

Ask HN: Is hotmail.com/outlook.com storing passwords in clear text? - xriddle

When you have to reset or change your hotmail/outlook password you cannot use a previous password or a variation of it. I can understand not using the exact same password and checking it against a previously stored hash, but how can they know a variation of my pass without storing it in clear text? Example: if I use QWERTASDFG as my pass they will not allow QWERTASDFG!@#$% as my reset pass. The hash for these 2 passes would be completely different, so how do they pull this off?
======
simonhughes22
This is not rocket science. They probably store it encrypted, and decrypt in
RAM when they need to validate things like that. It's not the first company to
have this restriction. I know some companies that prevent parts of day names
in the password, for example.

~~~
Jeremy1026
"I know some companies that prevent parts of day names in the password, for
example."

That is a little different. It's one thing to check against a list of
restricted words common to everyone and a list of previous passwords used by a
single user.

~~~
simonhughes22
That is true.

~~~
xriddle
Yeah, checking against a dictionary is one thing, but I've never used anything
remotely close to a dictionary word and they can still detect partial password
matches.

------
croikle
They could hash substrings or variations of the new password and check against
the original hash. Further, I guess they could be storing hashes of several
modified passwords, but that seems unlikely.
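The substring-hashing approach croikle describes, as an added example that is not from any commenter and is not how any provider is known to implement it. It assumes a salted PBKDF2 record for the old password and derives candidates only from the new password, so no plaintext of the old one is ever stored; the iteration count is a constructed demo value.

```python
import hashlib
import hmac
import os

# Constructed demo parameters: a real deployment uses far more iterations, which
# is exactly why the number of variations checked must be kept bounded.
ITERATIONS = 1000
MIN_SUBSTRING = 6  # ignore fragments too short to say anything about reuse


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest; this is all the server keeps."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(password: str) -> dict:
    """Store only salt + digest for a (hypothetical) user record."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def variations(candidate: str):
    """Yield substrings of the NEW password plus simple case variants.

    If any of them hashes to the OLD digest, the old password is embedded in
    the new one (e.g. QWERTASDFG inside QWERTASDFG!@#$%). Cost is O(n^2)
    hashes in the candidate length, so the minimum length and variant set
    bound the work.
    """
    seen = set()
    n = len(candidate)
    for start in range(n):
        for end in range(start + MIN_SUBSTRING, n + 1):
            sub = candidate[start:end]
            for v in (sub, sub.lower(), sub.upper(), sub.capitalize()):
                if v not in seen:
                    seen.add(v)
                    yield v


def reuses_old_password(record: dict, candidate: str) -> bool:
    """True if the old password (or a case variant) appears inside candidate."""
    for v in variations(candidate):
        digest = hash_password(v, record["salt"])
        if hmac.compare_digest(digest, record["hash"]):
            return True
    return False
```

Because the candidates are taken from the new password, this only detects cases where the old password is contained in the new one; a new password that is a shortened form of the old one would not be caught this way.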

