

Microsoft Outlook (hotmail) doesn't hash passwords? - legatou
http://imgur.com/A5NYKdh

======
orlandoseo
They probably decrypted the original password and rehashed the actual first
16 characters, updating the hashed version of the password compare. It's not
uncommon to have the hash and an encrypted version of the password.

~~~
legatou
If they have the decryption keys, that's the same as storing the password in
plaintext. I don't know how common it is, but I know it's insecure.

------
legatou
I must admit, as a software dev I'm quite distressed that this is what I was
prompted with when I tried to login to my email today.

~~~
27182818284
From that warning message there, I don't know how you determined that they
aren't hashing. You might have to spoon-feed it to me. I feel like they are
just looking out for whatever legacy systems that will stroke if you pass more
than 16 char to them?

~~~
legatou
In order to validate that my 16-char truncated password is correct, they would
have to have my password stored somewhere.

Standard security practice is to store ONLY the hash of a password, and never
the password text.

~~~
27182818284
I don't get that from the message though. To me it seems like they do a len()
on the input box before it would ever be hashed or stored or anything like
that on the server.
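Neither side of the exchange above shows what a server's verification logic would actually look like. As an added example that is not from this thread and does not describe what Hotmail/Outlook does, the Python sketch below contrasts the two designs being argued about: a legacy-style store that truncates to 16 characters before salted hashing, which can accept the first 16 characters of a longer password without ever holding the cleartext, beside an untruncated store. The function names, the 16-character limit as a parameter, the PBKDF2 cost and the sample password are all constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed example, not code from the thread or from any Microsoft system.
LEGACY_MAX_LEN = 16          # assumed legacy limit, taken from the thread's screenshot
PBKDF2_ITERATIONS = 100_000  # demo cost parameter; tune for the deployment


def _derive(password: str, salt: bytes, max_len=None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password, optionally truncated first.

    The truncation happens on the input before hashing, so the stored value is
    still a one-way hash; the server never needs the cleartext to compare.
    """
    if max_len is not None:
        password = password[:max_len]
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def store(password: str, truncate_to=None) -> dict:
    """Create a credential record. Only salt, hash and the policy are kept."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "hash": _derive(password, salt, truncate_to),
        "max_len": truncate_to,  # policy must be recorded so verify() matches
    }


def verify(record: dict, attempt: str) -> bool:
    """Recompute the hash of the attempt under the record's policy and compare."""
    candidate = _derive(attempt, record["salt"], record["max_len"])
    return hmac.compare_digest(candidate, record["hash"])


def demo() -> dict:
    """Exercise both stores with a constructed 28-character password."""
    long_pw = "correct horse battery staple"
    legacy = store(long_pw, truncate_to=LEGACY_MAX_LEN)
    modern = store(long_pw)
    prefix = long_pw[:LEGACY_MAX_LEN]  # "correct horse ba"
    return {
        # Truncating store: the 16-char prefix logs in, the full string logs in,
        # and any suffix is silently ignored (the weakness of the policy).
        "legacy_accepts_prefix": verify(legacy, prefix),
        "legacy_accepts_full": verify(legacy, long_pw),
        "legacy_ignores_suffix": verify(legacy, prefix + "XXXX"),
        "legacy_rejects_wrong_prefix": verify(legacy, "wrong horse batt"),
        # Untruncated store: only the exact password verifies.
        "modern_rejects_prefix": verify(modern, prefix),
        "modern_accepts_full": verify(modern, long_pw),
        # Neither record contains the cleartext or anything derived reversibly.
        "record_has_no_cleartext": "password" not in legacy
        and long_pw.encode("utf-8") not in legacy["salt"] + legacy["hash"],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the example is the distinction the thread circles around: a prefix-only login proves the server applies a length policy before hashing (or did so when the hash was set), not that it stores the password. The truncating store does still cost real security, since it caps effective entropy at 16 characters and accepts any suffix, so a practitioner would treat removing the limit and storing an untruncated hash as the fix, with users re-hashed on their next successful login.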

