Comment by butvacuum
1 month ago
Basically everything Microsoft makes that touches HTTP will send your username and your password to any server that asks for Basic Authentication.
It looks like Microsoft Edge had the _ability to disable_ this added in 2020 or 2021, but it isn't currently the default, and the Group Policy unintuitively only applies to unencrypted HTTP connections.
>Basically everything Microsoft makes that touches HTTP will send your username and your password to any server that asks for Basic Authentication.
Are you talking about NTLM hashes? It's a weak hash, but not the same as "sending your password". The biggest difference is that even a weak hash can't be reversed if the password has high enough entropy.
Yes, I meant to type hash. Not that it matters, as even 10-year-old integrated GPUs are enough to brute-force 8- or 9-character NTLM (or any variant) passwords in a few hours. Not that you need to with pass-the-hash.
Not necessarily, the server can say it only supports Basic auth and…
I don't think there's any evidence that windows sends cleartext passwords. The whole reason why NTLM is a thing is to avoid sending cleartext passwords.
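The thread above argues about three things: whether NTLM "sends the password", how cheap it is to guess an NT hash offline, and why pass-the-hash makes guessing unnecessary. The following is an added example (not code from any commenter or from Microsoft) that makes each point concrete. It implements the NT hash (unsalted MD4 over the UTF-16LE password, per RFC 1320 and MS-NLMP), the NTLMv2 challenge response (MS-NLMP 3.3.2, which is keyed from the NT hash rather than the password), and a small dictionary attack against a captured hash. The user name, domain, wordlist, server challenge and client blob are constructed placeholders; a real client blob also carries a timestamp and target information, which the stand-in omits.

```python
"""Added example: NT hash, NTLMv2 response and offline guessing.

Facts used: NT hash = MD4(UTF-16LE(password)); NTLMv2 response per MS-NLMP 3.3.2.
MD4 is implemented from RFC 1320 because many OpenSSL 3 builds of hashlib
no longer expose 'md4' without the legacy provider.
"""
import hashlib
import hmac
import struct

_MASK = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: pure Python, slow, but dependency-free."""
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)      # pad to 56 mod 64
    msg += struct.pack("<Q", len(data) * 8)           # bit length, little-endian
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for k, s in zip(range(16), (3, 7, 11, 19) * 4):
            a, b, c, d = d, _lrot((a + F(b, c, d) + X[k]) & _MASK, s), b, c
        for k, s in zip((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15),
                        (3, 5, 9, 13) * 4):
            a, b, c, d = d, _lrot((a + G(b, c, d) + X[k] + 0x5A827999) & _MASK, s), b, c
        for k, s in zip((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15),
                        (3, 9, 11, 15) * 4):
            a, b, c, d = d, _lrot((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & _MASK, s), b, c
        A, B, C, D = (A + a) & _MASK, (B + b) & _MASK, (C + c) & _MASK, (D + d) & _MASK
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> bytes:
    """NT hash: unsalted MD4 of the UTF-16LE password. No salt, no iteration,
    so one guess costs one MD4 and identical passwords share a hash."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_response(nt_hash_bytes: bytes, user: str, domain: str,
                    server_challenge: bytes, client_blob: bytes) -> bytes:
    """NtChallengeResponse per MS-NLMP 3.3.2: NTProofStr || client_blob.

    The password itself never appears on the wire; only this HMAC-MD5 output
    does. But the key is the NT hash, so anyone holding the hash can answer
    the challenge without knowing the password (pass-the-hash).
    """
    ntowf_v2 = hmac.new(nt_hash_bytes, (user.upper() + domain).encode("utf-16-le"),
                        hashlib.md5).digest()
    nt_proof = hmac.new(ntowf_v2, server_challenge + client_blob, hashlib.md5).digest()
    return nt_proof + client_blob


def crack_nt_hash(target: bytes, wordlist):
    """Offline guessing against a captured NT hash. Returns the password or None."""
    for candidate in wordlist:
        if nt_hash(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed demo data: a captured hash for the account 'alice' in 'CORP'.
    captured = nt_hash("password")
    print("NT hash of 'password':", captured.hex())
    wordlist = ["letmein", "Summer2024", "password", "P@ssw0rd"]  # constructed
    print("dictionary attack:", crack_nt_hash(captured, wordlist))
    print("high-entropy password:", crack_nt_hash(nt_hash("xq9#Lm2!vT7rZ"), wordlist))
    challenge = b"\x11" * 8      # constructed server challenge
    blob = b"\x22" * 32          # constructed stand-in for the NTLMv2 client blob
    from_password = ntlmv2_response(nt_hash("password"), "alice", "CORP", challenge, blob)
    from_hash_only = ntlmv2_response(captured, "alice", "CORP", challenge, blob)
    print("hash alone answers the challenge:", from_password == from_hash_only)
```

The dictionary attack here is deliberately tiny; the point is that each guess is a single unsalted MD4, which is why GPU crackers reach billions of guesses per second and why the entropy of the password, not the secrecy of the hash format, is what protects an account. The last two lines show the other half of the argument: the response function takes the hash as input, so capturing or dumping the hash is as good as knowing the password for authentication purposes.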