A quick look at security features on Microsoft's new Outlook.com email service

With the launch of Microsoft's Outlook.com, many have been questioning security features of the new email service. The most dominant topic is the limit of 16 characters for passwords. This is a limitation that was also present in Hotmail / Live and has been brought forward into its successor (due to Microsoft's login system). We'll take a look at this issue as well as a quick overview of additional security measures Microsoft has implemented to keep your emails safe.

Password character limitations

A counter question would be do you honestly need more than 16 characters? It's an argument that could span a number of pages in a forum thread or accumulate a hundred or so comments on this article. One side could -- of course -- argue that using as many characters as possible is more secure due to the creation of more possible combinations.

On the other hand, the password "123456789101112131415" is less secure than "3%84Dji8u&L8D", so it's more about how consumers create their account passwords. Using a random generator (or simply having some fun with random combinations in Notepad if you have the time) is always recommended - of course you should always note down what you've decided on. It's amusing to hear / read about company security holes due to employee passwords, "Admin" being the best example. It's certainly not rocket science.

Microsoft has responded to concerns about the 16 character limit, should you be interested to read an official response:

"We are working on increasing this. Unfortunately, for historical reasons, the password validation logic is decentralized across different products, so it's a bigger change than it should be and takes longer to get to market. It's also worth noting that the vast majority of compromised accounts are through malware and phishing. The small fraction of brute force is primarily common passwords like '123456' not due to a lack of complexity."

That being said, we can't see an issue with the 16 character limitation. It shouldn't worry consumers when using the service. LinkedIn is a superb example of how security can go horribly wrong. Check out the following Rapid7 infographic (click for larger version) on the most popular passwords that were reportedly already cracked prior to the account passwords being stolen. You'll be surprised by what made the list.

LinkedIn Infographic

While we can understand the concern for the limitation and that those who are security obsessive would prefer to have a high amount of characters in passwords, it's not the end of the world should you ensure they're randomly generated with a sufficient combination of alphanumeric (and special) characters.

Single-use codes for masking account credentials

Microsoft has also implemented single-use codes for logging into Outlook.com when on a public computer or other devices where the user may be at risk of having their passwords detected. The single-use code enables Microsoft to text a passcode to the user's mobile phone (email and phone number required when attempting to login), which negates the need for the account password.

The single-use code (as the name implies) can only be used once and is invalid once the user has successfully logged in. It's good to have extra protection in place for Outlook.com users to be able to access their email on computers / devices in public places.

Two-factor authentication and no targeted advertising

One of the major reasons Microsoft provides to attract Gmail users is the company will not be reading emails to provide targeted and relevant advertising using its network of publishers - remember the Gmail man? This ensures user data is kept private. While advertising is present on main folder view pages, its in the form of general adverts that will be displayed to everyone.

Microsoft has also responded to a question on Reddit inquiring about two-factor authentication in its global login system:

"Over the last 6 months we have rolled out two-factor authentication in several systems that use Microsoft account. For example, you need to use two-factor auth to buy stuff on xbox.com, to remotely fetch files from other computers on SkyDrive and more. We are learning a lot from this and have more in the works. We see two-factor auth as being an increasingly important piece of our protection suite."

What we can all take away from this is that Microsoft is working hard on further tightening security in its products and backend services. We can expect to see more information and updates applied to enhance protection already implemented. All-in-all, rather good stuff.

Let us know your thoughts in the comments, do you believe Microsoft is doing enough to secure your data in the cloud?

Rich Edmonds
Senior Editor, PC Build

Rich Edmonds is Senior Editor of PC hardware at Windows Central, covering everything related to PC components and NAS. He's been involved in technology for more than a decade and knows a thing or two about the magic inside a PC chassis. You can follow him over on Twitter at @RichEdmonds.

