FlyerTalk Forums - View Single Post - Safeguarding your personal data transmitted over hotel internet
Old Apr 8, 2013 | 6:23 am
  #18  
gfunkdave
Join Date: Nov 2002
Location: ORD
Posts: 14,754
Originally Posted by northtoalaska
Assuming you have your computer adequately protected against viruses and malware, etc., the thing you need to worry about is "man in the middle" attacks. Do a Google for an explanation.

To guard against this you should use an institution that uses a confirmation check each time you log in. For example, it asks you a "secret question" that you've answered when you set up your account. Or it shows you an image at each login, and you recognize that image each time you log in. A man in the middle attack won't know the answer to the secret question or, in the case of the image check, won't know what to display.

Security theater nonsense. SSL is designed to guard against man in the middle attacks, and it does so cryptographically. "Secret" questions are just fancy names for additional passwords. The security images are semi-useful for people who ignore SSL certificate errors generated by their browser, but if you ignore a big red screen saying the website is doing something fishy, you're probably not paying attention to whether you had a photo of a baseball bat or a lawn chair at login.

Originally Posted by NameCoin
It seems that FlyerTalk does not encrypt the login process either. Although the password hash is sent instead of the actual password, the function used is MD5 and there isn't any salting. This setup seems especially weak these days. I suppose an attacker could sniff the hash out of the open network and attempt some kind of dictionary attack against it, straight-out compromising the FT account and possibly others, if the password has been reused.

I'm pleasantly surprised that FlyerTalk submits a hash instead of a password. This is not a high security application.
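An added illustration of the unsalted-MD5 login discussed in the quoted post above, contrasted with salted, slow hashing for storage. This is not code from FlyerTalk or from any poster; the function names, the two accounts and the sample password are constructed for the example.

```python
import hashlib
import hmac
import os

def md5_login_token(password: str) -> str:
    # Scheme described in the quoted post: unsalted MD5, computed client-side.
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def server_check(stored_token: str, submitted_token: str) -> bool:
    # The server only ever sees the digest, so the digest itself is the
    # credential: on a plain-HTTP login it is exposed just as a password would be.
    return hmac.compare_digest(stored_token, submitted_token)

def salted_record(password: str, iterations: int = 200_000) -> tuple:
    # Server-side storage with a per-user random salt and a slow KDF.
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, dk

def verify_salted(password: str, record: tuple) -> bool:
    salt, iterations, expected = record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)

def compare_schemes(password: str = "constructed-sample-password") -> dict:
    # Two hypothetical accounts that happen to share one password.
    alice_md5, bob_md5 = md5_login_token(password), md5_login_token(password)
    alice_rec, bob_rec = salted_record(password), salted_record(password)
    return {
        "md5_identical_across_accounts": alice_md5 == bob_md5,
        "digest_alone_authenticates": server_check(alice_md5, bob_md5),
        "salted_records_differ": alice_rec[2] != bob_rec[2],
        "salted_still_verifies": verify_salted(password, alice_rec),
        "salted_rejects_wrong": not verify_salted(password + "x", alice_rec),
    }

if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```

The salted KDF only addresses how the server stores the credential; keeping it from crossing the network in the clear is the job of SSL/TLS.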