Helping people with computers... one answer at a time.

Many people would like to recover their current forgotten password rather then reset it. However if security's been done correctly, it's impossible.

I've forgotten my MSN Hotmail password and I could easily reset it, as I DO still have access to my alternate email account that I provided and I DO remember the answer to my secret question.

However, it is imperative that I do not change/reset the password, but instead recover the old one. It's very complicated, but basically I have used the same password for several things and I cannot afford to lose it.

What I am really asking is "Is it possible to merely recover my MSN password rather than reset it??"

I normally don't respond to password requests any more unless there's something new, like a change in Windows Live Hotmail's password recovery mechanism.

I've been getting the question above off and on for years. Even though many requests are possibly legitimate, I can't tell which ones are, and thus have to address them as password hacking attempts. In other words, I have to ignore them.

But it dawns on me that there are some valuable lessons to be learned here.

Once again, I'll cut to the chase and just tell you that no, there's no way to get your existing password back from MSN Hotmail or from any security-minded service provider, free or not.

Care to know why?

They don't know your password.

You probably think I'm nuts, but I'm absolutely 100% serious. A properly secure authentication scheme, such as that we would hope is used by services such as Hotmail, does not store your password. Instead, they store a one-way encrypted or hashed form of your password. When you login they encrypt whatever password you enter using the same algorithm, and if the encrypted value matches the encrypted value they have stored for you, then you must have entered the correct password.

"... there's no way to get your existing password back ..."

Let's say your password is:

Pass!werd

Not an unreasonable password, hard to guess, short and probably easy-ish to remember.

Using a hashing function (geeks: I'm using SHA1 in my example, but there are many approaches), that password is transformed into:

187483f86b7c516e35dc52aa30797f44e73ec734

Looks nothing like your password, right? However there are two incredibly important characteristics of this transformation:

  • The chances of any other password generating exactly the same encrypted string are infinitesimally small.

  • There's no way to go backwards.

Re-read that second point. It means that in the example above there's no way given the "187483f86b7c516e35dc52aa30797f44e73ec734" to figure out that the password you used to create it was "Pass!werd".

The result? There's no way for the service to tell you what you password is, because they just don't know. They'll know the value that it encrypts into, but that cannot be used to reverse-calculate what the password actually is.

Why?

You're probably asking yourself why do services go through this messy encryption stuff ... why not just store the password directly? Wouldn't that be easier? It would certainly allow them to tell me what my password is rather than forcing me to choose a new one.

In a word: security.

If someone hacks the service and somehow steals the user database, what do they have? If they only have encrypted passwords, they have nothing of any use. As a result, it's considered "best practice" from a security perspective to never store the actual password, but rather store an encrypted token derived from the password instead.

So how do password resets work? It's the one time that the system briefly knows your password, because they:

  • pick a new password for you

  • encrypt it

  • save the encrypted password in their database

  • email the UNencrypted password to the email address of record

But even then, note how they did not save the unencrypted password. They emailed it to you and then promptly "forgot" it, remembering only the encrypted form.

Article C3262 - January 9, 2008 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

17 Comments
Just J
January 9, 2008 1:40 PM

Message to Arben: You have clearly NOT read the article (or failed to understand it).

Nice example of password encryption though Leo!

Chuck Arnett
January 9, 2008 2:16 PM

So if a site sends you a new password, and they have only an encrypted form, then your computer has to know what algorithm to use to duplicate the encryption. How does it find that out? Also, does your computer store the password or the encryption when you tell it to remember your password? If your computer stores the password, is there any way to access it?

Simon
January 10, 2008 4:53 AM

>It means that in the example above there's no way given
>the "187483f86b7c516e35dc52aa30797f44e73ec734" to
>figure out that the password you used to create it was "Pass!werd".

Not quite true. There's no direct way, certainly; but with passwords below a certain length, there is an indirect way of going 'backward': rainbow tables.

These are basically a vast table of precomputed hash values for every possible password, from aaaaaaa upwards. The original computation of these hash tables is obviously ridiculously time intensive, but it only needs to be done once; after that, getting a password from a hash is just a matter of comparing the hash values until you get a match, which is a quite quick task. And, as you'd expect, rainbow tables for the most common hashes (MD5 etc.) are freely available on the internet (bittorrent etc.).

Obviously, though, as password length increases, the length of rainbow tables increases exponentially (Formula: no. of allowable characters ^ length). Rainbow tables for up to 7 character lowercase alphanumeric passwords are under a gigabyte, meaning the whole table can be stored in RAM on a modern computer; making finding a password a matter of seconds. Add in the 33 non-alphanumeric characters, though, and the size shoots up to 8 GB -- for 7 characters or under passwords. Adding in an eighth character, or allowing uppercase characters, makes the size shoot up to the hundreds or thousands of Gigabytes -- time-consuming, but definitely not impossible for someone who has stolen the database and can run the algorithm at their leisure.

A nine character non-alphanumeric password like "Pass!werd" is thus probably effectively immune from this effect, purely for reasons of time. But only today! Just as the amount of time it takes to use this technique increases exponentially with password length, so does the power of computer hardware with time increase exponentially -- Moore's law. Give it another half decade, and hardware will probably be powerful enough for a 9 character password to be viably cracked with rainbow tables.

