Since my first article about a financial institution’s policy on password length I’ve encountered a couple of examples, none of which were really worse than the one I had mentioned before. But today I was happily signing up for Microsoft’s new online services offering and was prompted to change my password (n.b. I was in the trial). I whip out my KeePass, make an entry and get presented with the following:
Why oh why would you ever put a maximum length on the password field? Even if database size is a concern (really?), wouldn’t it make sense to bump the limit to something much longer, like 100 or 200 characters? Even the default security setting for KeePass (which I’m sure many people use) produces passwords longer than 16 characters.
I may be Microsoft-friendly, and it won’t keep me from using the service, but come on, Microsoft. Ask the guys who wrote the (ludicrously long) method: HashPasswordForStoringInConfigFile.
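As an added illustration (not code from the post): a length check with a minimum and a deliberately generous maximum, storing the password as a salted PBKDF2 hash so the stored record is the same size whether the password is 12 or 200 characters. The 12/200 limits and the iteration count are this example's own choices, not anything Microsoft or KeePass prescribes.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Policy values chosen for this example: well above the 16-character cap the
# post complains about, but still bounded so the KDF is never fed unbounded input.
MIN_LENGTH = 12
MAX_LENGTH = 200
SALT_LEN = 16
PBKDF2_ITERATIONS = 600_000  # example value; tune to your hardware budget


def check_policy(password: str) -> Tuple[bool, str]:
    """Length-only policy; composition rules are deliberately out of scope."""
    n = len(password)
    if n < MIN_LENGTH:
        return False, f"too short ({n} < {MIN_LENGTH})"
    if n > MAX_LENGTH:
        return False, f"too long ({n} > {MAX_LENGTH})"
    return True, "ok"


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256 digest: always SALT_LEN + 32 bytes,
    regardless of how long the password is, so storage size is not a reason
    to cap password length."""
    ok, reason = check_policy(password)
    if not ok:
        raise ValueError(reason)
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    if not check_policy(password)[0]:
        return False
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def stored_size(password: str) -> int:
    """Size in bytes of the record that would land in the database."""
    return len(hash_password(password))
```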
I hate this restriction. I hate it with a vengeance and shout out loud every time it forces me to type in a new password and won’t accept what I type in. I cannot have as safe a password as I’d like, I cannot build the password the way I want so I can have a safe and easily remembered password. It’s one of the dumbest restrictions in anything software I’ve come across. It’s downright retarded.
This does seem a stupid restriction. It is not present if you use ADFS (which is a pain) or DirSync/AADSync (relatively painless).
Yes, but the universe of Microsoft logins is completely broken in my opinion anyway. Have you encountered the “Would you like to use this email as your organisational account or live account?” question?