Make sure your company is not a victim. Most e-mail clients and servers let you turn off plain text password authentication. For instance, with an Exchange/Outlook combination, enabling "Encrypt data between Microsoft Outlook client and Microsoft Exchange Server" in Outlook 2003, or "Secure Password Authentication (SPA)" in earlier Outlook versions, keeps the password from crossing the wire in the clear. Whatever option you pick, confirm it with a sniffer afterward rather than trusting the check box.
Another interesting issue my friend noticed was how many HTTPS-enabled Web sites did not implement SSL correctly -- users' log-in names and passwords were being sent in clear text. This included communications to remotely accessed security devices, portals, and firewalls.
The lesson here is never to trust the browser’s padlock icon when connecting to a new Web site or protected device. Sniff yourself and confirm. I did this last year and discovered my awesome anti-spam appliance’s SSL connection wasn’t working.
My friend noticed that if SNMP was detected, the default public and private community strings were used almost 100 percent of the time. She also found passwords to people’s TiVos, online poker games, and online chatting communities. What disturbed her was that often these personal passwords were identical to the user’s corporate passwords.
Many network administrators conduct password audits on their network, but those audits are usually aimed at cracking weak password hashes for log-in accounts, not at whether the passwords themselves travel the network in the clear. If you want to know your true state of security, sniff your remote traffic heading across the Internet or coming across the wire from roaming or home users. If you have to use services or protocols that send plain text passwords (POP3, IMAP, FTP, SNMP v1/v2c, HTTP Basic authentication), wrap them in a VPN tunnel of some type between source and destination.
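To make the "sniff your own traffic" audit concrete for both the SNMP community strings above and the plain text log-in protocols, here is an added example (my own code, not from the original column or any tool it mentions). It scans raw TCP/UDP payloads, which you would pull from your own capture tool, for credentials that are sent verbatim or merely base64-encoded, and it decodes the BER envelope of an SNMP v1/v2c message to recover the community string and flag the vendor defaults. The sample payloads at the bottom are constructed for this example, and the regular expressions are heuristics, not full protocol parsers.

```python
"""Scan captured application payloads for credentials sent in the clear.

Added example, not code from the original column.  It does offline what the
column's sniffer did on the wire: pull POP3/IMAP/FTP logins, HTTP Basic and
form passwords, SMTP AUTH PLAIN and SNMP v1/v2c community strings out of raw
TCP/UDP payloads.  The sample payloads at the bottom are constructed.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass


@dataclass
class Finding:
    proto: str    # protocol that leaked the credential
    detail: str   # what was recovered (user name, password, community)


# Line-oriented protocols that carry credentials verbatim or base64-encoded.
_LINE_PATTERNS = [
    ("POP3/FTP", re.compile(rb"^(USER|PASS) (\S+)\r?$", re.M)),
    ("IMAP", re.compile(rb"^\S+ LOGIN (\S+) (\S+)\r?$", re.M | re.I)),
    ("HTTP Basic", re.compile(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)\r?$", re.M | re.I)),
    ("SMTP AUTH PLAIN", re.compile(rb"^AUTH PLAIN ([A-Za-z0-9+/=]+)\r?$", re.M | re.I)),
    ("HTTP form", re.compile(rb"(?:^|&)(pass(?:word|wd)?|pwd)=([^&\r\n]+)", re.M | re.I)),
]
_BASE64_PROTOS = {"HTTP Basic", "SMTP AUTH PLAIN"}
DEFAULT_COMMUNITIES = {"public", "private"}   # the vendor defaults the column warns about


def _ber_tlv(buf: bytes, off: int) -> tuple[int, bytes, int]:
    """Return (tag, value, next_offset) for one definite-length BER TLV."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                       # long form: low 7 bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def snmp_community(payload: bytes) -> tuple[int, str] | None:
    """Return (version, community) for an SNMP v1/v2c message, else None.

    SNMP is SEQUENCE { INTEGER version, OCTET STRING community, PDU }.  SNMPv3
    puts a SEQUENCE where the community string would be, so it is skipped.
    """
    try:
        tag, body, _ = _ber_tlv(payload, 0)
        if tag != 0x30:
            return None
        tag, version, off = _ber_tlv(body, 0)
        if tag != 0x02:
            return None
        tag, community, _ = _ber_tlv(body, off)
        if tag != 0x04:
            return None
        return int.from_bytes(version, "big"), community.decode("ascii", "replace")
    except (IndexError, ValueError):
        return None


def scan_payload(payload: bytes) -> list[Finding]:
    """Return every plain text credential found in one TCP/UDP payload."""
    findings = []
    for proto, pat in _LINE_PATTERNS:
        for m in pat.finditer(payload):
            if proto in _BASE64_PROTOS:
                try:
                    raw = base64.b64decode(m.group(1), validate=True)
                except ValueError:          # binascii.Error is a ValueError subclass
                    continue
                # Basic is "user:pass"; AUTH PLAIN is "authzid\0user\0pass".
                detail = raw.replace(b"\0", b":").decode("latin-1").lstrip(":")
            else:
                detail = " ".join(g.decode("latin-1") for g in m.groups())
            findings.append(Finding(proto, detail))
    snmp = snmp_community(payload)
    if snmp is not None:
        version, community = snmp
        label = {0: "v1", 1: "v2c"}.get(version, f"v{version}")
        note = " (vendor default)" if community in DEFAULT_COMMUNITIES else ""
        findings.append(Finding(f"SNMP {label}", f"community={community}{note}"))
    return findings


def audit(payloads: dict[str, bytes]) -> dict[str, list[Finding]]:
    """Scan a mapping of capture label -> payload; every label gets a result."""
    return {name: scan_payload(p) for name, p in payloads.items()}


# Constructed sample payloads (not real captures): one per leak type, plus a
# TLS record fragment that should produce nothing.
SAMPLE_PAYLOADS = {
    "pop3": b"USER alice\r\nPASS hunter2\r\n",
    "http_basic": b"GET /admin HTTP/1.1\r\nHost: fw.example.test\r\n"
                  b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n",
    "http_form": b"POST /login HTTP/1.1\r\nHost: portal.example.test\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                 b"username=alice&password=hunter2",
    "imap": b"a001 LOGIN alice hunter2\r\n",
    "smtp": b"AUTH PLAIN AGFsaWNlAGh1bnRlcjI=\r\n",
    # SNMPv1 GetRequest for sysDescr.0 with community "public", hand-encoded.
    "snmp_v1_get": bytes.fromhex(
        "302902010004067075626c6963a01c02044a1ae7b2020100020100"
        "300e300c06082b060102010101000500"),
    "tls_hello": b"\x16\x03\x01\x00\x05hello",
}

if __name__ == "__main__":
    for name, found in audit(SAMPLE_PAYLOADS).items():
        for f in found:
            print(f"{name:12} {f.proto:16} {f.detail}")
```

Point `audit()` at payloads reassembled from your own capture (one entry per TCP stream or UDP datagram) and anything it prints is a credential that would have been readable by whoever sat between you and the server. The SNMPv3 case is handled on purpose: its second element is not an OCTET STRING, so a v3 message yields no community finding, which is exactly the distinction an audit of "do we still run v1/v2c anywhere?" needs.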
I counseled my friend to stop her password sniffing ways, as it could only lead to trouble. She said she had stopped a few months ago because she found the idea of how many plain text passwords were being passed around, especially by security professionals, just too stressful and disturbing. I agree with that sentiment: If you’re a security person, sniff your own traffic the next time you go out of town to make sure you aren’t leaking any credential information.