Does hotmail store passwords in plain text?

By n_K
in General Discussion

 Share

Recommended Posts

Grand Master

n_K

Posted
Posted

I ask because when I sign in using an account I give as a 'spam this email' with an inheritly rubbish password I am greeted with a page displaying;

"Your password is too easy to guess

Your current password is on a list of passwords that hackers frequently try to use. Create a new one to help keep your account secure."

So either it's stored unencrypted, or reverse-encrypted or it's a one-way hash and they've got a list of hashes that are easy to guess?

Anyone know which it is?

Grand Master

+Majesticmerc MVC

Posted
  • MVC
Posted

If I were to guess, I'd say it was a list of hashes, or list of plaintext passwords scrubbed from obvious attacks. I doubt Microsoft would store Hotmail passwords in plaintext or reversable encryption. If they did I'd expect to see "this is your password" emails instead of "reset your password" emails.

Veteran

Shane Nokes

Posted
Posted

There are specific passwords that are simple to guess...that make an easy to decrypt hash. They are warning you on the basis of that fact.

Even if it's an account you don't use for anything other than spam it's still wise to protect it, just in case of any other links. You'd be surprised just how little information someone needs to make a link between things and go after master accounts and such.

Grand Master

n_K

Posted
  • Author
Posted

It's a spam account in that it's got nothing on it at all, doesn't even have email access.

It wouldn't store the password security on registered, it's a pretty old account from before they had the strength indicator :p.

I wouldn't think they'd use plain text or reversible encryption but I am starting to worry that they do, even if they stored it in plain text, they wouldn't allow you to see the password and would still require you reset the password.

"whats so hard to understand? if you password is hashed, then they've hashed common passwords and compare them to your hash,which ends up being the same."

Do you work for microsoft, can you say you've seen the database scheme to comment like you know exactly how their database is setup ?

Mentor

Skin

Posted
Posted

whats so hard to understand? if you password is hashed, then they've hashed common passwords and compare them to your hash,which ends up being the same.

Probably this.

I wager it is a simple look up to see what matches to common hashed items that they gleaned from hacker attempts, and also just basic common passwords that everyone and their brother use).

Best method to confirm would contact the Hotmail team/devs and look into it.

Veteran

Shane Nokes

Posted
Posted

It's a spam account in that it's got nothing on it at all, doesn't even have email access.

It wouldn't store the password security on registered, it's a pretty old account from before they had the strength indicator :p.

I wouldn't think they'd use plain text or reversible encryption but I am starting to worry that they do, even if they stored it in plain text, they wouldn't allow you to see the password and would still require you reset the password.

"whats so hard to understand? if you password is hashed, then they've hashed common passwords and compare them to your hash,which ends up being the same."

Do you work for microsoft, can you say you've seen the database scheme to comment like you know exactly how their database is setup ?

vcfan has not, unless I am mistaken. However I have...I worked on a team that was directly responsible for the monitoring and safety of Xbox LIVE so I have more than a little experience in this matter.

I cannot comment on specifics (of course for security reasons), but there's no need to worry about the level of security employed here. Just don't use an easy password...that's the point of that message. Easy passwords can be guessed without any sort of skill really required.

Mentor

Xoligy

Posted
Posted

They store them as a plain text file trust me ive seen it, i know your passwords! lol =P

Nah as said they will have a list of common passwords encrypted however they encrypt there passwords, they will then probably do a match up when you change your password and give you a warning if it matches one of the encrypted ones on there list. Shouldnt be anything to worry about, but if you are then just make it harder symbols and numbers are always nice.

Mentor

cybertimber2008

Posted
Posted

whats so hard to understand? if you password is hashed, then they've hashed common passwords and compare them to your hash,which ends up being the same.

But if you throw in salt, even the same password would not generate the same hash... because of the salt.

And I would hope they store salted passwords :-/

Grand Master

+Xinok Subscriber²

Posted
  • Subscriber²
Posted

I would expect that they use salted hashes, which would mean you couldn't compare it against a pre-calculated list of encrypted hashes either. More likely, the server tries to *guess* your password from a list of common passwords, meaning it would have to generate a salted hash for each password and compare it to the salted hash of your password. But for a small list of common passwords (100-1000), this would only take a fraction of a second to test for each account registration / password change.

Grand Master

DaveLegg Developer

Posted
  • Developer
Posted

Bear in mind that as you said, you just logged in. As part of the logging in process, you provided an unencrypted version of your password. It would be easy as part of the login process for them to check that against a stored list of weak passwords, and forward you on to a page warning you of its weakness, no need to be able to decrypt the stored password to do that.

Grand Master

Haggis Veteran

Posted
  • Veteran
Posted

Maybe i am just being dumb here but

when you type in a username it automatically check to see if thats available using ajax/jquery for example

whats stopping it doing the same for passwords before its encrypted?

Mentor

GreenMartian

Posted
Posted

Another "maybe I am dumb" question here..

Isn't it the case that when you create a password, that it would be transmitted unhashed anyway? (plaintext - over SSL of course!) So the server receives it as plaintext and can easily do text comparison to a list of unsecure passwords?

Then when it saves it, it would salt+hash the password. When you login, it would do the same thing - transmit plaintext, then the server hashes it and compares it with the stored hash?

Grand Master

n_K

Posted
  • Author
Posted

Right you are, it does send the password unencrypted! I always assumed it uses client-side javascript to MD5 it which is why I assumed it sent the details to an 'md5crum' page but it doesn't! Learn something new every day :p

Grand Master

+Majesticmerc MVC

Posted
  • MVC
Posted

Right you are, it does send the password unencrypted! I always assumed it uses client-side javascript to MD5 it which is why I assumed it sent the details to an 'md5crum' page but it doesn't! Learn something new every day :p

Well they're using HTTPS so it's technically still secure... Right?

This topic is now closed to further replies.
 Share
Go to topic listing

  • Posts

    • Password Safe 3.72.0

      By Copernic · Posted

      Password Safe 3.72.0 by Razvan Serea Password Safe is a password database utility. Like many other such products, commercial and otherwise, it stores your passwords in an encrypted file, allowing you to remember only one password (the "safe combination"), instead of all the username/password combinations that you use. Once stored, your user names and passwords are just a few clicks away. Using Password Safe you can organize your passwords using your own customizable references—for example, by user ID, category, web site, or location. You can choose to store all your passwords in a single encrypted master password list (an encrypted password database), or use multiple databases to further organize your passwords (work and home, for example). And with its intuitive interface you will be up and running in minutes. PasswordSafe was originally designed by the renowned security technologist Bruce Schneier and released as a free utility application. Password Safe 3.72.0 changelog: Fixed bugs Improved font scale handling - should resolve font size issues on high resolution displays. GH1749 In the Master Password Setup window, "Show Master Password" is no longer truncated on some displays. GH1092, SF1595 Size and position of main window is now correctly restored on scaled displays. SF1630 Keep password expiry date when both password and password expiry are changed; don't clear a non-recurring expiry when the password's changed. SF1628 Custom values can now be copied to the clipboard in read-only mode via Ctrl-C and right-click->Copy Value. New features GH1196 Dark display mode support: Password Safe now supports the system display mode, as well as setting the mode directly via Manage->Options->Display->Display Mode. This change also updates the general "look & feel" of the app to the current Windows theme. Known limitations: The Date picker and keyboard shortcut controls do not switch to dark theme The Customize Toolbar dialog does not switch to dark theme Custom Field support has been added to the more advanced features: Filters XML and Text import and export Comparison, Sync and Merge databases SF938 Custom field values may now be selected by name and copied via a "Copy Custom Field Value..." submenu in the entry context popup menu. SF936 Notes and Custom fields layout now overlap, selectable by tabs, resulting in a more compact and less cluttered layout. SF935 Autotype: Specifying '\v{name}' in the autotype text will cause the corresponding value to be autotyped. Download: PasswordSafe 64-bit | Portable 64-bit | ~20.0 MB (Open Source) Download: PasswordSafe 32-bit | Portable 32-bit View: PasswordSafe Website | Quickstart Guide | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Google DeepMind AI Control Roadmap: When Alignment Fails, Defense-in-Depth Takes Over

      By +TRS-80 · Posted

      Google DeepMind published a document on June 18, 2026, that may be the most consequential admission yet from a frontier AI lab: alignment training alone cannot guarantee that AI agents will remain under human control, so structural containment must be built before more capable models arrive.............. https://www.techtimes.com/articles/318758/20260620/google-deepmind-ai-control-roadmap-when-alignment-fails-defense-depth-takes-over.htm  
    • Creative Sound Blaster AE-X PCIe review: your headphones will love it

      By Taliseian · Posted

      I've got a SoundBlasterX G6 that I use in my streaming setup. Sounds great to me and I've had zero issues with the ancient software package so far in Win11. That G6 has 7.1, Dolby, fully working SPDIF and since it's a USB device it's outside of my rig so I don't have to worry about EMF distortion. Looks like for now this is a pass for me as I think I have better hardware....
    • Creative Sound Blaster AE-X PCIe review: your headphones will love it

      By OldGuru · Posted

      How do you connect 5.1 Speakers to this thing?
    • A 13 billion year old secret about our Universe's origin was revealed

      By Taliseian · Posted

      I agree with both of you... It's absolutely imperative that science is completely based on actual proven facts and hard evidence and is not considered dogmatic in any way. Science is not a religion and it will never be, and that's exactly how it's supposed to be.

  • Popular Contributors

    1. 1
      +primortal
      502
    2. 2
      +Edouard
      170
    3. 3
      PsYcHoKiLLa
      88
    4. 4
      Steven P.
      75
    5. 5
      Michael Scrip
      73
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!