On (27/08/02 22:10), Jeremy didst pronounce: > Well, to do a test I fired up ethereal and captured a session of me logging into a new yahoo account. What kind of suprised me is the password looks encrypted. My first guess was it was just base 64 mime encoded but that turned out to be wrong. Does anyone have any idea on how they encrypt their passwords or have any tools that will try and crack the passwords. I remember trying that here using arpspoof and dsniff. It captured the URL that was being used. From what I remember, the password was MD5 encrypted, and it said so in the URL. But, that said, there's no need to decrypt the password. Just paste that URL into your browser and it'll bring you directly into the persons yahoo email account. > My other question is if the passwords are encrypted why do they offer a secure login option? How does that increase security, other than adding a brief ssl session. > I think I already covered this above -- because you don't need to know the password to log into their email account, you only need the URL that was sent. -- Chat ya later, John. -- BOFH excuse #157: Incorrect time syncronization
This archive was generated by hypermail 2b30 : Tue Aug 27 2002 - 20:51:21 PDT