| ▲ | butvacuum 7 hours ago |
| Basically everything Microsoft makes that touches HTTP will send your username and your password to any server that asks for Basic Authentication. It looks like Microsoft Edge had the _ability to disable_ this added in 2020 or 2021, but it isn't currently the default and the Group Policy unintuitively only applies to unencrypted HTTP connections. |
|
| ▲ | gruez 6 hours ago |
| > Basically everything microsoft makes that touches http will send your username and your password to any server that asks for Basic Authentication. |
| Are you talking about NTLM hashes? It's a weak hash, but not the same as "sending your password". The biggest difference is that even a weak hash can't be reversed if the password has high enough entropy. |
| |
| ▲ | butvacuum 4 hours ago |
| Yes, I meant to type hash. Not that it matters, as even 10-year-old integrated GPUs are enough to brute force 8 or 9 character NTLM (or any variant) passwords in a few hours. Not that you need to with Pass The Hash. |
|
| ▲ | lazide 6 hours ago |
| Not necessarily, the server can say it only supports basic auth and…. |
|
| ▲ | gruez 4 hours ago |
| I don't think there's any evidence that Windows sends cleartext passwords. The whole reason why NTLM is a thing is to avoid sending cleartext passwords. |
|
| ▲ | lazide 4 hours ago |
| Outlook appears to be |
|
| ▲ | p_ing 4 hours ago |
| The 'https://' disagrees with your 'sending clear text passwords' statement. |
|
| ▲ | lazide 15 minutes ago |
| It's clear text to the receiving server, which is what we're talking about, not one-way hashed. |
|
|
|
|
|