Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

>Basically everything microsoft makes that touches http will send your username and your password to any server that asks for Basic Authentication.

Are you talking about NTLM hashes? It's a weak hash, but not the same as "sending your password". The biggest difference is that even a weak hash can't be reversed if the password has high enough entropy.



yes, I meant to type hash. Not that it matters as even 10yr old integrated GPUs are enough to brute force 8 or 9 character NTLM(or any variant) passwords in a few hours. Not that you need to with Pass The Hash.


Not necessarily, the server can say it only supports basic auth and….


I don't think there's any evidence that windows sends cleartext passwords. The whole reason why NTLM is a thing is to avoid sending cleartext passwords.


Outlook appears to be


The 'https://' disagrees with your 'sending clear text passwords' statement.


It’s clear text to the receiving server, which is what we’re talking about, not one way hashed.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: