Secure Yahoo logins

From: Jeremy (prrthd@myrealbox.com)
Date: 08/28/02


From: "Jeremy" <prrthd@myrealbox.com>
To: vuln-dev@securityfocus.com
Date: Tue, 27 Aug 2002 22:10:48 +0000

Hello all,

  Recently, it has come to my attention that many of our users are using the standard login to access their Yahoo accounts. I want to push a policy that requires them to use the secure login option instead. I would like to show my boss that you can capture the username and password by simply doing some sniffing.
  Well, to do a test I fired up Ethereal and captured a session of me logging into a new Yahoo account. What kind of surprised me is that the password looks encrypted. My first guess was that it was just base64 MIME encoded, but that turned out to be wrong. Does anyone have any idea how they encrypt their passwords, or have any tools that will try to crack the passwords?
  My other question is: if the passwords are encrypted, why do they offer a secure login option? How does that increase security, other than adding a brief SSL session?

Thanks,
  Jeremy


