Password Security

[Arunsak]

Hi,

I made it to Muang Thai recently for another short trip, this being my first trip with a laptop, Apple MacBook. I have been frustrated a little bit with wireless internet availability but that was to be expected I guess. I went to Old Siam and no available wireless. I went to visit an associate way out in Samutsakorn and my Airport picked up a lot of signals on the way, once I stopped the car and checked email using an open wireless point that came from somebody's house. No password authentication required

Now I am at a hotel and they said wireless internet available but for some reason my Mac would not get connected to them. I get full signal strength but it would not synch up, I have no idea why. Usually when I get a full signal, I am either prompted for a password or just gain access straight away.

So the hotel said no problem after I asked them if I can plug ethernet cable into my Mac, I just removed that cable from the PC they use in their little business center. Everything is fine now. But I wonder something. If I connect to my server using FTP to transfer some files, what is the likelihood that they will get the password? Is it simple for them to fetch all password data from anyone using ethernet cable that runs through their router? Or is that only recorded on the computer using the ethernet cable? I wanted to get some work done here and upload some pages to my site but I don't know if that's safe... Any feedback welcome. Thanks!

[astral]

Hotels often offer an unencrypted signal, but as soon as you go to your browser

you are directed to the hotel page and have to enter a userid and password.

These you get by paying money.........

[Arunsak]

Hi,

I know what you mean, when I am in USA there are a few coffee shops that offer free wireless but when you open a browser you get their homepage and a message "Drink our coffee etc etc". Starbucks charge for the service, you go to their homepage when opening a browser and you have to enter a username/pwd. I noticed at the airports they have the same thing, example in Japan I was allowed to pay for wireless internet on the spot when I opened a browser.

But this hotel is different. I opened a browser and just got a spinning circle that never ended. The guy came and tried to help me by giving me some IP numbers, and router number, but that did not help. He said "Mac mai khao jai"

Anyway, now that I am using their ethernet for free I wonder if they can get my password.

[astral]

Anyway, now that I am using their ethernet for free I wonder if they can get my password.

In a word YES.

Anyone using a packet sniffer can see what you are sending by wireless.

[Crossy]

Anyway, now that I am using their ethernet for free I wonder if they can get my password.

The answer is 'probably' but only if they're actually sniffing for it and know you're using FTP (which has un-encrypted passwords). They'll need a computer set up as a network sniffer and the knowledge on how to interpret the logged data. Personally I really wouldn't worry.

Web access to https sites will be fine

[Arunsak]

Hi Thanks Crossy. Interesting to know that the hotel would need a special machine to log network data, AND they would need to know in advance that I am going to use FTP. I use a separate FTP client by the way, not the browser for FTP.

Regarding the other post, Astral, I am now not using wireless connection. It is ethernet which I assume is running straight into a hub which has ethernet port. But I have heard about packet sniffers which deliver text file of traffic, sounds interesting actually. My son is a computer enthusiast and only 9 years old. Might be kind of fun to set him loose back home with a sniffer and see what kind of things he can find the neighbors emailing about

[autonomous_unit]

The worry in many cases isn't the owner of the network but the knowledgeable and nasty guy who "owns" the malware that is likely running on many hosts in your typical commercial network. Unless the real admins have a lot of security-conscious monitoring going on, the establishment will not realize how infected their LAN has become.

It used to be typical in US academic spaces that the first thing that got installed by an attacker was a LAN sniffer to automatically capture telnet, ftp, and rlogin passwords (the prevalent traffic among the Unix machines). The attacker wasn't necessarily all that skilled but just knew the recipe to install these tools. This is where "rootkits" had their genesis...

Personally, I wouldn't trust anything outside my laptop as a general rule. Run a local firewall in software, and use secure protocols. I'll make an exception when I've personally configured a LAN or cross-over cable, but even then I feel dirty. It's the only way to stay secure, sort of like habitually using seat-belts helps make sure you're wearing it that one time you really need it. I wouldn't use ftp with passwords over the internet anywhere, unless I'd set it up with secure one-time passwords. But for all that trouble, it would be easier to set up SSH/SCP/SFTP and be done with it.

[nikster]

use SFTP instead of FTP, that has encrypted passwords. Most ftp clients and servers can do it...

on the other hand, it's unlikely anyone is sniffing your ftp pass, even if its transferred unencrypted.

[think_too_mut]

Anyway, now that I am using their ethernet for free I wonder if they can get my password.

In a word YES.

Anyone using a packet sniffer can see what you are sending by wireless.

Not true. If you are using RSA encryption, nobody on the planet can get you. Quite commonly used among corporate people.