It would make it harder for them to impersonate their users and read all their mail. I would still be concerned that they want to run a rainbow table attack against it though. They should not steal user credentials at all, because it is simply not necessary for a functioning email client.
What?
They would use the hashed password to log in to the server, using something like XOAUTH2. That’s the point of the hashed password. It accomplishes nothing other than revocation, which can be done already by changing your password.
What you are referring to is called an access token and has nothing to do with hashed passwords. A hashed password cannot be used directly to authenticate, otherwise it would not be a hashed password, but just a password (or access token, which is the same really).
I don't understand how hashed passwords got into this discussion though. My point is that Microsoft should have no way to authenticate as an Outlook user against their third-party mail provider without the user explicitly giving them permission to do so, and what they do is strictly unnecessary to provide the functionality of an email client.