Password Secure?

Are my passwords secure if I connect using my laptop over wi-fi in a hotel?

--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/

On Thu, 29 Jun 2006 18:48:50 -0400, RZ <(E-Mail Removed)> wrote in
<op.tbxizo0rg50g74@blue>:

>Are my passwords secure if I connect using my laptop over wi-fi in a hotel?

In a word, no. Most hotel Wi-Fi is wide open. WEP is easily cracked.
For any real security, you need a secure connection over the Internet to
the remote site; e.g., https connection. Or use a VPN service.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_How_To>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

RZ wrote:
> Are my passwords secure if I connect using my laptop over wi-fi in a
> hotel?

Depends. If you use HTTPS sites for email and banking you are pretty safe.
Email programs like Outlook Express or Outlook are not safe as they transmit
your password in the clear. Web based email app Yahoo Mail claims to be
secure but the site itself is not https. Makes me suspicious.

> Email programs like Outlook Express or Outlook are not safe as they
transmit
> your password in the clear.

It's possible to use secure POP and IMAP. Not all services support this.

If you're connecting to POP and IMAP on ports 110 or 143 then it's not
secure.

So no, it's not safe to use services with passwords unless you're SURE the
connection is using some form of encryption. Otherwise anyone else on link
can sniff your username and password out VERY, VERY easily.

I use a VPN back to the office. That way all my traffic is tunneled through
it and is encrypted. I still use secured services but using a VPN makes it
doubly secure.

-Bill Kearney

Bill Kearney wrote:

> It's possible to use secure POP and IMAP. Not all services support this.
>
> If you're connecting to POP and IMAP on ports 110 or 143 then it's not
> secure.

Not true. Most servers these days do TLS over the standard ports. My
mail/news program correctly negotiates TLS with any server that advertises
it. I don't know if OE would, these days.
>
> So no, it's not safe to use services with passwords unless you're SURE the
> connection is using some form of encryption. Otherwise anyone else on
> link can sniff your username and password out VERY, VERY easily.

That I'll agree with - it isn't a simple matter to verify that traffic on
the standard ports is using TLS.
--
derek

> > If you're connecting to POP and IMAP on ports 110 or 143 then it's not
> > secure.
>
> Not true. Most servers these days do TLS over the standard ports. My
> mail/news program correctly negotiates TLS with any server that advertises
> it. I don't know if OE would, these days.

Interesting to know, I didn't really give TLS over standard ports
consideration. This, however, assumes they'll be using a recent vintage of
mail server. I've no idea how many servers out there aren't recent enough,
or configured properly, to do TLS in this manner. So while it may well be
incorrect to assume use of plain ports as insecure, it's at least a rule of
thumb worth considering.

> > So no, it's not safe to use services with passwords unless you're SURE
the
> > connection is using some form of encryption. Otherwise anyone else on
> > link can sniff your username and password out VERY, VERY easily.
>
> That I'll agree with - it isn't a simple matter to verify that traffic on
> the standard ports is using TLS.

Indeed, it would be handy to have a way to easily verify the availability of
TLS on the server and actual USE by the client. Meanwhile I'll stick with
using secure port numbers as my primary guide.

-Bill Kearney

On Fri, 30 Jun 2006 08:25:17 -0300, Derek Broughton
<(E-Mail Removed)> wrote in <t9efn3-(E-Mail Removed)>:

>Bill Kearney wrote:
>
>> It's possible to use secure POP and IMAP. Not all services support this.
>>
>> If you're connecting to POP and IMAP on ports 110 or 143 then it's not
>> secure.
>
>Not true. Most servers these days do TLS over the standard ports. My
>mail/news program correctly negotiates TLS with any server that advertises
>it. I don't know if OE would, these days.
>>
>> So no, it's not safe to use services with passwords unless you're SURE the
>> connection is using some form of encryption. Otherwise anyone else on
>> link can sniff your username and password out VERY, VERY easily.
>
>That I'll agree with - it isn't a simple matter to verify that traffic on
>the standard ports is using TLS.

Depending on the email client, it may be possible to ensure that only
TLS connections will be made. Mozilla Thunderbird is one such client.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_How_To>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

On Fri, 30 Jun 2006 07:55:35 -0400, "Bill Kearney"
<(E-Mail Removed)> wrote in
<(E-Mail Removed)> :

>> > If you're connecting to POP and IMAP on ports 110 or 143 then it's not
>> > secure.
>>
>> Not true. Most servers these days do TLS over the standard ports. My
>> mail/news program correctly negotiates TLS with any server that advertises
>> it. I don't know if OE would, these days.
>
>Interesting to know, I didn't really give TLS over standard ports
>consideration. This, however, assumes they'll be using a recent vintage of
>mail server. I've no idea how many servers out there aren't recent enough,
>or configured properly, to do TLS in this manner. So while it may well be
>incorrect to assume use of plain ports as insecure, it's at least a rule of
>thumb worth considering.
>
>> > So no, it's not safe to use services with passwords unless you're SURE
>the
>> > connection is using some form of encryption. Otherwise anyone else on
>> > link can sniff your username and password out VERY, VERY easily.
>>
>> That I'll agree with - it isn't a simple matter to verify that traffic on
>> the standard ports is using TLS.
>
>Indeed, it would be handy to have a way to easily verify the availability of
>TLS on the server and actual USE by the client. Meanwhile I'll stick with
>using secure port numbers as my primary guide.

Mozilla Thunderbird provides the following secure connection options:
* Never
* TLS, if available
* TLS
* SSL

By selecting TLS or SSL, you can ensure that all connections are secure.

Otherwise, I always configure it for TLS if available rather than Never.

Given that free Gmail (Google Mail) supports TLS, I strongly advise
people to never use any service that lacks support for TLS.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_How_To>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>