Security Basics mailing list archives
Re: SMTP AUTH LOGIN question
From: David Varieur <davar () mwvcaa org>
Date: Wed, 29 Jan 2003 09:56:43 -0800
On Tue, 28 Jan 2003 15:56:55 -0500 Frank Barton <pauling () starwolf biz> wrote:
I have seen many places saying "Don't use PLAIN or LOGIN methods for SMTP AUTH, unless they are encrypted." Now my question is this: I've looked at the actual transfer of an SMTP session where the AUTH LOGIN was used, and the password wasn't sent in plain-text. Is it trivial to decrypt the username and password that is sent across the wire, or is there some other vulnerability?

--
Frank Barton
Starwolf.biz Systems Administrator
Hi Frank,

The authentication data is Base64 encoded text. Yes, it is trivial to decode (man mmencode).
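The point made in the reply above, as an added example that is not part of the original messages: a short audit routine that reads an SMTP session transcript, decodes the Base64 prompts and answers of each AUTH LOGIN exchange, and records whether STARTTLS had been accepted first. The `S:`/`C:` transcript format, the sample session, the credentials in it, and the function names are all assumptions made for illustration.

```python
import base64

# Constructed sample session (not captured traffic); the credentials are made up.
SESSION = """\
S: 220 mail.example.test ESMTP
C: EHLO client.example.test
S: 250-mail.example.test
S: 250 AUTH LOGIN PLAIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: YWxpY2U=
S: 334 UGFzc3dvcmQ6
C: aHVudGVyMg==
S: 235 Authentication successful
"""

def b64(token):
    """Decode one Base64 token to text; no key or secret is involved."""
    return base64.b64decode(token, validate=True).decode("utf-8", "replace")

def audit_auth_login(transcript):
    """Return one finding per AUTH LOGIN exchange found in the transcript."""
    findings, tls, tls_pending, current = [], False, False, None
    for line in transcript.splitlines():
        side, _, data = line.partition(": ")
        data = data.strip()
        if side == "C" and data.upper() == "STARTTLS":
            tls_pending = True
        elif side == "S" and tls_pending:
            # Only a 220 reply means the server accepted the TLS upgrade.
            tls, tls_pending = data.startswith("220"), False
        elif side == "C" and data.upper().startswith("AUTH LOGIN"):
            current = {"encrypted": tls, "prompts": [], "answers": []}
            findings.append(current)
            if data[10:].strip():  # optional initial response on the AUTH line
                current["answers"].append(b64(data[10:].strip()))
        elif current is None:
            continue
        elif side == "S" and data.startswith("334 "):
            current["prompts"].append(b64(data[4:]))
        elif side == "S":
            current = None  # 235, 535 or any other reply ends the exchange
        else:
            current["answers"].append(b64(data))
    return findings
```

A finding with `encrypted` set to `False` means the decoded username and password were readable by anyone who could see the session, which is the case the "unless they are encrypted" advice is about.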