Passwords sent as plaintext? - eviltoast

I tried logging in on browser and I had inspected the request. My password was sent in plaintext. Is this a infosec.pub issue or a Lemmy one?

  • 0x7d0@infosec.pub
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 year ago

    Passwords are always sent to the server, then it is hashed to check it against the value in the database. It’s also possible to view your password by inspecting login requests from other websites. TLS is used to secure it while in transit.

    Hashing is done as an extra measure of security in case the database is compromised. This measure of security would have been completely void if the server would accept password hash directly. You could log in as any user by using his compromised hash.

    • iamak@infosec.pubOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      1 year ago

      this measure of security would have been completely void…

      Why not hash it server side too? I’m asking because I’m curious

      • TheButtonJustSpins@infosec.pub
        link
        fedilink
        English
        arrow-up
        5
        ·
        1 year ago

        That doesn’t make any sense. If you hash it once on client and once on server, that means that your password, as far as the server knows, is the client-hashed password. Nothing has changed in terms of security. In fact, you could implement this yourself by hashing your password when creating it and when supplying it.

        • SWW13@lemmy.brief.guru
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          That’s actually a good thought though. It would prevent (clear text) password leaks from shitty / malicious websites. Having a standard for browsers to salt and hash password would have prevented a lot password leaks. On the other hand it could never be updated and we would most likely be stuck on md4 or something similarly broken.

        • iamak@infosec.pubOP
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          Okay. I am pretty new to this stuff so I’ll go and check out SSL/TLS. Thanks :)