General [M]ayhem

VanFanel
THERE IS NO DATA HERE - NONE AT ALL! \o/
 
 
whoa - did you know that Outlook does not encrypt passwords?

If you have email accounts set up to be retrieved by Outlook, beware of the fact that Outlook does not encrypt your passwords - essentially anyone with a packet sniffer can pick your password and user name up w/o a problem...
__________________
Das Auto.
Old 08-23-2006, 04:02 PM VanFanel is offline  
#1  


Shad0w
 
Welcome to POP.

Now try every other client out there and realize the same thing. There's a reason that smart people run it over SSL.
Old 08-23-2006, 04:03 PM Shad0w is offline  
#2  

jkoebel
 
Neither does any other mail client. Even mail clients with authentication just base64 your password. The only time it's encrypted is if your server uses SSL or SPA for authentication.

That's why the old adage used to be "e-mail is as private as a postcard."

It's not an Outlook thing, it's an e-mail thing.
Old 08-23-2006, 04:04 PM jkoebel is offline  
#3  
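
Added example (not part of the original thread, and not any mail client's own code): a small audit of client-side POP3/SMTP command logs that flags every login sent before TLS was active, showing that base64 AUTH data decodes without any key. The sessions, names, and passwords are constructed, and the function name audit_session and its assumptions (listed in the docstring) are hypothetical.

```python
import base64

def _b64(text):
    # Decoding needs no key: base64 is an encoding, not encryption.
    return base64.b64decode(text).decode("utf-8", "replace")

def audit_session(client_lines, implicit_tls=False):
    """Return (mechanism, username) for each login sent before TLS was active.

    Assumptions: POP3/SMTP client commands only, STARTTLS/STLS always
    succeeds, and AUTH PLAIN carries its response on the same line.
    """
    tls = implicit_tls
    findings = []
    pending_login = 0  # AUTH LOGIN: username line, then password line
    for line in client_lines:
        parts = line.split()
        if not parts:
            continue
        if pending_login:
            if pending_login == 2 and not tls:
                findings.append(("AUTH LOGIN", _b64(parts[0])))
            pending_login -= 1
            continue
        verb = parts[0].upper()
        if verb in ("STARTTLS", "STLS"):
            tls = True
        elif verb == "USER" and len(parts) > 1 and not tls:
            findings.append(("POP3 USER/PASS", parts[1]))
        elif verb == "AUTH" and len(parts) > 1:
            mech = parts[1].upper()
            if mech == "PLAIN" and len(parts) > 2 and not tls:
                # RFC 4616 layout: authzid NUL authcid NUL password
                fields = _b64(parts[2]).split("\x00")
                findings.append(("AUTH PLAIN", fields[1] if len(fields) == 3 else "?"))
            elif mech == "LOGIN":
                pending_login = 2
    return findings

# Constructed sessions (not captured traffic); all names and passwords are made up.
def enc(raw):
    return base64.b64encode(raw).decode()
POP3_CLEAR = ["USER alice@example.test", "PASS constructed-pw", "STAT"]
SMTP_PLAIN = ["EHLO pc.example.test", "AUTH PLAIN " + enc(b"\x00alice\x00constructed-pw")]
SMTP_LOGIN = ["EHLO pc.example.test", "AUTH LOGIN", enc(b"bob"), enc(b"constructed-pw")]
SMTP_STARTTLS = ["EHLO pc.example.test", "STARTTLS"] + SMTP_PLAIN

if __name__ == "__main__":
    for name in ("POP3_CLEAR", "SMTP_PLAIN", "SMTP_LOGIN", "SMTP_STARTTLS"):
        print(name, audit_session(globals()[name]))
```

The same POP3 session audited with implicit_tls=True (the "use SSL" account setting) produces no findings, because the whole exchange is inside the encrypted channel.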

Shad0w
 
Quote:
Originally Posted by jkoebel
Neither does any other mail client. Even mail clients with authentication just base64 your password. The only time it's encrypted is if your server uses SSL or SPA for authentication.

That's why the old adage used to be "e-mail is as private as a postcard."

It's not an Outlook thing, it's an e-mail thing.

So beaten.
Old 08-23-2006, 04:05 PM Shad0w is offline  
#4  

VanFanel
THERE IS NO DATA HERE - NONE AT ALL! \o/
 
 
wtf then - that's dumb. Is there any way to force my email accounts to use SSL? I.e. I have SBC email accounts - do they offer SSL connectivity?


edit: wait wtf - I just found out that I can decrypt my password from my domain-based email which DOES use SSL connectivity
__________________
Das Auto.
Old 08-23-2006, 04:05 PM VanFanel is offline  
#5  

Shad0w
 
Quote:
Originally Posted by Comrade Jew
wtf then - that's dumb. Is there any way to force my email accounts to use SSL? I.e. I have SBC email accounts - do they offer SSL connectivity?

Try it and see. Just look for an option saying "Use encryption"
Old 08-23-2006, 04:06 PM Shad0w is offline  
#6  

Komataguri
 
I love how you people usurped his attempt to bash Microsoft with cold hard facts.


Makes me tingle somewhere deep inside.
__________________
hey guys I have a sig, look!
Old 08-23-2006, 04:06 PM Komataguri is offline  
#7  

jkoebel
 
Quote:
Originally Posted by Shad0w
So beaten.

Indeed, props you beat me by 1 minute.
Old 08-23-2006, 04:07 PM jkoebel is offline  
#8  

Shad0w
 
Quote:
Originally Posted by jkoebel
Indeed, props you beat me by 1 minute.

Fuck, this is what happens when I'm bored at work. Given the option of debugging plsql or sitting on genmay, I'll choose genmay almost every time.
Old 08-23-2006, 04:08 PM Shad0w is offline  
#9  

jkoebel
 
Quote:
Originally Posted by Comrade Jew
wtf then - that's dumb. Is there any way to force my email accounts to use SSL? I.e. I have SBC email accounts - do they offer SSL connectivity?


edit: wait wtf - I just found out that I can decrypt my password from my domain-based email which DOES use SSL connectivity

Most applications don't use any "major" encryption on passwords entered into them -- mainly because they don't need to.

In a sensitive environment, your PC is going to be secured by group policy with positive trusted access, and in a normal environment, you secure physical access to the PC with a network login (requiring DC authentication when returning from Lock, for instance) to keep people from messing around.

If you can't trust the people sitting right at your workstation, then it fundamentally isn't your computer any more. Pretty much all locally-cached passwords can be recovered, it is just a matter of knowing which cache to look in and what to XOR it with.
Old 08-23-2006, 04:09 PM jkoebel is offline  
#10  

Shad0w
 
Quote:
Originally Posted by jkoebel
Most applications don't use any "major" encryption on passwords entered into them -- mainly because they don't need to.

In a sensitive environment, your PC is going to be secured by group policy with positive trusted access, and in a normal environment, you secure physical access to the PC with a network login (requiring DC authentication when returning from Lock, for instance) to keep people from messing around.

If you can't trust the people sitting right at your workstation, then it fundamentally isn't your computer any more. Pretty much all locally-cached passwords can be recovered, it is just a matter of knowing which cache to look in and what to XOR it with.

What he said.

You have to keep in mind that your computer needs to be able to access that password to use it, therefore there's always going to be a way for it to decrypt it unless it prompts you for the password every time. SSL is a network encryption method, it's got nothing to do with your local machine's security.
Old 08-23-2006, 04:13 PM Shad0w is offline  
#11  

All times are GMT -7.