The most common use of Rainbow tables is thus against Windows' LMHash; which versions of Windows prior to Vista used by default to hash login passwords. The thing about LMHash is that it splits passwords under 14 characters into two 7-character-long strings (and converted everything to lowercase); making it very easy to be crack using 7-character rainbow tables.

There are good defenses against rainbow tables. For the user, use long passwords (>8 characters), and avoid dictionary words (even a seven character rainbow table will probably have the hashes of all dictaionary words included; compared to the rest of the database the size they take up woud be minimal).

For the system administrator, there is a technique called 'salting' -- prepend a sequence of characters to every password, hash that, and store the sequence in plaintext; prepending it to every password that user tries to enter. E.g. User: AskLeo, Password: shortpwd, Randomly-generated-string: 64795138. The system would hash "64795138shortpwd", and store "AskLeo", "64795138", and the hash in its database. Any time AskLeo tries to log in, the system would add "64795138" on to the beginning of the password you enter, hash that, and see if that hash matches the stored one. If the string is long enough, even though the cracker knows the string they would have to make a new Rainbow table for each user (For AskLeo, 64795138aaaaaaa to 64795138zzzzzzz; for someone else, maybe 13576824aaaaaaa to 13576824zzzzzzz); which destroys the whole point of using rainbow tables.

Ken B
January 10, 2008 8:40 AM

Chuck:
> your computer has to know what algorithm to use
> to duplicate the encryption

Your computer doesn't need to know anything about the site's encryption methods. Your computer sends the password itself to the other computer, and the other computer then encrypts your password to see if it matches the saved encrypted version.

(Hopefully, your computer and the other computer are using a secure means of communication, such as https rather than http.)

Ronny
January 10, 2008 4:03 PM

I don't understand how it is possible for a computer to run a password through a formula to convert it to something else but not know how to reverse it; assuming, of course, that you know the original formula.

If I do something simple like adding 7 to each ASCII value, I just subtract 7 to reverse it. I know the conversion is more complex than that. That just makes the reversing more complex, not impossible. Right?

Leo A. Notenboom
January 11, 2008 9:49 AM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Well, it most certainly IS possible. Unfortunately I don't
have a clear metaphor against which to draw a comparison.
The concept of one-way hashes are nothing new, really, and
the foundation of modern cryptography. No, it's nowhere near
as simple as just adding something you could later subtract.
It's quite complex mathmatics.

(In fact the PGP signature below this message is another
example of hashes being used :-).

Thanks,

Leo


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFHh6w7CMEe9B/8oqERApdzAJ41AfzyeCqU2mo7ZfQtA1D94wuz4wCffAbM
ARNHwGc/FieBU2XlORHtdqU=
=pwr6
-----END PGP SIGNATURE-----

ammir@msn.com
January 25, 2009 2:42 PM

So if a site sends you a new password, and they have only an encrypted form, then your computer has to know what algorithm to use to duplicate the encryption. How does it find that out? Also, does your computer store the password or the encryption when you tell it to remember your password? If your computer stores the password, is there any way to access it?

Shahid
May 3, 2009 8:46 AM

Where i see my password of my hotmail account

As outlined in the article you just commented on: you cannot.
- Leo
04-May-2009

yaya
January 21, 2010 5:56 PM

i encountered the same problem, i forget my mial password . my friend suggest me to use the software called password genius, i tried, and find it very amazing that it only took a few minutes to display the account and password. I highly recommend it to you. here it is:
http://www.password-genius.com/how-to/how-to-find-out-my-windows-live-messenger-password-msn-password.html.
hop to help you.

adele
September 24, 2010 8:28 AM

hi i just want to change my msn password & i don't know how to do that can u help me?
tanks

Sam
January 6, 2011 2:06 PM

I've lost msn password and even the answer to my question . How do i retrieve my password loke this anyone?

This article discusses recovery options for the various ways that Hotmail accounts can be lost or compromised: What are my Lost Hotmail Account and Password Recovery Options?
Leo
11-Jan-2011

Bridget
June 29, 2011 12:30 PM

I didn't forget my password, my msn was hacked and now I can't get back on it. I want my old msn back what can I do? Everything is linked to it I really need it back! HELP ME PLEASE!!

Mark J
June 29, 2011 1:28 PM

@Bridget
Same answer as above.
This article, already on Ask Leo, discusses recovery options for the various ways that Hotmail accounts can be lost or compromised and I believe applies in your situation:
http://ask-leo.com/C4445

Simon chang
January 2, 2012 3:15 PM

There is a great password Recovery Tool called Best pass recovery , its the ultimate solution for password recovery , it can recover passwords from IE , Firefox, Chrome , opera, windows live messenger , outlook , RAS and more , u can give it a try if u like , its available on {link removed - use Google if interested}

Actually there are several tools that can recover passwords you've allowed your software to remember for you. I've never heard of this specific tool. I would instead recommend the tools from http://www.nirsoft.net/, which I've used myself.
Leo
02-Jan-2012
Filippo
December 13, 2012 6:26 AM

Hey Leo
I want to know where msn store my forgotten password in my computer?

Mark J
December 13, 2012 8:01 AM

@Filippo
I don't know where MSN stores the password on your computer, but you can Google something like 'retrieve remember me passwords' and find a utility which can usually retrieve this password.
I forgot my password - can I somehow get my auto-login remembered password?

shakib ahmed
January 25, 2013 11:20 PM

i use hotmail last 6 yeras i like it

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.