Passwords

  • Passwords

    Hi

    Hope this has not been killed before, so what's the story with passwords? I see passwords on port 110 and 80 for starters are easily picked up on the LAN by ettercap, am sure there is a Microsoft equivalent.

    My question is, what the fuck am I bothering with long, difficult to guess and takes john hours to crack when these passwords can be sniffed by ettercap? Might as well use "password" as my password. Save me the time typing at awkward angles ;-)

  • #2
    There is this cool new protocol called Transport Layer Security. You might have heard about it; it has been kicking around in some form or another for over a decade. HTTP even offers a mostly-secure method for authenticating (although it doesn't secure the channel) should the administrator care to take advantage of it.

    If you choose to use unsecured systems, that is your fault. If you use the same password for secure and unsecure systems, that is your fault.

    • #3
      ssh

      Yep, I have been using ssh for over a decade or so, so when a POP3 password which can be sniffed is the same as your ISP login password that's my fault?

      • #4
        Originally posted by Swazi
        Hope this has not been killed before, so what's the story with passwords? I see passwords on port 110 and 80 for starters are easily picked up on the LAN by ettercap, am sure there is a Microsoft equivalent.
        Not all Port 80 (http's standard port) passing of passwords is "plain-text" or equiv.
        With apache, there are two common authentication systems available for stock distribution:
        Basic and Digest. See the caveats for Basic and Digest.
        If your server and client support Digest, then try sniffing that authentication over port 80 with ettercap and see how well it yields a password. (Of course, MD5 is crumbling, etc.)

        As for port 110 (pop3's standard port)
        Many pop3 clients now support "secure authentication" (name they give for something that is really "encrypted authentication") and "authentication over ssl." You could try to test these authentication systems running on client and servers.

        Just because a more secure method is available for users does not mean they will use it. Just because a more secure method is available, does not mean the POP3/HTTP admins will use it.

        My question is, what the fuck am I bothering with long, difficult to guess and takes john hours to crack when these passwords can be sniffed by ettercap? Might as well use "password" as my password. Save me the time typing at awkward angles ;-)
        I don't know why you are bothering with long passwords. You are the one who has performed that action. You cannot expect us to know why you do the things you do.

        There are really 3 groups of people concerned about passwords:
        1) The User/owner of the password
        2) The Company/owner of the resources that password helps unlock
        3) [Potential] Identity thieves

        If you are 1), then you must do your part after selecting a long password and make your authentication as secure as possible.

        If you are 2), then WTF is your company doing allowing people to use plain-text authentication with their username? Move pop3 to imaps, and move http where username auth is required to https.

        If you are 3), you probably don't want to admit it in a public forum.

        Lastly a point:
        If you decide to move to the "password as your password" could you please list the ssh servers you use by IP address? :-P

        Point:
        Longer passwords > shorter passwords
        Encrypted channel > plain-text channel
        good crypto > bad crypto
        Server passwords stored as strong hash > Server passwords plain-text
        Each item from the left column increases security while each item from the right decreases it, and a chain is only as strong as its weakest link.
        Last edited by TheCotMan; March 1, 2005, 22:46. Reason: fix quoting code
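
Added example, not part of any post in this thread: a Python sketch of what each of the two Apache schemes named in post #4 puts on the wire, and of the nonce check that stops a captured Digest response from being accepted under a new challenge. The function names are illustrative assumptions; the credentials and nonce are the sample values from RFC 2617's worked examples.

```python
import base64
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def basic_header(user, password):
    """Basic: base64 is an encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def exposed_by_basic(header):
    """What any reader of the header learns: the credentials themselves."""
    token = header.split(" ", 1)[1]
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def digest_response(ha1, method, uri, nonce, nc, cnonce):
    """RFC 2617 response value for algorithm=MD5, qop=auth."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def server_accepts(stored_ha1, issued_nonce, method, uri, fields):
    """Server keeps only HA1 and honours only the nonce it issued."""
    if fields["nonce"] != issued_nonce:
        return False  # response was computed for an older challenge
    expected = digest_response(stored_ha1, method, uri,
                               fields["nonce"], fields["nc"], fields["cnonce"])
    return hmac.compare_digest(expected, fields["response"])

# Sample values from the worked examples in RFC 2617 (not real accounts).
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
HA1 = md5_hex(f"{USER}:{REALM}:{PASSWORD}")
FIELDS = {"nonce": NONCE, "nc": "00000001", "cnonce": "0a4f113b"}
FIELDS["response"] = digest_response(HA1, "GET", "/dir/index.html", NONCE,
                                     FIELDS["nc"], FIELDS["cnonce"])

if __name__ == "__main__":
    print(exposed_by_basic(basic_header("Aladdin", "open sesame")))
    print(FIELDS["response"])
    print(server_accepts(HA1, NONCE, "GET", "/dir/index.html", FIELDS))
    print(server_accepts(HA1, "a-fresh-nonce", "GET", "/dir/index.html", FIELDS))
```

Digest keeps the password itself off the wire, but the rest of the request and response stays readable, which is why the thread keeps coming back to TLS for the channel.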

        • #5
          Plain text sucks. It's that simple. POP3 is NOT secure and your login (and email) is plaintext (just like r*, telnet, ftp, others...). When you're on an untrusted (or even "trusted") network, use another method to read your mail (SSH, HTTPS). It might not be as easy as pop3, but it's much much better. Not only for your password, but your emails as well.

          Also use SSL with web browsing... or any transport layer security/crypto when possible on an untrusted network.
          Be sure to look at your SSL certs closely, as ettercap can produce fake ones. Also be sure to force SSHv2 when paranoid. Man-in-the-middle is scary in any situation.
          Your best bet is to use good strong passwords, avoid plaintext whenever possible or on any network other than your home LAN, and use an OS that can have a static gateway, forced arp. Windows will just accept a new gateway no matter what (to my knowledge). (static gateway == no arp poisoning aka no ettercap)
          Good luck.
          -dyn

          Sadly many ISPs force you to have the same password for your email as you do your 'login' (for member tools), and in my case it's the same as their shell server, and sadly they force sshv1 on it :(
          Sadly as well, many ISPs don't offer secure pop3 login or pop3 over SSL... it's all about the crypto baby. Look into ssh tunneling or ssl wrapping for plaintext protocol fixes, scp as a replacement for ftp, and of course ssh as a replacement for telnet, r*...
          The only constant in the universe is change itself

          • #6
            You know, seeing ******** does make a newbie think their password is secure on the network. It is a false assumption of course, it only keeps folks from looking at the screen. They can still watch your fingers though.

            I love the wall of sheep at defcon, for those who check their mail (or upload their taxes) while at the con. It sure is educational.

            • #7
              Originally posted by Swazi
              Yep, I have been using ssh for over a decade or so, so when a POP3 password which can be sniffed is the same as your ISP login password that's my fault?
              If you want more security, tunnel your pop3 auth through an ssh connection to the ISP's shell server, or look to enable encryption options for your mail client, or migrate to imaps.

              Also, consider risk. Who will be sniffing your password from your computer to your ISP?
              1) Phone Company People
              2) Employees at your ISP
              3) People part of your home network
              4) People tapping your line

              If phone company people are out to get you, you should be worried about more than password theft.
              If the ISP employees are out to get you, why are you paying them money?
              If 3), then why do you let them be a part of your network?
              If 4), are they feds? Did they hear about you gathering passwords?
              Last edited by TheCotMan; March 1, 2005, 22:49.

              • #8
                The world is a bad bad bad place. We're all out to get you. The best thing you can do is use cryptography whenever possible. Don't forget your swap :P



                Anytime I need a good laugh.. I read this:
                "I have OpenBSD on my firewall and main work machine. Encrypted partitions too. GPG everything. My Windows 2000 game machine is locked tight and on a DMZ without IE being used. My monitor is wrapped in tinfoil, naturally, with a small cutout just large enough to have a 640x480 window viewable. I wrapped my mouse in tinfoil but that made it hard to use so I cut a hole in the bottom which allowed the light to hit the desk surface. Problem there was the desk was wrapped in tinfoil, too. So I made my own mousepad because I don't trust the ones made by The Man. It's made from a dead rabbit I found on the street. I flattened it out and dehydrated it. When I need a random number I pinch some fur and pull. However many strands of fur I get in that pull is the random number I use. Of course I need a new mousepad every few weeks as I never reuse the same tuft of fur twice. Never trust the PRNG in any OS, even OpenBSD. Theo is watching. Speaking of that, the other day I was installing OpenBSD 3.6 on a new machine and then I realized... CDs are a form of RFID tag. The unique bit patterns on them can be detected from space. So I wrap my CDs in tinfoil when not in use. Speaking of tinfoil, I find it best to buy the cheapest stuff from dollar stores. They don't usually use the UPC barcoding at those places. Just "$1.. $1.. $1..". Barcode readers don't use OpenBSD but I think Theo is trying to get in there. Speaking of barcodes, the other day I pulled a package of gum from my pocket and the person I was with said "Ohh... Spearmint!" I ran away. He obviously has a remote UPC scanner and knew that I had spearmint gum. He says the wrapper was in plain sight but I think that's just an excuse." -slashdot post on "how paranoid are you"
                The only constant in the universe is change itself

                • #9
                  If you are wireless, add that layer of vulnerability too. Of course you can use an RSA server which changes your password every 30-60 seconds....

                  • #10
                    Originally posted by dYn4mic
                    We're all out to get you.
                    Not me! I overslept.

                    Anytime I need a good laugh.. I read this:
                    [chop]
                    :-) Very nice

                    • #11
                      Originally posted by Swazi
                      Yep, I have been using ssh for over a decade or so, so when a POP3 password which can be sniffed is the same as your ISP login password that's my fault?
                      I'll bite.

                      Yes! I have a crummy ISP which, besides going down frequently, refuses to implement even the most rudimentary of security services. I'm not sure if this is still the case, but I used to be able to sniff the traffic of all my neighbors on the same segment. I don't trust a company like that, and neither should you. I use my ISP only for the pipe, and I let professionals take care of the rest.

                      Of course, I should note that you need to write your ISP and express your concerns. I was told six years ago that they were "currently implementing more secure solutions", but you may have better luck than myself.

                      • #12
                        Originally posted by Voltage Spike
                        Yes! I have a crummy ISP which, besides going down frequently, refuses to implement even the most rudimentary of security services.
                        What do you do for your mail (other than pgp/gpg)? Forwarding? Different domain?

                        • #13
                          Originally posted by TheCotMan
                          What do you do for your mail (other than pgp/gpg)? Forwarding? Different domain?
                          I avoid my ISP-provided mail like the plague (I found out you can actually disable password access to your account) and use a real service. Better reliability, better service, better functionality, and better security. I admit that I do pay for my service, but I would be just as happy with their free service.

                          You could just use GMail, now that I think about it, since at least the connection is secure. (I'm sure the rest is also secure, but I've never looked into it.)

                          • #14
                            Originally posted by Voltage Spike
                            I avoid my ISP-provided mail like the plague (I found out you can actually disable password access to your account) and use a real service.
                            Sounds like a good idea-- Your ISP sounds like they suck.

                            You could just use GMail
                            Though I don't use them, http://www.hushmail.com/ has been mentioned on the forums before too. [1-"hushmail..."], [2-"pop3 over ssl"], [3-"email security"]

                            Another alternative is for this user to colocate their own server elsewhere and set up mail on that box-- can be expensive, but you aren't limited to the ISP "in town."
                            Last edited by TheCotMan; March 2, 2005, 02:54. Reason: added links
