Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.
Training Camp • Cybersecurity Glossary
Sending passwords or tokens over a network in cleartext, exposing them to interception via sniffing or man-in-the-middle attacks—e.g., HTTP or Telnet.
Unencrypted Credential Transmission Definition: Sending passwords or tokens over a network in cleartext, exposing them to interception via sniffing or man-in-the-middle attacks—e.g., HTTP or Telnet.
Unencrypted credential transmission is the practice of sending usernames, passwords, API keys, session tokens, or other authentication secrets across a network in cleartext, without encryption. Because the data is not protected in transit, anyone able to observe the network traffic can capture and reuse the credentials to gain unauthorized access.
This occurs whenever authentication rides over plaintext protocols or misconfigured connections, such as HTTP instead of HTTPS, Telnet instead of SSH, FTP instead of SFTP/FTPS, or SMTP/IMAP/POP3 without TLS. An attacker positioned on the network path, for example via packet sniffing on shared or public Wi-Fi, ARP spoofing, or a rogue access point, can read the credentials directly off the wire. Man-in-the-middle attacks can also strip or downgrade encryption to force credentials into the clear.
This matters because credentials are the keys to systems and data, and intercepting them lets attackers impersonate legitimate users, bypassing other defenses entirely. It is a long-standing, high-impact vulnerability called out in standards like the OWASP Top 10 (Cryptographic Failures) and PCI DSS, which mandates strong cryptography for credentials in transit. The fix is straightforward: enforce TLS everywhere, disable plaintext protocols, and use HSTS to prevent downgrade.
For example, an employee logs into an internal admin tool that is served over plain HTTP while connected to coffee-shop Wi-Fi. An attacker on the same network runs a packet capture and instantly sees the submitted username and password in cleartext. The attacker then logs into the admin tool as that user. Had the application enforced HTTPS with valid TLS, the captured traffic would have been encrypted and the credentials unreadable.
Turn knowledge into credentials with our instructor-led cybersecurity boot camps.
View All Courses →