25 July 2015

Microsoft security still lives in 1998.

Whether we like them or not, our passwords are the last roadblock to a hacker accessing our information. So, here is how you can keep your information safe:
  • Use dual layer authentication with every provider that offers it.
  • Use a unique password for every single site and have a reputable password manager track them.
  • Do not choose a password that can be easily guessed by someone who knows you or knows where you reside.
  • You can skip special characters and mixed upper/lower case if the site permits it, because studies have shown that the length of your password is what slows a hacker down.
  • Feel free to use combinations of words or phrases to get the password length up there.
  • For important web sites (Google, Microsoft, Apple, Facebook, PayPal, banks) use a password over 14 characters long - ideally nearly 20.

Do all of these things and the odds are that you will not have an account hacked. Unless we are talking about your Microsoft Live password, of course, because the folks in Redmond love to remind us that their security measures are still a step behind everyone else's. This is particularly troubling because most of us use our Microsoft Live password as the login to our Windows desktops and tablets, too.

It is not all storm clouds in the Seattle area. They did recently start offering dual layer authentication, which I highly recommend. One particularly negative part of the process is that I had to wait 6 weeks with limited access to my Microsoft Live account while they made the change. I have no idea why since other companies (ahem - Google) can make this adjustment in seconds. But - I still recommend it, despite the delays.

Even with text verification in place, it is still possible for someone who steals your phone to access your account if they can figure out your password. Until we all start putting RFID chips under our skin, the number one security measure is to use passwords that are at least 14 characters in length. Which is why I continue to be in shock that, since Microsoft merged Windows logins with Microsoft Live accounts, they have a secret limit on password size of 16 characters. The information I store in OneDrive is worth my typical 20-character length, and so every few months I go back to see if I can increase the size of my password. No such luck.

Password length should be unlimited. If someone wants to use a 500-character password then let them do it - they will have the most secure Microsoft account anywhere. The time it takes to break a password that is 10 characters (which meets your requirements) is as little as 40 seconds. If you require at least 14 characters it would take 8 thousand years, and 18 characters would require 3 billion years.
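To put numbers on the two claims above (length beats character-class variety, and a silent 16-character cap throws away strength the user thinks they have), here is a small calculator added as an illustration; it is not code from the original post or from Microsoft. It assumes a 95-symbol printable-ASCII alphabet split into four classes and a hypothetical guessing rate of 10^10 guesses per second; it does not reproduce the post's 40-second and 8-thousand-year figures, whose assumptions are not stated.

```python
import math
import string
from typing import Optional

# Assumed character classes: printable ASCII, 26+26+10+33 = 95 symbols.
CLASS_SIZES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation + " "), 33),
}

def charset_size(password: str) -> int:
    """Alphabet size an attacker must search to cover every class this password uses."""
    size = 0
    for chars, n in CLASS_SIZES.values():
        if any(c in chars for c in password):
            size += n
    return size

def entropy_bits(password: str, max_len: Optional[int] = None) -> float:
    """Brute-force search space in bits. If a service silently truncates at
    max_len (the 16-character limit the post complains about), only the kept
    prefix contributes; the rest of what the user typed buys nothing."""
    kept = password if max_len is None else password[:max_len]
    if not kept:
        return 0.0
    return len(kept) * math.log2(charset_size(kept))

def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to hit the password: half the keyspace at the given rate."""
    return (2.0 ** bits) / 2.0 / guesses_per_second

if __name__ == "__main__":
    RATE = 1e10  # hypothetical offline guessing rate (guesses/s)
    YEAR = 3.156e7
    # Constructed samples: a short "complex" password vs long simple phrases.
    for pw in ["P@ssw0rd!1", "horsestaplebatterycorrect", "my dog ate 3 bagels"]:
        bits = entropy_bits(pw)
        print(f"{pw!r:30} {len(pw):2d} chars {bits:6.1f} bits "
              f"~{expected_crack_seconds(bits, RATE) / YEAR:.3g} years")
    # Same 20-character lowercase password, before and after a silent 16-char cap.
    pw = "abcdefghijklmnopqrst"
    print("full:", round(entropy_bits(pw), 1), "bits; capped at 16:",
          round(entropy_bits(pw, max_len=16), 1), "bits")
```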

Please, Microsoft ... Get this bug fixed.