Re: references to password sniffer incident

1999-04-09 Thread Daniel J. Frasnelli

> At the 2600-coordinated Beyond HOPE conference (NYC, 1997), it was made
> very clear to users that passwords transmitted in-the-clear would be

Right, passwords always have been the weakest link.

> panel singled-out an unlucky telnet user, announcing a domain name and

Not just telnet is vulnerable, as you know.  I've watched as
security consultants ssh to a site, logout, and proceed to login to
another site using stock ftp.  The people are not stupid or anything,
they just don't think - hey, this protocol sends passwords in plaintext.
You can get around that by establishing a secure tunnel or using
Skip/an IPSEC implementation, but most folks don't do that yet.

> Perhaps that's the kind of shock factor that's necessary to get people
> (certain people, anyhow) thinking realistically about security.  We even

Ding ding ding, you've been awarded the "have clue" prize of the
day ;).   Think I mentioned this on coderpunks, but Schneier has two
"reality check" essays on Counterpane's site.  Good reading.

> considered sniffing passwords and hooking up a line printer in a central
> location. nah! :)

Someone I knew who was using a weak password (a foreign word from a
semi-obscure foreign language) challenged me one day, claiming I would
never find it out.
A few keystrokes and a sniff later, the password was in hand.
Using pop3 to transfer your mail to and from an offsite system
can be very revealing ;)
Seriously though, it's frightening to think of all the possible
ways an account can be compromised, and the limited public education
on how to prevent or delay many of these attacks.

Dan



Just the ticket for those conferences

1999-04-09 Thread Russell Nelson

http://loaf.ecks.org/

Linux On A Floppy.  Get networking params (IP address, subnet mask,
default router), power-down, insert floppy, reboot.  Comes with ssh.

-- 
-russ nelson [EMAIL PROTECTED]  http://crynwr.com/~nelson
Crynwr supports Open Source(tm) Software| PGPok |   There is good evidence
521 Pleasant Valley Rd. | +1 315 268 1925 voice |   that freedom is the
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   |   cause of world peace.



Re: GeeK: Just the ticket for those conferences

1999-04-09 Thread eric jackson

www.psychosis.com/linux-router/ - same idea, different project. has ssh
also.



ericj
On 9 Apr 1999, Russell Nelson wrote:

> http://loaf.ecks.org/
>
> Linux On A Floppy.  Get networking params (IP address, subnet mask,
> default router), power-down, insert floppy, reboot.  Comes with ssh.
>
> -- 
> -russ nelson [EMAIL PROTECTED]  http://crynwr.com/~nelson
> Crynwr supports Open Source(tm) Software| PGPok |   There is good evidence
> 521 Pleasant Valley Rd. | +1 315 268 1925 voice |   that freedom is the
> Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   |   cause of world peace.