Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

If your email provider supports CRAM-MD5 or DIGEST-MD5 authentication (on SMTP, POP3 or IMAP) — they're storing your password either in plaintext or reversibly encrypted.

If your ISP provides PPPoE, PPTP or IPsec-less L2TP connectivity and support CHAP, MS-CHAPv2 or PEAPv0/EAP-MSCHAPv2 authentication — they're probably storing your password in plaintext.

And while the email providers'd better start dropping this practice (as most mobile phones nowadays support SSL/TLS) and use TLS, ISPs are better stay with plaintext passwords. Wiretapping Ethernet, DSL line or open WiFi hotspot is orders of magnitude easier than hacking into the database. Obviously, that's only until the day majority of SOHO routers and other client hardware would support EAP-TLS.



CRAM-MD5 and DIGEST-MD5 are terrible for exactly this reason; a similar argument is part of the reason nobody uses HTTP digest auth. Mitigating this vulnerability is part of the motivation for SRP, which is computationally hard to brute force and non-reversable.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: