What are the implications (if any) with regard to the transfer of user passwords over the network? Are passwords ever passed over the network in clear text and, if not, how are they transferred?
There are many instances where passwords may be sent over the network. In general, the older network protocols tend to use plain text passwords and have been modified to introduce encrypted versions.
- For HTTP and HTTPS we use a “weak encryption”. That is, one that is intended to stop casual observation of passwords but would not be a defence against a brute force attack. If the customer is using HTTPS, then there is an additional layer of encryption offered by SSL, which is now a standard addition to all web browsers. To install SSL, a key is required, which can be obtained from Gordano sales.
- For POP, passwords are transferred in clear text. POP has been modified and APOP introduced to stop passwords being shared over the network. If all the POP clients support APOP, GMS can REQUIRE APOP authentication.
- For IMAP4, passwords are transferred in clear text. IMAP has been modified and several authentication methods introduced to stop passwords being shared over the network.
- In SMTP, passwords are encrypted using MD5 or CRAM-MD5. Users typically authenticate SMTP to allow them to send email to any destination (by default, SMTP will not allow messages to be relayed).
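
How APOP and CRAM-MD5 keep the password itself off the wire, shown as an added example that is not part of the original article or of GMS. The function names are illustrative, and the sample values are the published examples from RFC 1939 (APOP) and RFC 2195 (CRAM-MD5).

```python
import hashlib
import hmac

def apop_digest(banner_timestamp: str, password: str) -> str:
    """RFC 1939 APOP: hex MD5 of the server's banner timestamp + shared secret."""
    return hashlib.md5((banner_timestamp + password).encode()).hexdigest()

def cram_md5_response(challenge: str, user: str, password: str) -> str:
    """RFC 2195 CRAM-MD5: 'user hex(HMAC-MD5(key=password, msg=challenge))'.
    On the wire this string is base64-encoded; the password is never sent."""
    mac = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{user} {mac}"

def server_verify_apop(banner_timestamp: str, stored_password: str,
                       client_digest: str) -> bool:
    # The server recomputes the digest from its own copy of the secret and
    # compares in constant time to avoid leaking how many characters matched.
    expected = apop_digest(banner_timestamp, stored_password)
    return hmac.compare_digest(expected.encode(), client_digest.lower().encode())

def server_verify_cram(challenge: str, user: str, stored_password: str,
                       client_response: str) -> bool:
    expected = cram_md5_response(challenge, user, stored_password)
    return hmac.compare_digest(expected.encode(), client_response.encode())

def replay_accepted(old_banner: str, new_banner: str, password: str) -> bool:
    """A digest captured from one session is checked against a later session's
    banner; a fresh timestamp per connection makes the old digest useless."""
    captured = apop_digest(old_banner, password)
    return server_verify_apop(new_banner, password, captured)

if __name__ == "__main__":
    # Sample values from the RFCs (not real credentials).
    banner = "<1896.697170952@dbc.mtview.ca.us>"
    print("APOP mrose", apop_digest(banner, "tanstaaf"))
    challenge = "<1896.697170952@postoffice.reston.mci.net>"
    print(cram_md5_response(challenge, "tim", "tanstaaftanstaaf"))
    print("replay accepted:",
          replay_accepted(banner, "<1897.697170999@dbc.mtview.ca.us>", "tanstaaf"))
```

Both schemes protect only the authentication step; the rest of the session is still readable on the network unless it runs over SSL.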
Keywords: passwords security network encryption apop etrn