n_K Posted November 12, 2012 Share Posted November 12, 2012 I ask because when I sign in using an account I give as a 'spam this email' with an inheritly rubbish password I am greeted with a page displaying; "Your password is too easy to guess Your current password is on a list of passwords that hackers frequently try to use. Create a new one to help keep your account secure." So either it's stored unencrypted, or reverse-encrypted or it's a one-way hash and they've got a list of hashes that are easy to guess? Anyone know which it is? Link to comment Share on other sites More sharing options...
+Heartripper Subscriber¹ Posted November 12, 2012 Subscriber¹ Share Posted November 12, 2012 maybe the password strenght level has been stored upon registration before the encryption. I hope they do not store passwords in plain text :/ Link to comment Share on other sites More sharing options...
+Majesticmerc MVC Posted November 12, 2012 MVC Share Posted November 12, 2012 If I were to guess, I'd say it was a list of hashes, or list of plaintext passwords scrubbed from obvious attacks. I doubt Microsoft would store Hotmail passwords in plaintext or reversable encryption. If they did I'd expect to see "this is your password" emails instead of "reset your password" emails. Link to comment Share on other sites More sharing options...
Shane Nokes Posted November 12, 2012 Share Posted November 12, 2012 There are specific passwords that are simple to guess...that make an easy to decrypt hash. They are warning you on the basis of that fact. Even if it's an account you don't use for anything other than spam it's still wise to protect it, just in case of any other links. You'd be surprised just how little information someone needs to make a link between things and go after master accounts and such. Link to comment Share on other sites More sharing options...
vcfan Posted November 12, 2012 Share Posted November 12, 2012 whats so hard to understand? if you password is hashed, then they've hashed common passwords and compare them to your hash,which ends up being the same. Skin and xfx 2 Share Link to comment Share on other sites More sharing options...
n_K Posted November 12, 2012 Author Share Posted November 12, 2012 It's a spam account in that it's got nothing on it at all, doesn't even have email access. It wouldn't store the password security on registered, it's a pretty old account from before they had the strength indicator :p. I wouldn't think they'd use plain text or reversible encryption but I am starting to worry that they do, even if they stored it in plain text, they wouldn't allow you to see the password and would still require you reset the password. "whats so hard to understand? if you password is hashed, then they've hashed common passwords and compare them to your hash,which ends up being the same." Do you work for microsoft, can you say you've seen the database scheme to comment like you know exactly how their database is setup ? Link to comment Share on other sites More sharing options...
Skin Posted November 12, 2012 Share Posted November 12, 2012 whats so hard to understand? if you password is hashed, then they've hashed common passwords and compare them to your hash,which ends up being the same. Probably this. I wager it is a simple look up to see what matches to common hashed items that they gleaned from hacker attempts, and also just basic common passwords that everyone and their brother use). Best method to confirm would contact the Hotmail team/devs and look into it. Link to comment Share on other sites More sharing options...
Shane Nokes Posted November 12, 2012 Share Posted November 12, 2012 It's a spam account in that it's got nothing on it at all, doesn't even have email access. It wouldn't store the password security on registered, it's a pretty old account from before they had the strength indicator :p. I wouldn't think they'd use plain text or reversible encryption but I am starting to worry that they do, even if they stored it in plain text, they wouldn't allow you to see the password and would still require you reset the password. "whats so hard to understand? if you password is hashed, then they've hashed common passwords and compare them to your hash,which ends up being the same." Do you work for microsoft, can you say you've seen the database scheme to comment like you know exactly how their database is setup ? vcfan has not, unless I am mistaken. However I have...I worked on a team that was directly responsible for the monitoring and safety of Xbox LIVE so I have more than a little experience in this matter. I cannot comment on specifics (of course for security reasons), but there's no need to worry about the level of security employed here. Just don't use an easy password...that's the point of that message. Easy passwords can be guessed without any sort of skill really required. Link to comment Share on other sites More sharing options...
n_K Posted November 12, 2012 Author Share Posted November 12, 2012 Alright okay Shane, thanks for the info.! :) Link to comment Share on other sites More sharing options...
