
Does hotmail store passwords in plain text?

20 replies to this topic

#16 DaveLegg

DaveLegg

    Coderator at heart

  • 7,742 posts
  • Joined: 31-October 04
  • Location: Oxford, UK

Posted 13 November 2012 - 08:47

Bear in mind that, as you said, you just logged in. As part of the logging-in process, you provided an unencrypted version of your password. It would be easy, as part of the login process, for them to check that against a stored list of weak passwords and forward you on to a page warning you of its weakness; there is no need to be able to decrypt the stored password to do that.


#17 Haggis

Haggis

    Neowinian Senior

  • 2,697 posts
  • Joined: 13-June 07
  • Location: Near Stirling, Scotland
  • OS: Debian 7
  • Phone: Samsung Galaxy S3 LTE (i9305)

Posted 13 November 2012 - 08:48

Maybe I am just being dumb here, but

when you type in a username it automatically checks to see if that's available, using ajax/jquery for example.

What's stopping it doing the same for passwords before it's encrypted?

#18 +GreenMartian

GreenMartian

    Neowinian Senior

  • 1,778 posts
  • Joined: 28-August 04
  • Location: adelaide, au

Posted 13 November 2012 - 10:53

Another "maybe I am dumb" question here..

Isn't it the case that when you create a password, it would be transmitted unhashed anyway? (plaintext, over SSL of course!) So the server receives it as plaintext and can easily do a text comparison against a list of insecure passwords?

Then when it saves it, it would salt+hash the password. When you log in, it would do the same thing: transmit plaintext, then the server hashes it and compares it with the stored hash?
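The flow DaveLegg (#16) and GreenMartian (#18) describe, written out as server-side code. This is an added example for the thread, not anything Hotmail or Microsoft published: the server receives the plaintext password over TLS, compares it against a weak-password denylist before doing anything else, stores only a salted PBKDF2 hash, and at login re-hashes the submitted plaintext and compares it to the stored hash. It also shows the login-time check from #16: a user whose stored hash predates the policy can be flagged as weak at login, because the plaintext is in hand at that moment, without ever decrypting anything. The denylist, the in-memory `users` table and the function names are all constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample denylist for the example; a real service would load a
# much larger list of leaked/common passwords.
WEAK_PASSWORDS = {"password", "123456", "qwerty", "letmein", "hotmail"}
MIN_LENGTH = 8
PBKDF2_ITERATIONS = 200_000  # assumption: tune to your hardware budget

# In-memory stand-in for the user table: username -> (salt, pbkdf2 digest).
users: Dict[str, Tuple[bytes, bytes]] = {}


class WeakPasswordError(ValueError):
    """Raised at registration when the plaintext fails the weak-password check."""


def is_weak(plaintext: str) -> bool:
    """Plaintext comparison against the denylist plus a length floor.
    This only works because the server has the plaintext at this moment;
    it never needs to reverse a stored hash."""
    return len(plaintext) < MIN_LENGTH or plaintext.lower() in WEAK_PASSWORDS


def hash_password(plaintext: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salt + slow hash. A fresh random salt is generated when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", plaintext.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def register(username: str, plaintext: str) -> bool:
    """Step 1 of #18: check the plaintext against the denylist, then store
    only the salted hash. Returns True on success."""
    if is_weak(plaintext):
        raise WeakPasswordError("password is too short or on the weak-password list")
    users[username] = hash_password(plaintext)
    return True


def login(username: str, plaintext: str) -> Tuple[bool, bool]:
    """Step 2 of #18 plus the warning from #16.
    Returns (authenticated, warn_weak). The weak warning is computed from the
    submitted plaintext, so it can be raised even for hashes stored before
    the denylist existed."""
    record = users.get(username)
    if record is None:
        # Do the same amount of hashing work for unknown users so response
        # time does not reveal which usernames exist.
        hash_password(plaintext)
        return False, False
    salt, stored_digest = record
    _, candidate_digest = hash_password(plaintext, salt)
    authenticated = hmac.compare_digest(candidate_digest, stored_digest)
    warn_weak = authenticated and is_weak(plaintext)
    return authenticated, warn_weak


if __name__ == "__main__":
    register("alice", "correct horse battery")
    print(login("alice", "correct horse battery"))   # (True, False)
    try:
        register("bob", "password")
    except WeakPasswordError as exc:
        print("rejected:", exc)
```

Note that `hmac.compare_digest` is used for the final comparison so that the time taken does not depend on how many leading bytes of the digest match; the comparison against the denylist happens only on the plaintext the client just sent, never on anything recovered from storage.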

#19 OP n_K

n_K

    Neowinian Senior

  • 5,402 posts
  • Joined: 19-March 06
  • Location: here.
  • OS: FreeDOS
  • Phone: Nokia 3315

Posted 13 November 2012 - 15:05

Right you are, it does send the password unencrypted! I always assumed it uses client-side javascript to MD5 it which is why I assumed it sent the details to an 'md5crum' page but it doesn't! Learn something new every day :p

#20 +Majesticmerc

Majesticmerc

    Resident Idealist

  • 6,198 posts
  • Joined: 24-August 05
  • Location: United Kingdom
  • OS: Arch Linux / Win 7
  • Phone: HTC One X

Posted 13 November 2012 - 22:28

Right you are, it does send the password unencrypted! I always assumed it uses client-side javascript to MD5 it which is why I assumed it sent the details to an 'md5crum' page but it doesn't! Learn something new every day :p


Well they're using HTTPS so it's technically still secure... Right?

#21 OP n_K

n_K

    Neowinian Senior

  • 5,402 posts
  • Joined: 19-March 06
  • Location: here.
  • OS: FreeDOS
  • Phone: Nokia 3315

Posted 13 November 2012 - 22:32

Well they're using HTTPS so it's technically still secure... Right?

Yep, it's all secured over HTTPS, but the password isn't MD5'd before it's sent, so it can check whether your password is weak or not.