[butvacuum]

Basically everything microsoft makes that touches http will send your username and your password to any server that asks for Basic Authentication.

It looks like Microsoft Edge had the _ability to disable_ this added in 2020 or 2021, but it isn't currently the default and the Group Policy unintuitively only applies to unencrypted HTTP Connections.

[gruez]

>Basically everything microsoft makes that touches http will send your username and your password to any server that asks for Basic Authentication.

Are you talking about NTLM hashes? It's a weak hash, but not the same as "sending your password". The biggest difference is that even a weak hash can't be reversed if the password has high enough entropy.

[butvacuum]

yes, I meant to type hash. Not that it matters as even 10yr old integrated GPUs are enough to brute force 8 or 9 character NTLM(or any variant) passwords in a few hours. Not that you need to with Pass The Hash.

[lazide]

Not necessarily, the server can say it only supports basic auth and….

[gruez]

I don't think there's any evidence that windows sends cleartext passwords. The whole reason why NTLM is a thing is to avoid sending cleartext passwords.

[lazide]

Outlook appears to be

[p_ing]

The 'https://' disagrees with your 'sending clear text passwords' statement.

[lazide]

It’s clear text to the receiving server, which is what we’re talking about, not one way hashed.