Passwords and Cookies

Monkster

Hi,
I share a PC at work with other employees. I am running WIN2000 on a
Dell P4. I am curious to know if I log onto my Yahoo email account and
then log out if my password is stored ANYWHERE on my PC. If so, how do
I go about deleting it? We are allowed to check our external email but
I wouldn't want others in my office viewing my private email account.

Thanks!
 
It should not be as long as you do not use any auto logon to any accounts. I would
also make it a habit anyway to clear cookies/temporary internet files when you are
done. Of course another malicious user may be able to install a keyboard logger on
the computer and view logon info and passwords that way. You have to be careful on
any computer that is not physically secured. --- Steve
 
It should not be as long as you do not use any auto logon to any
accounts. I would also make it a habit anyway to clear
cookies/temporary internet files when you are done. Of course another
malicious user may be able to install a keyboard logger on the
computer and view logon info and passwords that way. You have to be
careful on any computer that is not physically secured. --- Steve

Actually, I would take it a step further - since the user is obviously on
a LAN, any malicious user with a NIC in promiscuous mode and a sniffer
can grab the packets... I haven't checked to see whether Yahoo uses SSL
for their login, but I would hope so. However, even if they do, I'd be
willing to bet the user has another account somewhere that they access
from work that uses the same password that isn't sent over a secure
connection.

just my paranoid 2 cents :)

--
/(bb|[^b]{2})/ that is the Question

ThePsyko
Public Enemy #7
http://prozac.iscool.net
 
Passwords are not sent over the wire in a Windows network. A challenge/response is
used with the password hash. Of course Windows 98 uses LM without the Directory
Services Client Installed and registry modified, though more than likely W2K is using
at least NTLMv2 which can be sniffed and cracked but not easily at best and will take
a program like LC3 which is not cheap and somebody with a lot of time on their hands
especially if there are more than a few hashes flying around and complex passwords
are used. A local sam would be much easier to crack, especially if the default
setting of storing lm hashes is enabled. Nothing wrong with being paranoid. I would
never enter my SS# or credit card number on a network other than my home one. ---
Steve


 
Passwords are not sent over the wire in a Windows network. A
challenge/response is used with the password hash. Of course Windows
98 uses LM without the Directory Services Client Installed and
registry modified, though more than likely W2K is using at least
NTLMv2 which can be sniffed and cracked but not easily at best and
will take a program like LC3 which is not cheap and somebody with a
lot of time on their hands especially if there are more than a few
hashes flying around and complex passwords are used.

I'm sure if somebody is going to take the time and trouble to set their
NIC in promiscuous mode and sift through the packets looking for those
containing the hashes, I don't think the possibility of them also having
a copy of LC is all that farfetched - most NT/2k admins I know carry a
copy with them.

regardless, I was actually referring to the sniffing of http traffic :)

A local sam would
be much easier to crack, especially if the default setting of storing
lm hashes is enabled. Nothing wrong with being paranoid. I would never
enter my SS# or credit card number on a network other than my home
one. --- Steve





--
/(bb|[^b]{2})/ that is the Question

ThePsyko
Public Enemy #7
http://prozac.iscool.net
 