Ask HN: Is hotmail.com/outlook.com storing passwords in clear text?

1 points by xriddle ↗ HN
When you have to reset or change your hotmail/outlook password you can not use a previous password or a variation of it. I can understand not using the exact same password and checking it against a previously stored hash, but how can they know a various of my pass without storing it in clear text? Example if I user QWERTASDFG as my pass they will not allow QWERTASDFG!@#$% as my reset pass? The hash for these 2 passes would be completely different so how do they pull this off.

5 comments

[ 8.6 ms ] story [ 29.8 ms ] thread
This is not rocket science. They probably store it encrypted, and decrypt in RAM when they need to validate things like that. It's not the first company to have this restriction. I know some companies that prevent parts of day names in the password, for example.
"I know some companies that prevent parts of day names in the password, for example."

That is a little different. Its one thing to check against a list of restricted words common to everyone and a list of previous passwords used by a single user.

That is true.
Yeah checking against a dictionary is one thing, but I've never used anything remotely close to a dictionary word and they can still detect partial password matches.
They could hash substrings or variations of the new password and check against the original hash. Further, I guess they could be storing hashes of several modified passwords, but that seems unlikely.