passwords that get sent in plain text?
Results 1 to 8 of 8

Thread: passwords that get sent in plain text?

  1. #1
    Senior Member
    Join Date
    Oct 2004
    Posts
    172

    passwords that get sent in plain text?

    apparently a lot of services that require a login still handle the username and password as plain text, making it relatively easy to get with a sniffer. i remember a nifty exhibit concerning this at defcon, it was called the "wall of sheep". anyway, i want to know:

    1. what services still send passwords out in plain text? if i log in to any web interface that isnt using https or some encryption layer(message boards, web mail, etc.), is my info just being sent in plain text? what about a pop3 email account or a video game like world of warcraft or guild wars?

    2. what can a i do about it? is there some kind of personal encryption layer that i could use? i'm not sure if that would work because the server would have to decrypt it on other side.

  2. #2
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    There will always be systems that use plain text that you have to use... The idea is to trust your local network (the odds of the data being sniffed as it crosses the Internet is much less likely) and trust the recipient and do your best (at least with the local network) to ensure it's secure..

    As far as what's plain text... that's endless, some of the major ones are: HTTP, FTP, Telnet, POP3, SMTP, IRC... however there are options for most of these..

    Instead of using HTTP, use HTTPS... if a site doesn't use it, question why or don't use the site... also ensure that the site isn't using it's own local encryption methods (then HTTPS may not be needed)

    Instead of FTP use SFTP... most places these days will provide it as an alternative

    Instead of telnet use SSH... there will seldom be times when telnet is actually needed, SSH should always be used instead...

    Instead of POP3 use pop3s... if that isn't an option investigate a new mail provider..

    Instead of SMTP use smtps... again same as above..

    Instead of IRC use IRC over SSL or move to SILC..

    However the number of plaintext protocols is practically endless... especially as people devise their own apps.... The idea is to control as much as you can and have a little faith....

    For things like personal encryption you could encrypt your email (which you should do anyways as it crossing the wire in plain text can be as bad as your password crossing)..

    Anyways you have to realize that plain-text protocols aren't what you should be afraid of... there are many things out there that are much worse...

    Secure your local network and you've done everything you can... Everyone uses plain text and, so far, most of us have not had a problem with it..

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  3. #3
    Senior Member
    Join Date
    Oct 2004
    Posts
    172
    i'm going off to college in the fall and i'll be using the college's network via my dorm. i dunno what kind of security they'll have, but to me it seems that it would be very easy for someone to sniff. if they mac spoof they would probably be pretty difficult to catch, so i dunno if disciplinary action(which is probably severe) will be much of a deterrent.

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Everything and everybody can be traced. Even those that "mac spoof". As long as you have access to the routers and switches you can trace someone up to the port s/he is connected. After that it's a matter of following the wire.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    Senior Member
    Join Date
    Oct 2004
    Posts
    172
    you mean the physical ethernet ports of the router, not tcp/ip ports, right? what if they use wifi?

  6. #6
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    Originally posted here by slinky2004
    i'm going off to college in the fall and i'll be using the college's network via my dorm. i dunno what kind of security they'll have, but to me it seems that it would be very easy for someone to sniff. if they mac spoof they would probably be pretty difficult to catch, so i dunno if disciplinary action(which is probably severe) will be much of a deterrent.
    On that type of network I would not conduct any sensitive business over a clear text connection.. By sensitive I mean, health and medical history, banking, etc...

    However, all of those services will use atleast 128bit encryption.

    Do you really stand to lose a lot if somebody gets into your google or hotmail account? Even those use https for the authentication. In order to assess the risk that you face you have to think about how much will it cost you if xyz data is intercepted. I would imagine for a college student as long as you make sure you cover yourself for identify theft, you don't have much else to worry about.

  7. #7
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by slinky2004
    you mean the physical ethernet ports of the router, not tcp/ip ports, right?
    Correct..
    what if they use wifi?
    Triangulation..
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  8. #8
    Hoopy Frood
    Join Date
    Jun 2004
    Posts
    662
    Originally posted here by slinky2004
    i'm going off to college in the fall and i'll be using the college's network via my dorm. i dunno what kind of security they'll have, but to me it seems that it would be very easy for someone to sniff.
    You can minimize this risk if you have the following:
    - Broadband, always on connection at home (best if it has static IP, but possible if it's dynamic)
    - Extra computer

    Set up a SSL server at home that you can connect to. You can then route all your sensitive traffic (web browser, instant messenger programs, etc.) through that. Now, I've never personally done this, but I know it's more than possible.

    - Xierox
    "Personality is only ripe when a man has made the truth his own."

    -- Søren Kierkegaard

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •