For Microsoft's new policy to work with existing passwords, Microsoft must have been doing one of the following:

* store full plaintext passwords in their db; compare the first 16 chars only

* calculate the hash only on the first 16 (or fewer); ignore the rest

So, which of the two is more horrifying? Read the article.
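As an added illustration (not part of the original post), the constructed example below shows what the second option means in practice: a verifier that truncates to 16 characters before hashing cannot tell two passwords apart once their first 16 characters agree, while a verifier that hashes the whole password can. It also includes a black-box probe a defender can run against their own hasher to find such a limit. Salts, sample passwords and the iteration count are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

TRUNCATE_AT = 16  # the limit the post describes

def hash_password(password: str, salt: bytes, truncate_at: Optional[int] = None) -> bytes:
    """PBKDF2-HMAC-SHA256 over the password. With truncate_at set, every
    character past that index is dropped before hashing (the flaw in the post).
    Iteration count is deliberately low for the demo."""
    material = password if truncate_at is None else password[:truncate_at]
    return hashlib.pbkdf2_hmac("sha256", material.encode("utf-8"), salt, 10_000)

def verify(stored: bytes, salt: bytes, candidate: str, truncate_at: Optional[int] = None) -> bool:
    """Constant-time comparison of the candidate's hash against the stored one."""
    return hmac.compare_digest(stored, hash_password(candidate, salt, truncate_at))

def find_truncation_limit(truncate_at: Optional[int], max_len: int = 40) -> Optional[int]:
    """Black-box probe of the hasher: the first length n at which 'a'*n and
    'a'*(n+1) hash identically is the point past which input is ignored.
    Returns None if no limit is found below max_len."""
    salt = b"fixed-salt-for-probe"  # constructed; only needs to be the same for both probes
    for n in range(1, max_len):
        if hash_password("a" * n, salt, truncate_at) == hash_password("a" * (n + 1), salt, truncate_at):
            return n
    return None

def demo() -> dict:
    salt = os.urandom(16)
    long_pw = "correct horse battery staple!"            # constructed sample, 29 characters
    wrong_tail = long_pw[:TRUNCATE_AT] + "NOT-THE-SAME"  # constructed: same first 16 chars
    truncated_store = hash_password(long_pw, salt, TRUNCATE_AT)
    full_store = hash_password(long_pw, salt)
    return {
        "truncated_accepts_wrong_tail": verify(truncated_store, salt, wrong_tail, TRUNCATE_AT),
        "full_accepts_wrong_tail": verify(full_store, salt, wrong_tail),
        "full_accepts_real": verify(full_store, salt, long_pw),
    }
```

Running `demo()` shows the truncating verifier accepting the wrong-tail password, and `find_truncation_limit(TRUNCATE_AT)` recovers 16 without any knowledge of the hasher's internals.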

