012/09/21/this-ridiculous-microsoft-longer-accepts-long-passwords-shortens/">Microsoft no longer accepts long passwords, shortens them for you</a> (The Next Web)</p><p>Explore: <a href="http://news.google.com/news/more?pz=1&ned=us&ncl=dCGhzyEVUESkvXMD2_wxgV4Qhu4SM">2 additional articles.</a></p>