Shane Nokes Posted November 12, 2012 Share Posted November 12, 2012 Alright okay Shane, thanks for the info.! :) No problem. :) Link to comment Share on other sites More sharing options...
Xoligy Posted November 12, 2012 Share Posted November 12, 2012 They store them as a plain text file trust me ive seen it, i know your passwords! lol =P Nah as said they will have a list of common passwords encrypted however they encrypt there passwords, they will then probably do a match up when you change your password and give you a warning if it matches one of the encrypted ones on there list. Shouldnt be anything to worry about, but if you are then just make it harder symbols and numbers are always nice. Link to comment Share on other sites More sharing options...
cybertimber2008 Posted November 13, 2012 Share Posted November 13, 2012 whats so hard to understand? if you password is hashed, then they've hashed common passwords and compare them to your hash,which ends up being the same. But if you throw in salt, even the same password would not generate the same hash... because of the salt.And I would hope they store salted passwords :-/ Link to comment Share on other sites More sharing options...
+Xinok Subscriber² Posted November 13, 2012 Subscriber² Share Posted November 13, 2012 I would expect that they use salted hashes, which would mean you couldn't compare it against a pre-calculated list of encrypted hashes either. More likely, the server tries to *guess* your password from a list of common passwords, meaning it would have to generate a salted hash for each password and compare it to the salted hash of your password. But for a small list of common passwords (100-1000), this would only take a fraction of a second to test for each account registration / password change. Link to comment Share on other sites More sharing options...
primexx Posted November 13, 2012 Share Posted November 13, 2012 they could also do it client-side Link to comment Share on other sites More sharing options...
n_K Posted November 13, 2012 Author Share Posted November 13, 2012 they could also do it client-side It's not client side, when logging in to msn over SSL, a 302 redirect takes you to the 'weak password' page. Link to comment Share on other sites More sharing options...
DaveLegg Developer Posted November 13, 2012 Developer Share Posted November 13, 2012 Bear in mind that as you said, you just logged in. As part of the logging in process, you provided an unencrypted version of your password. It would be easy as part of the login process for them to check that against a stored list of weak passwords, and forward you on to a page warning you of its weakness, no need to be able to decrypt the stored password to do that. Link to comment Share on other sites More sharing options...
Haggis Veteran Posted November 13, 2012 Veteran Share Posted November 13, 2012 Maybe i am just being dumb here but when you type in a username it automatically check to see if thats available using ajax/jquery for example whats stopping it doing the same for passwords before its encrypted? Link to comment Share on other sites More sharing options...
GreenMartian Posted November 13, 2012 Share Posted November 13, 2012 Another "maybe I am dumb" question here.. Isn't it the case that when you create a password, that it would be transmitted unhashed anyway? (plaintext - over SSL of course!) So the server receives it as plaintext and can easily do text comparison to a list of unsecure passwords? Then when it saves it, it would salt+hash the password. When you login, it would do the same thing - transmit plaintext, then the server hashes it and compares it with the stored hash? Link to comment Share on other sites More sharing options...
n_K Posted November 13, 2012 Author Share Posted November 13, 2012 Right you are, it does send the password unencrypted! I always assumed it uses client-side javascript to MD5 it which is why I assumed it sent the details to an 'md5crum' page but it doesn't! Learn something new every day :p Link to comment Share on other sites More sharing options...
+Majesticmerc MVC Posted November 13, 2012 MVC Share Posted November 13, 2012 Right you are, it does send the password unencrypted! I always assumed it uses client-side javascript to MD5 it which is why I assumed it sent the details to an 'md5crum' page but it doesn't! Learn something new every day :p Well they're using HTTPS so it's technically still secure... Right? Link to comment Share on other sites More sharing options...
n_K Posted November 13, 2012 Author Share Posted November 13, 2012 Well they're using HTTPS so it's technically still secure... Right? Yep it's all secured over HTTPS but the password isn't MD5'd before it's sent so it can check if your password is weak or not. Link to comment Share on other sites More sharing options...
Recommended Posts