
01-11-2005, 09:01 AM
Making it up as I go along
Join Date: Jun 2001
Posts: 726

How easy is it to sniff usernames/passwords on a website?
Hello,
Firstly, I am not a "hacker" or anything like that. I'm just being paranoid.
I have set up a separate (online, web-based) business which will contain lots of reasonably important customer information (although no payment/credit card type information).
The customers log into the site using typical username/password textboxes. The login does NOT use https.
The administrators also use the same login system when logging in.
How easy would it be for someone to sniff the administrator username & password?
If possible, I'd like to try it myself.
Any information appreciated.
Thanks,
Steve

01-11-2005, 09:25 AM
Junior Guru Wannabe
Join Date: Nov 2003
Location: TeleCity 2, Amsterdam
Posts: 60

I am wondering too.
Not only how easy can you sniff such data, but WHO can sniff such data?
All routers and servers used to transit this data?

01-11-2005, 09:33 AM
Web Hosting Master
Join Date: Jun 2004
Posts: 789

It's not the easiest thing in the world. You have to be in between the client and the webserver for this. Meaning that the packets have to go through your machine (or one you have access to) en route to the server. But if you can get onto the route, then it's pretty simple if it's all being sent in clear-text. Somebody with a decent amount of knowledge could do it fairly easily.
Bottom line, if there's info that you want to protect, then you need to put in mechanisms to protect it. Hoping that people won't try to break your security is naive, because they will.

01-11-2005, 09:34 AM
Web Hosting Master
Join Date: Jun 2004
Posts: 789

Quote:
Originally posted by DennisCitus
I am wondering too.
Not only how easy can you sniff such data, but WHO can sniff such data?
All routers and servers used to transit this data?

Correct - if the packets come through you at any point, you can sniff the data.

01-11-2005, 10:40 AM
Web Hosting Master
Join Date: Apr 2003
Location: UK
Posts: 2,560

Alternatively, if you're on the same hub/switch it's possible too.
If the data is transferred in plaintext then it's readable.

01-11-2005, 10:54 AM
Aspiring Evangelist
Join Date: Dec 2004
Posts: 350

The above has been well stated.
I would only like to add, if the information is sensitive, you're doing yourself, your business, and your client base a disservice by not enabling "https", as this would encrypt the data being passed.
*NOTE* https does not mean you're 100% safe, though you are compared to how data's currently being passed.
Just my 2 cents
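To make the point of the replies above concrete from the site owner's side, here is an added example (not code from anyone in this thread) that audits a captured request the way a passive observer on the path would see it: a plain-HTTP login is readable text, so a form field named `password` or a Basic `Authorization` header can be flagged; a TLS session on the same path shows only the opaque record framing, so the same audit finds nothing. The request bytes, the hostname `shop.example` and the list of field names treated as secrets are all constructed assumptions for this example. The function reports which fields were exposed, not their values, so it is suitable for running over your own captures to find logins that still go out unencrypted.

```python
"""Audit captured requests for credentials sent without TLS (added example)."""
from urllib.parse import parse_qs

# Form field names usually carrying a secret (assumption for this example).
SECRET_FIELDS = {"password", "passwd", "pass", "pwd", "secret"}

# TLS record content types: change_cipher_spec, alert, handshake, application_data.
TLS_RECORD_TYPES = b"\x14\x15\x16\x17"


def parse_http_request(raw: bytes):
    """Split a plain-HTTP request into (method, path, headers, body).

    Returns None when the bytes are not a readable HTTP request, for
    example a TLS record, whose first byte is a content type 0x14-0x17.
    """
    if raw[:1] in TLS_RECORD_TYPES:
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers, body


def find_cleartext_credentials(raw: bytes):
    """Return (host, path, field) findings for credentials readable on the wire.

    Only field names are reported, never the submitted values.
    """
    parsed = parse_http_request(raw)
    if parsed is None:
        return []  # nothing readable: encrypted or not HTTP at all
    method, path, headers, body = parsed
    host = headers.get("host", "?")
    findings = []
    if method == "POST" and headers.get("content-type", "").startswith(
        "application/x-www-form-urlencoded"
    ):
        for field in parse_qs(body, keep_blank_values=True):
            if field.lower() in SECRET_FIELDS:
                findings.append((host, path, field))
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        findings.append((host, path, "authorization: basic"))
    return findings


# Constructed sample: an admin login over plain HTTP, exactly as it crosses the wire.
HTTP_LOGIN = (
    b"POST /admin/login.php HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 31\r\n"
    b"\r\n"
    b"username=admin&password=hunter2"
)

# Constructed sample: the start of a TLS handshake (record type 0x16, version 0x0303,
# length 42) followed by a zeroed ClientHello body. The login that follows inside the
# session is not recoverable from this framing.
TLS_RECORD = bytes.fromhex("1603030024") + b"\x01\x00\x00\x20" + bytes(32)


if __name__ == "__main__":
    print(find_cleartext_credentials(HTTP_LOGIN))  # [('shop.example', '/admin/login.php', 'password')]
    print(find_cleartext_credentials(TLS_RECORD))  # []
```

The same check applied to a GET with no form body and no Authorization header returns an empty list, which is the distinction that matters here: the audit flags the login exchange, not every request.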

01-11-2005, 10:55 AM
Junior Guru Wannabe
Join Date: Dec 2004
Location: Back side of the Moon
Posts: 38

people, please...
SSL Certs can cost as low as 30.00 a year for 128 bit Encryption.
Once you have it you can call login and contact forms and all data is encrypted - which only adds to the consumer feeling at ease with your service.
It truly is a no brainer.
my 2 cents...

01-11-2005, 11:00 AM
Aspiring Evangelist
Join Date: Dec 2004
Posts: 350

Quote:
Originally posted by wilcorp
people, please...
SSL Certs can cost as low as 30.00 a year for 128 bit Encryption.
Once you have it you can call login and contact forms and all data is encrypted - which only adds to the consumer feeling at ease with your service.
It truly is a no brainer.
my 2 cents...

FREE even if you have the ability to sign your own

01-11-2005, 11:09 AM
Junior Guru Wannabe
Join Date: Dec 2004
Location: Back side of the Moon
Posts: 38

well anything FREE comes with a Signature or some tracking code or some bullpoop like that, remember there are also different grades of the same Certificate.
A 30.00 Cert. is about the minimum I would use, I do put them on clients' sites, but for my own projects I opt for a little more name brand and I do pay for it, but they come with the extra insurance to help recover should something go wrong.
It is important to know that a free Cert will not come with much support and this can be frustrating should the set-up process run into a snag.
my take, just use a reseller of the recognized name brand Certs., they are always cheaper, then check with your Host, if you are your own host, great, but do some homework, because even if you go the FREE route, if you're like me your time is generally not free.
my 2 cents...

01-11-2005, 11:18 AM
Web Hosting Master
Join Date: Nov 2001
Location: Ann Arbor, MI
Posts: 2,978

Like bitfuzzy said, self signed certificates are free and don't have any tracking code. The only expense might be the IP address and paying someone to implement it.
__________________
-Mark Adams
www.bitserve.com - Secure Michigan web hosting for your business.
Only host still offering a full money back uptime guarantee and prorated refunds.
Offering advanced server management and security incident response!

01-11-2005, 11:19 AM
Aspiring Evangelist
Join Date: Dec 2004
Posts: 350

Nah, I didn't mean freely available
I meant if he/she had the ability, and mod_ssl installed, he/she could literally create his/her own cert, and sign it.
The only drawback is that visitors would need to accept it via an informational popup.
It typically takes 2-3 min to set up, though the first couple of times tend to take longer heh

01-11-2005, 11:20 AM
Web Hosting Master
Join Date: Apr 2003
Location: UK
Posts: 2,560

gone off on a bit of a tangent here...

01-11-2005, 11:22 AM
Junior Guru Wannabe
Join Date: Oct 2004
Location: Tampa, Florida
Posts: 80

Something else to note is to maintain good security on your site and server and follow good security policies and procedures. If someone gains access to your server (linux or windows) they can install free sniffer tools on your server or use the ones already there to capture all the userid/passwd's they want.

01-11-2005, 11:25 AM
Junior Guru
Join Date: May 2003
Posts: 181

If you want to test this out on your own home network and have a linux box, I suggest trying dsniff and ethereal (ethereal has a windows version too).
Ethereal is a real eye opener on a switched network.

01-11-2005, 11:32 AM
Web Hosting Master
Join Date: Apr 2003
Location: UK
Posts: 2,560

i always used to like ettercap