How easy is it to sniff usernames/passwords on a website?

  #1  
01-11-2005, 09:01 AM
Max Renn
Making it up as I go along
 
Join Date: Jun 2001
Posts: 726

How easy is it to sniff usernames/passwords on a website?


Hello,

Firstly, I am not a "hacker" or anything like that. I'm just being paranoid.

I have set up a separate (online, web-based) business which will contain lots of reasonably important customer information (although no payment/credit card type information).

The customers log into the site using typical username/password textboxes. The login does NOT use https.

The administrators also use the same login system when logging in.

How easy would it be for someone to sniff the administrator username & password?

If possible, I'd like to try it myself.

Any information appreciated.

Thanks,
Steve

  #2  
01-11-2005, 09:25 AM
DennisCitus
Junior Guru Wannabe
 
Join Date: Nov 2003
Location: TeleCity 2, Amsterdam
Posts: 60
I am wondering too.

Not only how easy can you sniff such data, but WHO can sniff such data?

All routers and servers used to transit this data?

__________________
Citus.nl - Dedicated Servers in The Netherlands
http://www.citus.nl - info@citus.nl

  #3  
01-11-2005, 09:33 AM
pergesu
Web Hosting Master
 
Join Date: Jun 2004
Posts: 789
It's not the easiest thing in the world. You have to be in between the client and the webserver for this. Meaning that the packets have to go through your machine (or one you have access to) en route to the server. But if you can get onto the route, then it's pretty simple if it's all being sent in clear-text. Somebody with a decent amount of knowledge could do it fairly easily.

Bottom line, if there's info that you want to protect, then you need to put in mechanisms to protect it. Hoping that people won't try to break your security is naive, because they will.

  #4  
01-11-2005, 09:34 AM
pergesu
Web Hosting Master
 
Join Date: Jun 2004
Posts: 789
Quote:
Originally posted by DennisCitus
I am wondering too.

Not only how easy can you sniff such data, but WHO can sniff such data?

All routers and servers used to transit this data?
Correct - if the packets come through you at any point, you can sniff the data.

  #5  
01-11-2005, 10:40 AM
Slidey
Web Hosting Master
 
Join Date: Apr 2003
Location: UK
Posts: 2,560
Alternatively, if you're on the same hub/switch it's possible too.

If the data is transferred in plaintext then it's readable.

  #6  
01-11-2005, 10:54 AM
bitfuzzy
Aspiring Evangelist
 
Join Date: Dec 2004
Posts: 350
The above has been well stated.

I would only like to add, if the information is sensitive, you're doing yourself, your business, and your client base a disservice not enabling "https", as this would encrypt the data being passed.

*NOTE* https does not mean you're 100% safe, though you are compared to how data's currently being passed.

Just my 2 cents

  #7  
01-11-2005, 10:55 AM
wilcorp
Junior Guru Wannabe
 
Join Date: Dec 2004
Location: Back side of the Moon
Posts: 38
people, please...

SSL certs can cost as low as 30.00 a year for 128-bit encryption.

Once you have it you can call login and contact forms and all data is encrypted - which only adds to the consumer feeling at ease with your service.

It truly is a no brainer.

my 2 cents...

  #8  
01-11-2005, 11:00 AM
bitfuzzy
Aspiring Evangelist
 
Join Date: Dec 2004
Posts: 350
Quote:
Originally posted by wilcorp
people, please...

SSL certs can cost as low as 30.00 a year for 128-bit encryption.

Once you have it you can call login and contact forms and all data is encrypted - which only adds to the consumer feeling at ease with your service.

It truly is a no brainer.

my 2 cents...
FREE even if you have the ability to sign your own

  #9  
01-11-2005, 11:09 AM
wilcorp
Junior Guru Wannabe
 
Join Date: Dec 2004
Location: Back side of the Moon
Posts: 38
Well, anything FREE comes with a signature or some tracking code or some bullpoop like that. Remember there are also different grades of the same certificate.

A 30.00 cert is about the minimum I would use. I do put them on clients' sites, but for my own projects I opt for a little more name brand and I do pay for it, but they come with the extra insurance to help recover with should something go wrong.

It is important to know that a free cert will not come with much support and this can be frustrating should the set-up process run into a snag.

My take: just use a reseller of the recognized name brand certs, they are always cheaper, then check with your host. If you are your own host, great, but do some homework, because even if you go the FREE route, if you're like me your time is generally not free.

my 2 cents...

  #10  
01-11-2005, 11:18 AM
bitserve
Web Hosting Master
 
Join Date: Nov 2001
Location: Ann Arbor, MI
Posts: 2,978
Like bitfuzzy said, self-signed certificates are free and don't have any tracking code. The only expense might be the IP address and paying someone to implement it.

__________________
-Mark Adams
www.bitserve.com - Secure Michigan web hosting for your business.
Only host still offering a full money back uptime guarantee and prorated refunds.
Offering advanced server management and security incident response!

  #11  
01-11-2005, 11:19 AM
bitfuzzy
Aspiring Evangelist
 
Join Date: Dec 2004
Posts: 350
Nah, I didn't mean freely available.

I meant if he/she had the ability, and mod_ssl installed, he/she could literally create his/her own cert, and sign it.

The only drawback is that visitors would need to accept it via an informational popup.

It typically takes 2-3 min to set up, though the first couple of times tend to take longer heh

  #12  
01-11-2005, 11:20 AM
Slidey
Web Hosting Master
 
Join Date: Apr 2003
Location: UK
Posts: 2,560
gone off on a bit of a tangent here...

  #13  
01-11-2005, 11:22 AM
eWebtricity
Junior Guru Wannabe
 
Join Date: Oct 2004
Location: Tampa, Florida
Posts: 80
Something else to note is to maintain good security on your site and server and follow good security policies and procedures. If someone gains access to your server (Linux or Windows) they can install free sniffer tools on your server or use the ones already there to capture all the userid/passwd's they want.

__________________
eWebtricity
Hosting | Web Design | Server Administration
http://www.ewebtricity.net | sales@ewebtricity.net
http://www.1and1faq.com 1and1 Customer Support

  #14  
01-11-2005, 11:25 AM
thinkliberty
Junior Guru
 
Join Date: May 2003
Posts: 181
If you want to test this out on your own home network and have a Linux box, I suggest trying dsniff and ethereal (ethereal has a Windows version too).

Ethereal is a real eye opener on a switched network

  #15  
01-11-2005, 11:32 AM
Slidey
Web Hosting Master
 
Join Date: Apr 2003
Location: UK
Posts: 2,560
I always used to like ettercap
