For Microsoft's new policy to work with existing passwords, Microsoft must have been doing one of the following:

* store full plaintext passwords in their db; compare the first 16 chars only
* calculate the hash only on the first 16 (or fewer); ignore the rest

So, which of the two is more horrifying? Read the article.
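To make the two possibilities concrete, here is an added example (not from the post or from Microsoft): three constructed storage schemes behind one verify interface, plus the black-box check a defender would run against any login to spot a length cap, namely register a long password and then try a candidate that differs only after character 16.

```python
import hashlib
import hmac
import os

LIMIT = 16          # the character cap discussed in the post
ROUNDS = 100_000    # constructed PBKDF2 work factor

# Scheme 1 (post's first bullet): store plaintext, compare only the first 16 chars.
def plaintext_first16(password: str, salt: bytes) -> bytes:
    return password[:LIMIT].encode()

# Scheme 2 (post's second bullet): hash only the first 16 chars, drop the rest.
def hash_first16(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password[:LIMIT].encode(), salt, ROUNDS)

# Sound scheme: every character of the password feeds the salted KDF.
def hash_full(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)

def verify(stored: bytes, salt: bytes, candidate: str, scheme) -> bool:
    # Constant-time compare of the stored record against the candidate's record.
    return hmac.compare_digest(stored, scheme(candidate, salt))

def accepts_tail_change(scheme, password: str) -> bool:
    """Detection check for a silent length cap.

    Registers `password`, then tries a candidate whose characters past
    position 16 are all replaced. A scheme that uses the whole password
    rejects it; a truncating scheme accepts it.
    """
    assert len(password) > LIMIT, "need a password longer than the cap"
    salt = os.urandom(16)
    stored = scheme(password, salt)
    altered = password[:LIMIT] + "X" * (len(password) - LIMIT)
    assert altered != password
    return verify(stored, salt, altered, scheme)

if __name__ == "__main__":
    pw = "correct horse battery staple"   # 28 chars, constructed sample
    for s in (plaintext_first16, hash_first16, hash_full):
        print(f"{s.__name__:18s} accepts tail change: {accepts_tail_change(s, pw)}")
```

Either truncating scheme answers True, which is exactly what an existing-password policy change of this kind implies about the stored records.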