I recently read an article on The New Web in which they describe how Hotmail is limiting passwords to 16 characters. Now, this contradicts best practices, and is a policy that tips the “convenience vs. security scale” grossly in favor of convenience (or an attempt at it). In a world that is trending towards allowing pass phrases (i.e. Simple), this policy is misguided at best.
Read the full article here.