Which is why I keep asking the question. Can someone point me in the right direction as to where an Ethereal capture of my login/pass to Yahoo Mail (or any other site for that matter that _does_ not use ssl/ssh connections) will lead to a compromise?
I've seen things like "....user=someuser&.pass=&*#IDJ&$Jjs74f;604ksu455ldkg&.statu=......." something like that. Can someone use a crack tool like jack the ripper or some other variants to crack it?
As I asked a few times already. How does my PC know what to encode/encrypt the plain-text pass I type in into that hash that Yahoo/whatever login/pass combo I enter for any site that needs pass access?
The short answer is that it depends upon the nature of the client. There are techniques for authentication that do not involve sending an encoding of the password from which there is no possibility of decoding it. There are also techniques that involve lightly encrypting the password and there's every possibility of decoding it. Your example password could be either. If I was optimistic I'd say it was the former, but in security I tend to lean towards pessimism.
There are two ways to get an answer to your question: ask your ISP (Yahoo?) and see what they say; or take a long hard look at all the JavaScript and whatnot that comes down with the login page and see what it does. You'll have to decide for yourself whether or not the encoding or hashing of the password is sufficiently secure for your needs -- it's certainly off-topic for this list though.
I'm sorry, I don't mean to sound unhelpful, but it is rather difficult to answer questions about security like this with so little information. You really do need to move the questions to a list that talks about this kind of thing, or at least go searching on Google.
jch
-- Shrike-list mailing list Shrike-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/shrike-list
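
The two kinds of scheme contrasted in the reply above, as an added example that is not part of the original thread and not any site's actual login code. The base64 "light" encoding, the HMAC-SHA256 challenge-response, and every function name and sample value are assumptions chosen for illustration.

```javascript
// Added illustration: scheme, names and sample values are assumptions.
const crypto = require('node:crypto');

const sha256hex = (s) => crypto.createHash('sha256').update(s).digest('hex');

// Scheme A: reversible encoding. Anyone holding the capture can decode it.
const encodeLight = (password) => Buffer.from(password, 'utf8').toString('base64');
const decodeLight = (captured) => Buffer.from(captured, 'base64').toString('utf8');

// Scheme B: challenge-response. The server stores a verifier derived from the
// password and issues a fresh random challenge with every login page.
const makeVerifier = (password) => sha256hex(password);
const newChallenge = () => crypto.randomBytes(16).toString('hex');

// Client side: what the login page's script would put in the form field.
function clientResponse(password, challenge) {
  return crypto.createHmac('sha256', makeVerifier(password)).update(challenge).digest('hex');
}

// Server side: recompute from the stored verifier, compare in constant time.
function serverVerify(verifier, challenge, response) {
  const expected = crypto.createHmac('sha256', verifier).update(challenge).digest();
  const got = Buffer.from(response, 'hex');
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

// Caveat: a captured (challenge, response) pair cannot be decoded, but it can
// still be checked against candidate passwords offline, so a weak password
// stays weak under this scheme.
function matchesCandidate(candidate, challenge, response) {
  return serverVerify(makeVerifier(candidate), challenge, response);
}

function demo() {
  const password = 'correct horse battery staple'; // constructed sample
  const verifier = makeVerifier(password);
  const c1 = newChallenge();
  const captured = clientResponse(password, c1); // what a sniffer would see
  return {
    lightDecoded: decodeLight(encodeLight(password)),           // password recovered
    loginOk: serverVerify(verifier, c1, captured),              // true
    replayOk: serverVerify(verifier, newChallenge(), captured), // false
    guessHit: matchesCandidate(password, c1, captured),         // true
    guessMiss: matchesCandidate('letmein', c1, captured),       // false
  };
}

console.log(demo());
```

Neither scheme protects the session that follows the login; only a TLS-protected connection covers both the credential and the traffic after it.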