Are you publishing your email password without knowing!

Depending on the settings of your email program you could be telling the world your email password every time you check your email!

Sadly the default setting of many email clients is not to use a secure connection. This means that when your computer checks with your email server to see if you have any mail, it will send your user name and your password to the server in what is known as ‘clear text’. This means that it is not hidden at all and that anyone with a computer between yours and your email provider could see both of these go past. How many people use the same password for their email as other accounts??? (surely you read my earlier post ‘Manage your passwords and keep them different‘ and you no longer do this!)

POP without SSL sends your password in the clear

Post Office Protocol (POP) is a common format for accessing your email from your computer with many common email clients and is offered by most ISPs. Unfortunately the default for many email settings is not to use Secure Sockets Layer (SSL) to encrypt the connection and so all the information is sent in the clear – which means it is not encrypted or hidden at all.

It is easy to download software that will capture the messages from your computer to your email server (a common one is called Wireshark and I have used it for my example below). Here is what it captured when I checked my email account without using encryption.

Without security enabled it is easy to see my password!

Password and userid in the clear

Above you can see all the information my computer sent to my email supplier – my real password and userid was in the circle (I blurred them – obviously). I could use this software to spy on anyone around me on the same network as I am, at home, in a cafe by wireless, in my office, at a hotel, etc. You get the idea – you never really know who is between you and the ISP who hosts your email (possibly on the other side of the world if you are away from home!)

Use SSL to protect your email password and user name

The example I will give is for Microsoft Windows Live 2011 but you will find the settings look very similar in many programs.

Using SSL to protect your POP email accountChoose your email account details, under advanced you will find settings for your account that control whether you use SSL to protect your details or not. In the example here you can see I have ticked ‘This server requires a secure connection (SSL)’ for both Outgoing and Incoming Mail – make sure you use both.

NOTE: The settings shown here are for my ISP and yours may provide different port numbers to use from the standard.

Server details for a POP3 email accountYour ISP may also give you a different server name for the ‘Servers’ tab. If this is the case simply replace the details that were provided for non SSL on the tab shown here (actual details for my ISP are obscured).

NOTE: These settings are for my ISP, contact your ISP or look at their on line help for email settings in order to get the correct details for your account.

Now if you look at the captured information from WireShark below you can not see my account details. All of the magic happens through the Secure Sockets Layer (SSL) program inside my email program and there is nothing available for someone to snoop on. My details are protected somewhere inside where it says TLSv1 belowMy account details are now protected by SSL

Password and user name are no longer visible

If your ISP does not support a secure way of getting your email then you should seriously consider whether you choose another supplier. Think about all of the times and places you check your email and ask how safe is safe enough. Remember most email programs check regularly and automatically for you whenever you are on line!

Make sure you don’t use your email password for any other accounts!

If you need help with common settings then let me know. Here’s to keeping your email account private and secure.

Brian
your ‘peoples geek’

This entry was posted in IT Admin and tagged , , . Bookmark the permalink.