>Basically everything microsoft makes that touches http will send your username and your password to any server that asks for Basic Authentication.

Are you talking about NTLM hashes? It's a weak hash, but not the same as "sending your password". The biggest difference is that even a weak hash can't be reversed if the password has high enough entropy.

▲

butvacuum 4 hours ago | parent | next [-]

yes, I meant to type hash. Not that it matters as even 10yr old integrated GPUs are enough to brute force 8 or 9 character NTLM(or any variant) passwords in a few hours. Not that you need to with Pass The Hash.

▲

lazide 6 hours ago | parent | prev [-]

Not necessarily, the server can say it only supports basic auth and….

▲

gruez 4 hours ago | parent [-]

I don't think there's any evidence that windows sends cleartext passwords. The whole reason why NTLM is a thing is to avoid sending cleartext passwords.

▲

lazide 4 hours ago | parent [-]

Outlook appears to be

▲

p_ing 4 hours ago | parent [-]

The 'https://' disagrees with your 'sending clear text passwords' statement.

	▲	lazide 15 minutes ago \| parent [-]
		It’s clear text to the receiving server, which is what we’re talking about, not one way hashed.