  • I don't really agree with that statement about which password is easier to crack. The entropy increases when a password has more characters. The brute force engine hacking this password doesn't really have information about which characters were used... so it'll scan all of them. Having "111111" (6 chars) as your password is, in theory, a lot more difficult to crack than "!@#" (3 chars).
    Just a thought 
  • And there it is: "in theory" not in practice.
  • I would love to see empirical data about this. Seriously, I'm really interested to know stats and relationships between how "difficult" a password is and its hacking success rate.
  • You would not need empirical data if you knew how password hacking is done. Why do you think most sites that measure the strength of your password complain when you use plain words or simple numbers regardless of their length?
  • Of course you need empirical data. Who said it's not all just one big assumption? Who said that a password like "jessielikestoplayguitarandintheeveningheeatsbananas" is a commonly used password? This type of password will be a lot easier to remember.... more than @JessiE#1987! for sure. Show me data supporting your assumption and I'll change my mind. Until then, I'm not really convinced.
  • I've read data that says passphrases like that are good enough because of their length, but if you want to be safest with a passphrase, it probably makes sense to use a sentence with spaces, capital letters, and punctuation included.  Of course, with the way lots of crackers use hash tables now, that might not be accurate anymore anyway.
  • Most brute force attacks begin with a list of the most common passwords, phrases, and combinations. As such, the example in the article is true in a case where an experienced person/group/govt. Is behind the attack
  • i know it's too late, but just want to get this off my chest
    in our security course we had to do some hacking (danm project...) so this is why 6char number is far too weak compared to !@# chars
    this is how brute force hacking usually goes
    1 - known pwd combination first
    2 - brute force numbers second
    3 - brute force dictionary words
    4 - phrased
    5 - everything else
    and when comparing numbers and symbols you are looking at 10 number (0~9) versus 32 symbols ( minus the ones not allowed) now just to be clear, there is a reason why most passwords have a minimum requirement of at least 6 or more (some are 4 or more, but 4 is actually alittle too weak) so going by conventional minimum requirement (adding 3 to your numeric just for the sake of the conversation) 10^9 vs 32^6 would be 1,000,000,000 vs 1,073,741,824, and this is not considering some of the sorting techniques that can be used to crack the code faster (unless u happen to be the very last number for those techniques to work...)
  • I Trust Microsoft more than Google
  • It really has come to that, hasn't it? While I agree, it's not Microsoft or Google who's generally stealing account info.
  • ME too
  • As I use Lastpass I try to use the most complex password possible, for this site for example I have a 30 char password and for several sites I have a 250 char password just for the fun of it.
    as long as it is sufficiently complex 16 chars are ok but it would be better with 2 factor authentication which is why I will keep everything (I have 200GB on the old plan pricing which is the cheapest ever) with Google.  Their openness and willingness to listen to critiques in all their endeavours make me trust them a lot more than the secritive ways of Redmont or Cupertino.
  • Really? With them selling your info to third parties? That's just asking for your information to be hacked whether you have a 16 or 250 character password. Everytime you login, they know it. If they know it, then hackers may soon know it too.
    You must change your passwords like diapers.
  • what he said^
  • With Google, reading between the lines is required at all times. They start by taking every liberty and then giving back where they must after a critique. We,as PEOPLE (not "users") want the opposite!
  • Most password cracking is not brute force but rather using hash tables, so a complex 8 character password is more secure than 12345678910111213141516
  • No amount of security can protect against blunt human stupidity.
  • Are we really making a deal of this? Almost all sites have password requirements of 8-16 characters
  • I hear some people use the Konami code as passwords.
  • upupdowndownleftrightleftrightbastart Not bad, lol
  • Me too. I change mine often and keep it diverse. They are hacked for a reason. Big point is at least our emails aren't scanned!!
  • This is the same limitation as hotmail because outlook.com is hotmail.
    This is just a new skin on an existing service.
    It's sad to see people writing about outlook.com like it's a new service, but I guess it serves Microsoft's purpose of rebranding hotmail.
    All the so called new features on outlook.com were already there, people just didn't use hotmail enough to realize it.
    at least Paul Thurrott mentions that when he writes about outlook.com, Rich Edmonds seems te be clueless
  • Ever heard of the phrase "Don't shoot the messenger"?
  • Hotmail had the secure code login? I don't think I ever saw that.
  • I find the "Help us make sure you're not a robot" characters very difficult to decipher. Especially lower and upper case. I had so many wrong attempts that it would not allow me any more, had to wait for a fair while to reattempt. I don't have this problem on other sites. Wish they’d fix this
  • Or you can just you know register
  • Did you know those are generally case-insensitive?
    But I agree, I really hate captcha... It's especially annoying when it tells you your username/password is wrong but it was actually the captcha code :(
  • All passwords should have the following:
    At LEAST: 1 capital letter, 1 lower case letter, 1 number, 1 special character, minimum length of 8 characters.
    Cannot have: repeating characters or numbers.
    This is the standard I have always used and I have not an account compromised that I'm aware of.
    You can test your password at many sites.  These are good ones!
  • My password to my bank account is "admin". Noone has hacked it for many years now. Therefore, that article is not 100% valid. FYI, I've already updated it. Lol!
  • Hackers don't think like humans. They think like robots using patterns to crack passwords. It always works for me simple human-like passwords that give hackers 0% success rate. Mind you, I work in a software company and I a technical person myself.
  • A mathematical example of what some people have been saying in the comments:
  • Is brute forcing really a concern here? I don't see how anyone could brute force a password to an online service, at least one that is sanely implemented. I would think they have some kind of limit on login attempts over time to prevent brute force attacks.
    Nitpicking about password length limits seems silly when a lot of people are using passwords like the list above. Just keep your pc free of malware, don't fall for phishing attempts, and don't use a ridiculous password (like the ones in the list above). That should protect anyone from about 99.9% of all hacking attempts.