Which suggests to me that MS stores plaintext passwords. Because a hash function doesn’t care about the length of what it’s hashing, the output will always be the same length, so they could verify a 300 character password with the same storage space as a 3 character password.
What’s stored is hash(password). Then the password check is stored == hash(entered).
Hash(x) will be the same length, regardless of what x is. What that length is depends on which hash function it is. So the database can set the length of its storage for each user’s password to the length of the hash and the hash function will take any size password.
What’s the point of a long password on Windows? I understand that sometimes you don’t want people accessing your stuff, but all it takes to bypass that and someone access your files is booting off of a USB stick. Or do you perhaps use full disk encryption?
Most people are more worried about remote attackers than someone physically putting hands on their PC. But, yes, you should pretty much without exception be using full disk encryption.
It’s very assholish of Microsoft to lock bitlocker behind the Pro license.
It’s mostly my penchant for longer passwords in general. I did not plan to swap up strategies for my personal PC login account. Seeing microsoft demand a shorter password than I use almost everywhere else was… not promising.
I use that command partially because Microsoft accounts don’t allow passwords as long as the password I like to use for my PC
are you a horse battery staple wizard
Basically. It’s essentially a full-on sentence and last time I looked, Microsoft allowed about half the character length.
Well, at least they aren’t pretending to accept longer passwords but actually truncating it, like they used to in hotmail and live.
They were silently truncating the passwords to something like the first 16 characters, the rest was ignored.
Which suggests to me that MS stores plaintext passwords. Because a hash function doesn’t care about the length of what it’s hashing, the output will always be the same length, so they could verify a 300 character password with the same storage space as a 3 character password.
Not how it works. You don’t attempt to guess the hashed password, you guess a password which then is hashed
What’s stored is hash(password). Then the password check is stored == hash(entered).
Hash(x) will be the same length, regardless of what x is. What that length is depends on which hash function it is. So the database can set the length of its storage for each user’s password to the length of the hash and the hash function will take any size password.
Genuine question:
What’s the point of a long password on Windows? I understand that sometimes you don’t want people accessing your stuff, but all it takes to bypass that and someone access your files is booting off of a USB stick. Or do you perhaps use full disk encryption?
Most people are more worried about remote attackers than someone physically putting hands on their PC. But, yes, you should pretty much without exception be using full disk encryption.
It’s very assholish of Microsoft to lock bitlocker behind the Pro license.
It’s mostly my penchant for longer passwords in general. I did not plan to swap up strategies for my personal PC login account. Seeing microsoft demand a shorter password than I use almost everywhere else was… not promising.