Passwords sent as plaintext? - eviltoast

I tried logging in in the browser and I had inspected the request. My password was sent in plaintext. Is this an infosec.pub issue or a Lemmy one?

  • Simran@lemm.ee
    3 · 1 year ago

    Not the original commenter, but if someone is listening in on your connection it doesn’t really add any security. The hacker would be able to just send the hashed password instead of the plaintext and would be able to log in.

    The hashing algorithm would be public facing, so it’s easily reversible anyway.

    • clb92@kbin.social
      6 · 1 year ago

      The first paragraph is correct, but your second paragraph is not. A cryptographic hash function is a lossy one-way function. Knowing exactly how something was hashed does not mean you can turn the hash back into the starting value again.

    • iamak@infosec.pub (OP)
      2 · 1 year ago

      Oh okay, makes sense, thanks!

      Why would the hash be reversible? SHA256 is public and it’s not reversible
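The two points raised in this thread (that hashing in the browser only turns the hash into the thing an eavesdropper replays, and that a public hash algorithm is still one-way) can both be shown in a few lines. The following is an added example written for this page; it is not Lemmy or infosec.pub code. The password, the class names, the `captured_from_plain_http` model of an on-path observer and the PBKDF2 iteration count are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample credential for the demonstration (not a real account).
PASSWORD = "correct horse battery staple"


# --- Point 1: a public algorithm is not a reversible one --------------------
def sha256_hex(data: str) -> str:
    """SHA-256 is fully specified and anyone can compute it, but the digest is a
    fixed 32-byte value with no inverse function: the only way 'back' is to
    guess candidate inputs and re-hash them. Knowing the algorithm gives you a
    way forward, never a way back."""
    return hashlib.sha256(data.encode()).hexdigest()


# --- Point 2: client-side hashing just makes the hash the password ---------
class NaiveHashOnlyServer:
    """Server that stores sha256(password) and expects the browser to send
    sha256(password). Whatever the client submits is compared directly, so the
    hash carries exactly the authority the password did."""

    def __init__(self, password: str):
        self.stored = sha256_hex(password)

    def login(self, submitted_hash: str) -> bool:
        return hmac.compare_digest(self.stored, submitted_hash)


def captured_from_plain_http(submitted: str) -> str:
    """Models the 'someone listening in' from the thread on an unencrypted
    connection: they see exactly what the client sent. TLS, not hashing, is
    what removes this observer."""
    return submitted


# --- What does protect the secret: TLS in transit, salted slow KDF at rest --
class SaltedKdfServer:
    """Server that receives the real password over TLS and stores only a
    per-user salted PBKDF2-HMAC-SHA256 digest. A leaked digest is not a
    credential: login requires the original password."""

    ITERATIONS = 200_000  # assumption: illustrative work factor

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.stored = self._kdf(password)

    def _kdf(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, self.ITERATIONS)

    def login(self, submitted_password: str) -> bool:
        return hmac.compare_digest(self.stored, self._kdf(submitted_password))

    def login_with_stored_digest(self, leaked_digest: bytes) -> bool:
        # Submitting the stolen digest as if it were the password runs it
        # through the KDF again and yields something else, so login fails.
        return self.login(leaked_digest.hex())


def demo() -> dict:
    naive = NaiveHashOnlyServer(PASSWORD)
    client_sends = sha256_hex(PASSWORD)          # "hashed in the browser"
    observed = captured_from_plain_http(client_sends)

    salted = SaltedKdfServer(PASSWORD)
    another_user_same_password = SaltedKdfServer(PASSWORD)

    return {
        # deterministic and public, yet no inverse exists
        "sha256_is_deterministic": sha256_hex(PASSWORD) == sha256_hex(PASSWORD),
        "naive_legit_login": naive.login(client_sends),
        # the observed hash is accepted as-is: no security was added
        "naive_replayed_hash_logs_in": naive.login(observed),
        "kdf_legit_login": salted.login(PASSWORD),
        # a leaked database row does not log in
        "kdf_stolen_digest_logs_in": salted.login_with_stored_digest(salted.stored),
        # salting means identical passwords do not share a digest
        "salt_makes_digests_distinct": salted.stored != another_user_same_password.stored,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The takeaway for the original question: seeing the password in the request body in your browser's inspector is expected when the site is served over HTTPS, because the inspector shows the request before TLS encrypts it; the thing to check is that the login request goes to an `https://` origin, and that the server hashes with a salted, slow KDF on its side.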