Plain text password via HTTPS

I am currently working on a PHP OpenID provider that will work via HTTPS (hence SSL-encrypted).
Is it wrong for me to pass the password in plain text? HTTPS, in theory, cannot be intercepted, so I see nothing wrong. Or is it unsafe at some level that I do not see?

+50
password-protection
Jun 07 '09 at 16:08
5 answers

It's safe. That is how the whole web works. All passwords in forms are always sent in plain text, so it is up to HTTPS to secure them.

+72
Jun 07 '09 at 16:11

You still need to make sure that you send it via a POST request, not a GET. If you send it using a GET request, it can be saved as clear text in the user's browser history or in the web server access logs.

+42
Jun 07 '09 at 16:31

If HTTP is disabled and you use only HTTPS, then you still do not pass the password as plain text.

+17
Jun 07 '09 at 16:11

The other posters are correct. Now that you use SSL to encrypt your password in transit, make sure that you hash it with a good algorithm and salt, so it is protected at rest, too...

+4
Jun 07 '09 at 16:36
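The two answers above (POST rather than GET, and salted hashing at rest) fit together in one login handler. The following is an added example written for this page, not code from the question or from any answer; the function names `register_user()` and `handle_login()`, the in-memory `$users` array and the sample credentials are assumptions made for the example. It uses PHP's built-in `password_hash()` / `password_verify()`, which choose a random salt per user and embed it in the stored string.

```php
<?php
// Added example: a minimal login handler that refuses GET (so the password
// never lands in the URL, browser history or access log) and stores only a
// salted, slow hash of the password. Names here are assumptions for the
// example, not part of the original page.

declare(strict_types=1);

// Constructed user store: username => password hash. A real provider would
// keep this in a database; the hash is produced by register_user().
function register_user(array &$users, string $username, string $password): void
{
    // password_hash() generates a random salt per call and embeds it in the
    // result, so "hash with a good algorithm and salt" is a single call.
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

/**
 * Validate a login request.
 *
 * @param string $method HTTP method (from $_SERVER['REQUEST_METHOD'])
 * @param array  $params Form fields (from $_POST; never from $_GET)
 * @param array  $users  username => password hash
 * @return array{status:int, body:string}
 */
function handle_login(string $method, array $params, array &$users): array
{
    // A GET login would put the password in the query string, and from there
    // into the browser history and the web server access log. Refuse it
    // before even reading the credentials.
    if ($method !== 'POST') {
        return ['status' => 405, 'body' => 'Login must use POST'];
    }

    $username = (string)($params['username'] ?? '');
    $password = (string)($params['password'] ?? '');

    // Verify against a dummy hash when the user is unknown so that response
    // timing does not reveal which usernames exist. Computed once per process.
    static $dummy = null;
    $dummy = $dummy ?? password_hash('dummy-password', PASSWORD_DEFAULT);

    $known  = isset($users[$username]);
    $stored = $known ? $users[$username] : $dummy;

    if (!password_verify($password, $stored) || !$known) {
        return ['status' => 401, 'body' => 'Invalid credentials'];
    }

    // If PASSWORD_DEFAULT or its cost has changed since the hash was stored,
    // upgrade the hash now, while the plaintext is legitimately in hand.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    }

    return ['status' => 200, 'body' => 'Welcome, ' . $username];
}

// Stand-alone demonstration with constructed input.
$users = [];
register_user($users, 'alice', 'correct horse battery staple');

// In a real request the wiring would be:
//   $r = handle_login($_SERVER['REQUEST_METHOD'], $_POST, $users);
//   http_response_code($r['status']); echo $r['body'];
$good = ['username' => 'alice', 'password' => 'correct horse battery staple'];
$bad  = ['username' => 'alice', 'password' => 'wrong'];

var_dump(handle_login('GET',  $good, $users)['status']); // refused: wrong method
var_dump(handle_login('POST', $bad,  $users)['status']); // refused: bad password
var_dump(handle_login('POST', $good, $users)['status']); // accepted
```

The first call is rejected before the password is looked at, the second fails `password_verify()`, and the third succeeds. Note that the stored string in `$users['alice']` is never the password itself: a leaked copy of the store still has to be brute-forced through bcrypt, which is the point of the "protected at rest" advice.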

Client-side hashing. Why? Let me tell you about a little experiment. Go to a computer in the company cafeteria. Open a browser on the login page of the company website (https). Press F12, open the Network tab, enable the preserve log option, minimise the console, but leave the web page open on the login page. Sit down and have lunch. Watch as employee after employee logs in to the company's website and, when done, goes back to being a good little worker. Finish lunch, sit down at the computer, open the Network tab and see every username and password in plain text in the form bodies.

No special tools, no special knowledge, no fancy hacker hardware, no keyloggers, just plain old F12.

But hey, keep thinking that all you need is SSL. Bad guys will love you for that.

+3
Jul 21 '17 at 8:11
