
What your users need to know about 'clear text' passwords

Beginner:

Users: verify that the URL in your browser starts with "HTTPS://" (note the "s") rather than "HTTP://" on any website where you need to enter a user account and password.

If you use HTTP:// when you log into a website, a bad actor ("hacker") has the opportunity to see and steal your user account and password.

If HTTPS does not work, please contact your IT department for more options. They may be able to suggest a secure password manager.

Intermediate:

Unfortunately, many websites and services today still offer un-encrypted login. With un-encrypted login the password is NOT encrypted; it travels as "cleartext" and can be read directly by anyone who captures the traffic. If you connect to a web service via an un-encrypted login (HTTP) and a bad actor captures that network traffic, they may be able to use that same username and password to log on to your banking website or your company's secure servers (if you use the same or even a similar username and password on those sites). You should either use "throw-away" passwords for these open websites or only connect to a website via "HTTPS".

Here is how all of this works from a technical perspective. For example, HTTP://login.yahoo.com still offers un-encrypted login, as you see below. Note the plain document icon to the left of login.yahoo.com in the address bar and the absence of HTTPS://. See arrow below:

However, if you simply add "HTTPS://" in front of login.yahoo.com, you will see the icon change to a green lock. This means that you have a secure, encrypted connection. See arrow below:

Advanced:

If you capture the network traffic with any off-the-shelf free network analyzer (such as Wireshark, https://www.wireshark.org), you will see that you can clearly make out the password in "clear text" when the login used HTTP. See highlight below:

POST / HTTP/1.1
Host: login.yahoo.com
Connection: keep-alive
Content-Length: 152
Origin: http://login.yahoo.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Referer: http://login.yahoo.com/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,es;q=0.6
Cookie: B=2s8ptrha98e1g&b=3&s=5t; ywandp=10001954694556%3A4258016092; fpc=10001954694556%3AZcONPF_r%7C%7C; ypcdb=6d057b8719da800d75c5710dea2b0d8d
username=test%40testme.com&passwd=iamapasswordyoucanread&signin=&_crumb=ZnLe2YXtw%2FL&_ts=1421426096&_format=json&_uuid=S6U4ACrnzSVm&_seqid=2&_loadtpl=1

But if you use HTTPS, the request body (including your username and password) is encrypted, and all you will see with a network analyzer is gibberish.

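As an added example (not from the original article), the following Python script automates the check a defender would apply to captured traffic: it parses a request like the one captured above and flags credential fields that were submitted over plain HTTP. The request text is constructed here to mirror that capture, with the test account and a made-up password; the list of secret field names is an assumption you would tune for your environment.

```python
# Added example (not part of the original article): parse a captured HTTP
# request and report any credential-looking form fields sent in cleartext.
from urllib.parse import parse_qs

# Field names commonly used for secrets (assumed list; extend to fit your apps).
SECRET_FIELDS = {"passwd", "password", "pass", "pwd", "secret", "token"}

# Constructed sample: same shape as the cleartext POST captured above,
# with a test account and a made-up password.
SAMPLE_REQUEST = (
    "POST / HTTP/1.1\r\n"
    "Host: login.yahoo.com\r\n"
    "Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n"
    "Content-Length: 64\r\n"
    "\r\n"
    "username=test%40testme.com&passwd=iamapasswordyoucanread&signin="
)


def parse_http_request(raw: str):
    """Split a raw HTTP/1.x request into (request line, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_cleartext_credentials(raw: str, tls: bool = False):
    """Return {field: value} for secret-looking fields posted without TLS.

    Only form-encoded POST bodies are inspected. When the capture came from a
    TLS session the body is ciphertext, so there is nothing to inspect.
    """
    if tls:
        return {}
    request_line, headers, body = parse_http_request(raw)
    if not request_line.startswith("POST"):
        return {}
    ctype = headers.get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return {}
    fields = parse_qs(body, keep_blank_values=True)  # also decodes %40 -> @
    return {k: v[0] for k, v in fields.items() if k.lower() in SECRET_FIELDS}


if __name__ == "__main__":
    for field, value in find_cleartext_credentials(SAMPLE_REQUEST).items():
        print(f"ALERT: field '{field}' sent in clear text: {value!r}")
```

Run against a packet capture exported from your analyzer, the same logic tells you which internal applications are still accepting logins over HTTP and therefore need HTTPS enforced.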


Powered by Zendesk