What is clear text? Basically it is sending information between machines (many times over the internet) with out using encryption. Why is this still a bad idea?
Here is a sample packet capture from a test site I used that does not require encryption for a login for demonstration purposes. Here is the URL as shown in Chrome. It does not have the padlock and is running unsecured over port 80.
Here is the actual test login form. This form alone does not mean the login is unsecured, however in this case it is.
I did attempt to login with a bogus username and password. I recorded a packet capture when I did. As you can see below unencrypted logins are not secure. Pay special attention to:
As you can see my username and password is viewable by a simple packet capture. The one thing to note is that NotMyPassWord%3F is actually NotMyPassWord?
You might wonder why ‘%3F’ is translated to ‘?’. This is because characters like ‘?’ need to be translated to HEX before transmitting to the server.
To see a full ASCII to HEX table; http://www.asciitable.com/
Great! So now you can see how easy it is to capture a packet and see usernames and passwords sent in clear text. So now you might wonder, how hard is this to do? I’ll tell you, it is very simple. While the chances of someone intercepting might be low because someone actually has to be looking, if they are looking they have captured your password easily. The most common way to do this is through a man in the middle attack where a ‘hacker’ tricks you into sending the data to them, then they route it to the intended machine, capture your password and never know the difference. The less common way but still highly effective is to just be in the path of the communication. Given you don’t know who owns the routers and communication channels between yourself and the server you are trying to login to the communication cannot be considered safe.
If that seems to far fetched to you consider this, your ISP can see the contents of ALL Clear Text transmissions if they wanted to.