> Besides, 16 character long password can have 2.8 nonillion possible combinations. You are more likely to reuse your passwords and got owned through that than password brute forcing.
That's a terrible excuse for a 16-character limit. Just admit it was a bad decision (probably made a long time ago) and move on.
The stupid part is this[1]: Passwords cannot contain spaces or "non-English" characters.
1: http://help.outlook.com/en-gb/140/cc540536.aspx
Edit: The double stupid here is the fact that non-ASCII is referred to as "non-English". I'm pretty sure e.g. résumé is a correct English spelling.
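To make the two complaints above concrete (the 16-character cap and the "non-English" rule that rejects words like résumé), here is an added illustration, not code from any commenter or from Microsoft: a toy model of the quoted restrictive policy next to a Unicode-aware one, plus the keyspace arithmetic behind the "2.8 nonillion" figure (which matches 80^16, i.e. an assumed 80-symbol alphabet).

```python
import math
import unicodedata

NAIVE_MAX_LEN = 16   # the cap complained about in the thread
SANE_MAX_LEN = 128   # hypothetical generous bound so the hashing backend is never fed megabytes


def naive_policy_ok(pw: str) -> bool:
    """Model of the quoted rules: at most 16 characters, no spaces,
    no 'non-English' characters (which in practice means non-ASCII)."""
    return len(pw) <= NAIVE_MAX_LEN and " " not in pw and pw.isascii()


def sane_policy_ok(pw: str) -> bool:
    """Accept any printable Unicode, spaces included; only bound the length."""
    return 1 <= len(pw) <= SANE_MAX_LEN and all(ch.isprintable() for ch in pw)


def normalize(pw: str) -> str:
    """Canonicalise to NFC before hashing so that 'résumé' typed with a
    precomposed é and with e + combining acute verify as the same secret."""
    return unicodedata.normalize("NFC", pw)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Maximum entropy a policy permits: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for pw in ("résumé", "correct horse battery staple", "Tr0ub4dor&3"):
        print(f"{pw!r}: naive={naive_policy_ok(pw)} sane={sane_policy_ok(pw)}")
    # 80 printable symbols, 16 characters: 80**16 is about 2.8e30 (2.8 nonillion)
    print(f"80^16 = {80 ** 16:.1e}, {keyspace_bits(80, 16):.1f} bits")
```

The naive check rejects a correctly spelled English word and any passphrase with spaces, while the Unicode-aware policy accepts both; normalizing to NFC is the caveat that makes accepting non-ASCII safe in practice.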
The comment you're quoting specifically asserts that it does not represent the company:
> (I work at Microsoft) but my opinion does not represent that of my company.
For the record, I also work for Microsoft, and my comments also do not represent the company.
And people with passwords bigger than 16 chars are a corner case. HN has had top stories telling programmers not to care about corner cases or to assign a very low priority to them.
In my opinion: "Nothing to see here, move along".
I agree it sounds weird, especially since I guess everything is done on top of .NET and JS, neither of which is likely to suffer from buffer overflows, nor would whatever protocols they use have problems transporting large strings with non-ASCII chars. And I don't see any other technical problems that might cause this.
But there has to be a reason. I guess it's possible someone was overzealous or screwed up. Maybe it was because it would be too hard to type it on an Xbox? Doesn't sound very plausible though.
I doubt that MS is doing password hashing wrong - it's not hard to begin with, and they probably learned their lesson from the NT days when they implemented password hashing poorly and it led to the NT passwords being easy to brute force.
That's because HN focuses on startups. Startups have extremely little time, money and resources. Microsoft has over 94,000 headcount.
Microsoft has extremely different expectations from startups. In fact, knowing just about anything about Microsoft's decades of history, you'd know just how much attention they pay to corner cases when it comes to backwards compatibility.
Another example: do startups spend much time preparing support for 50 different languages, including RTL, before a product release? Should Microsoft?
Advice you see on HN doesn't represent anything more than the current hip advice for startups. Certainly not how a multibillion dollar international corporation should design products.
But Apple is a multibillion dollar international corporation (more billions than MS) and they still famously cut corner cases.
If you go into every corner case, you'll never ship and I don't really think it's that practical/easy to keep adding people to a project to fix every corner case.
There's been more than one situation in which they ignored more than just corner cases in backwards compatibility: Windows Mobile -> WP7 -> WP8 and Internet Explorer come to mind. I don't know many examples but that might be because the only MS product I've actually owned in recent times was an XBox 360 (which went RRoD 2 yrs ago).
Also, strictly speaking, this isn't about backward compatibility: from the comments I've read here, you can still have the same Windows password you had before. The password restrictions only apply to their online service (Live account or whatever they are calling it).
That said, major portions of what's new in Windows 8 require a Windows Live account to use (the app store, most of the Metro apps, etc).
So it's a 2 step flow.
Granted, that'll probably be the majority. Anyone know if non-MS accounts have this limitation?
EDIT: Nope, see http://news.ycombinator.com/item?id=4389204