
I can't find it now, but I seem to remember this came up in response to another breach ~24 months ago. At that time they made an announcement to the effect that from then on you'd no longer be able to have your password sent to you if you forgot it, but that you would instead need to use an account recovery key.

I took that to mean that prior to being pwnd they had been storing passwords cleartext and would no longer be doing so.

Also, the wording about allowed special characters seems to be incorrect. I personally have a non ./-/_ special character in mine. Unless they are doing something terribad like silently discarding noncompliant parts of the password.

Re: password length - at least 32 characters is respectable. I believe last time I used outlook.com they had a max length of 12-16!

Oh and on the topic of silently discarding portions of passwords, another outlook.com password deficiency (circa 2011, doubt it still exists):

When setting the password, max length was only enforced by a text input with a max length attribute. You could happily type more characters and everything would work as expected... until you went to log in. The max length on the password field on the login form was greater, so those characters that were silently dropped when setting the password suddenly weren't.
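The failure mode the two comments above describe (a length limit that lives only in the set-password form's maxlength attribute, with a different limit on the login form) can be reproduced in a few lines. This is an added example, not the commenter's code or anything from outlook.com; the limits 16, 64 and 32, the user names and the sample password are constructed for illustration, and the fix shown is the usual one: the server enforces one policy on the submitted value and rejects rather than silently truncating.

```python
import hashlib
import hmac
import os

# Constructed values; the commenter gives no exact numbers.
SET_FORM_MAXLENGTH = 16    # maxlength on the set-password <input>
LOGIN_FORM_MAXLENGTH = 64  # larger maxlength on the login <input>
POLICY_MAX_LEN = 32        # the one limit the fixed server enforces

def browser_input(typed: str, maxlength: int) -> str:
    """Model an HTML <input maxlength=N>: extra characters are dropped silently."""
    return typed[:maxlength]

def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

class BuggyServer:
    """Trusts the form's maxlength: hashes and stores whatever arrives."""
    def __init__(self) -> None:
        self.db: dict[str, tuple[bytes, bytes]] = {}
    def set_password(self, user: str, submitted: str) -> None:
        salt = os.urandom(16)
        self.db[user] = (salt, derive(submitted, salt))
    def login(self, user: str, submitted: str) -> bool:
        salt, digest = self.db[user]
        return hmac.compare_digest(derive(submitted, salt), digest)

class FixedServer(BuggyServer):
    """Enforces the length policy itself and rejects instead of truncating."""
    def set_password(self, user: str, submitted: str) -> None:
        if len(submitted) > POLICY_MAX_LEN:
            raise ValueError(f"password longer than {POLICY_MAX_LEN} characters")
        super().set_password(user, submitted)

def rejects_overlong(server: BuggyServer, submitted: str) -> bool:
    # True if the server refuses the value (models a client that skips the form).
    try:
        server.set_password("bob", submitted)
    except ValueError:
        return True
    return False

def reproduce(typed: str = "correct horse battery staple!!") -> dict[str, bool]:
    """Set the password via the set form, then log in via the login form."""
    buggy, fixed = BuggyServer(), FixedServer()
    buggy.set_password("alice", browser_input(typed, SET_FORM_MAXLENGTH))
    fixed.set_password("alice", browser_input(typed, POLICY_MAX_LEN))
    return {
        "buggy_full": buggy.login("alice", browser_input(typed, LOGIN_FORM_MAXLENGTH)),
        "buggy_truncated": buggy.login("alice", typed[:SET_FORM_MAXLENGTH]),
        "fixed_full": fixed.login("alice", typed),
    }
```

With the buggy server the 30-character password only works when the user happens to retype exactly the first 16 characters; with the fixed server the full password works and an over-long value is refused at set time instead of being silently shortened.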
