Newbieish question about standard security practices


I've just been learning how to use Ethereal and have been looking at
how authentication is handled by various websites.  I found that sends your username and password as clear text.  Is this
normal practice, and is it particularly irresponsible (the answer can
be yes to both questions at once)?  They don't have your bank account
number or anything extremely sensitive like that, but probably half of
the users have the same username/passwords for other sites that you do.

Re: Newbieish question about standard security practices

I think it is irresponsible in this day and age, especially when so many
better solutions exist. Network sniffing is so common now. In the past,
you at least had to have some skill to understand a network sniffer to
steal passwords. Now, any 13 year old script kiddie can download one of
a thousand password sniffers and start stealing your information.
Publicly accessible networks like wireless hotspots, college/school
networks, public libraries and internet cafes only make the issue more
urgent. My girlfriend was going to one of the big universities here in
Chicago and asked me one day how safe was it logging on to her personal
email accounts through her school's network. Curious to find out myself,
I fired up Ethereal on her WinXP PC and was totally surprised to find
out we were not on a switched network. I could see all the traffic on
my physical segment of the network. I downloaded a Windows password
sniffing utility that's popular with the script kiddies called Cain,
just to see what it would capture. I was shocked at what it found.
Within hours it had captured over 50 plain-text passwords. Even the
university's own internal pages that allowed access to students'
personal information were authenticated in plain-text. Something as
simple as just authenticating over an SSL connection would be infinitely
better than no protection at all.

Re: Newbieish question about standard security practices wrote:


It (including base-64 basic authentication) is very common, which is why I'd
stop short of calling it "particularly" irresponsible.

However, IMO web sites requiring authorization should use an encrypted
connection, which should be protected by using a generally recognized
certificate. Granted, many users would still fall for a MITM attack, but
performing one is much more complicated than grabbing the plain text or
base-64 passwords off the line.
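
To illustrate the point in the reply above that base-64 Basic authentication offers no more protection than plain text, here is an added example (not part of the original thread) of a defender-side check that reports which credentials in an HTTP request are readable on the wire. The sample requests, the host `example.test` and the `SECRET_FIELDS` list are constructed assumptions.

```python
import base64
from urllib.parse import parse_qsl

# Form field names treated as secrets (assumed list; extend for your site).
SECRET_FIELDS = {"password", "passwd", "pass", "pwd"}

def audit_request(raw: bytes, encrypted: bool) -> list[str]:
    """Return findings for credentials a passive observer could read."""
    if encrypted:
        return []  # TLS hides headers and body from others on the segment
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    findings = []
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic":
        # Base64 is an encoding, not encryption: decoding needs no key.
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
            user, sep, _password = decoded.partition(":")
        except ValueError:
            user, sep = "", ""
        if sep:
            findings.append(
                f"basic-auth: password for '{user}' recoverable by base64 decode")
    content_type = headers.get("content-type", "")
    if content_type.startswith("application/x-www-form-urlencoded"):
        for key, value in parse_qsl(body.decode("latin-1")):
            if key.lower() in SECRET_FIELDS and value:
                findings.append(f"form: field '{key}' sent in clear text")
    return findings

# Constructed sample requests (not captured traffic).
BASIC_REQ = (b"GET /members HTTP/1.1\r\nHost: example.test\r\n"
             b"Authorization: Basic " + base64.b64encode(b"alice:s3cret")
             + b"\r\n\r\n")
FORM_REQ = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
            b"username=alice&password=s3cret")

if __name__ == "__main__":
    for req in (BASIC_REQ, FORM_REQ):
        print(audit_request(req, encrypted=False))
```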



Re: Newbieish question about standard security practices wrote:


Yes it is irresponsible, yes it is fairly common practice. You may
want to poke through your cookies sometime as well. It's amazing how
many cookies store authentication information that is usable in a
replay attack.

It's just a matter of laziness and site managers not doing the due
diligence to protect their customers' interests. SSL-izing the website
would prevent sniffing; that doesn't even require any code, just
properly configuring the server.

Open source modules are available for doing this correctly even using
straight port 80 tcp, and take very little additional effort to

