It has been a few days since I noticed what I am about to describe and since no one (as far as I know) has brought this issue forth, I guess it is up to me to address the elephant in the room. (No, I do not mean you, Christina. I do not mean you, this time.)
I log on to my Hotmail account every day. A few days ago, I tried to log on, only to encounter a message that said something like the following: My password was longer than 16 characters, so Hotmail kept the first 16 characters, so I should use these first 16 characters as the password in order to log on. And Hotmail would accept passwords up to 16 characters from now on.
Indeed my password was longer than 16 characters, so I used its first 16 characters and I logged on successfully. Immediately, I knew right there and then that Hotmail had been storing my password as plain text all along. Or with reversible encryption, at best. Otherwise, it wouldn’t have been able to deduce the first 16 characters from it.
But Hotmail should not have been storing my password this way. It should not have been storing my password at all. It should have been storing a hash of my password. A hash with salt and pepper, iterated many times. When I say salt, I mean a string unique to my account that is added to my password in order to change the hash of my password in a unique way only for me. When I say pepper, I mean a string common to all accounts that is also added to all passwords in order to further change the hash of each password; the difference is that the pepper is not stored in the password database. The password database has the salt and the computed password hash. Only the algorithm that computes the hash has the pepper and uses it with the salt and the password to compute the hash. And it should compute the hash doing not one but many iterations, so as to make hostile mass brute-force calculations very time consuming.
Now there are a lot of people who think that pepper is not all that important. They base their opinion in the fact that once an attacker gets an entry to the system, she has access to all information, including the pepper. I respectfully disagree. Sometimes the hacker is only able to get the password database and not the algorithm that computes the hashes. In that case, the pepper will save the day. The hacker will not be able to deduce the passwords from the hashes, because she will be missing the pepper. Anyway, this is an involved subject so I should leave it here, for now.
(I beg your pardon, Christina? No I do not think this is your order. I think that this is the buffet they prepared for the party we will have in our department… Oh, what’s that? The buffet is in the other room? Oh, ok Christina, you were right, this is yours.)
So, it appears that Hotmail had not been storing the hashes of the passwords; it had been storing the actual passwords all along. That’s an extremely bad practice. In the words of Nicholas Fehn: “No!… You can’t…” If a hacker gets the password database, she immediately has the passwords, without having to do any computations.
Of course, I described the worst case scenario. Hotmail could have been storing the passwords using reversible encryption. Perhaps Hotmail would use an encryption key to encrypt each password and it would not store the encryption key in the database. This way, the hacker would have to get the database and the algorithm along with the encryption key, in order to successfully deduce the passwords. Still, the method with the salt, pepper, and iterated hashes is the best practice and that is what Hotmail should have been using all along.
You might say: “Better late than never”. No, not so fast. First of all, 16 characters are not a lot. Since we should use passphrases as our passwords, our passwords should usually be more than 16 characters. Anyway, that is not the only thing that is strange here. What puzzles me most is the timing. How come this change happened now? Was there a particular reason that made Hotmail change its way of handling passwords and to make this change now?
The moment I encountered the message from Hotmail when I tried to log on, I thought that Hotmail made the change out of fear because of the recent hacking incident that happen in LinkedIn. LinkedIn had not been using the best practice I describe earlier for storing passwords, so when a hacker obtain the LinkedIn’s password database, he or she was able to obtain the users’ passwords. This incident happened a few days before I encountered Hotmail’s log on message. So, I thought that this was what triggered the change in Hotmail’s procedures. And I thought: “Good for Hotmail. Better late than never”.
But I too should have waited. You see, a few days later, Microsoft announced the new Hotmail: Outlook.com. Hotmail is revamped with a new look and extra domain name. So, is this a coincidence? Did the change in password handling had anything to do with the change to Outlook.com or these two were completely unrelated? Perhaps I will never know. But what it would be interesting to know is whether the change in password handling politics came out of fear and urgency because of LinkedIn’s breach or because it happened as a byproduct of a general renovation. Because in the first case, I would say: “Better late than never. Hotmail understood that its methods were substandard and did something about it”. Whereas in the second case, I would say: “Hotmail’s apathy is puzzling. It did not care to change its substandard methods, even after LinkedIn’s devastating hacking incident. The change to its methods would not have happened if it were not for the Outlook.com renovation.”
I do not think I will ever find out what really happened. So, the proper and fair thing to do is to give Hotmail the benefit of the doubt. (No, Christina! Don’t eat the whole chicken at once! I cannot watch this!)
Update at June 23, 2013: I am afraid that my opinion presented in this blog post is incorrect and Hotmail may have operated in a completely secure fashion. I just thought of the following scenario:
Hotmail does not keep my password stored. It only keeps a hash of it. At some point, Hotmail decides that every user should have a password no longer than 16 characters. So, what it does, is it waits for each and every user to log in. As each user logs in, Hotmail hashes the password the user gave and compares the hash with the one it has stored for this user. If the hashes match, then Hotmail knows that user gave the correct password and also knows this password for this brief moment of the login process. So then Hotmail counts the characters of the password. If they are longer than 16, then Hotmail truncates the password to its first 16 characters, calculates the hash of that and sets this hash as the new password hash. Then Hotmail tells the user to log in again, with the first 16 characters of her password.
So there was no need for the password to be stored in order for this whole procedure to work. So, I guess that this is the way Hotmail operated. So, Hotmail operated in a completely secure fashion, I should have given Hotmail the benefit of the doubt and I should have never doubted Microsoft. I was incorrect, I sincerely and humbly apologize and I deeply regret any inconvenience and wrong impressions my foolish accusations gave.