I have an IIS server that uses simple username / password authentication to secure a directory. the username and password are created in windows as local users. it does not use SSL or anything like that.
is there any way someone on the internet may get hold of my username and / or password ? i.e. if they get hold of the username, is there any way / method / tool that would enable them to brute-force their way into the password? if so, where can I find that tool so that I can do some self-tests for vulnerability?