[vox-tech] Email Password Security

Jeff Newmiller vox-tech@lists.lugod.org
Tue, 25 Nov 2003 07:40:20 -0800 (PST) 

On Tue, 25 Nov 2003, Robert G. Scofield wrote:

> I've been having unbelievably horrible security problems on both my family's 
> computer (Win98SE) and the Windows partition of this dual boot system.  Two 
> weeks ago someone was stealing my email from my ISP's server.

Then they know your email password... which may be the same as your dialin
password.

>  I then got 
> Norton Personal Firewall for both computers, and for the last three days the 
> dial up connection kept repeatedly starting on my computer  both when the 
> computer booted up and when it shutdown.  In fact I couldn't even shut it 
> down, all I could do is reboot into Linux and then shutdown.  Also 
> interesting is that Norton Firewall was knocked out.

Norton can be aggressive about staying in contact with its update
site(s)... that could be the connection thing.

>  (And I wonder if the 
> hacker or worm got in through Linux because I wasn't online in Windows very 
> much.  The Windows partition automatically mounts when Linux boots.)

Possible.  Depends what services you were running, and how often you
update them to maintain security.

> I've reformatted both computers in the last week.   On both computers I have 
> disabled the automatic use of passwords to both log onto the ISP, and then to 
> get email.  So now you have to type the password in at least twice to get 
> email.  This is inconvenient, and so my question is, am I being too paranoid?  
> Is it really necessary to disable the feature that retains the password?

If you haven't changed the password at the ISP end, you haven't
accomplished anything.  If you have, make sure you don't use that password
for anything else. In particular, use a different password to log into
Linux or Windows.

Investigate secure email download options with your ISP... POP3 sends the
password in the clear, so if they have compromised a machine between you
and your mail server they can sniff it off the network.  Most people don't
have these problems... so the POP password is not usually a critical one.

As to whether it is a good idea to disable the feature that retains the
password... I use different passwords for different things.  This prevents
discovery of one password (such as the POP password) from affecting any
other security.  Thus, I don't feel too bad about having my email passowrd
stored under the security of another password (say, my Linux login
password) in order to automate my email downloads.

---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<jdnewmil@dcn.davis.ca.us>        Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---------------------------------------------------------------------------