this post was submitted on 18 Jul 2023
10 points (81.2% liked)

Discussions related to Infosec.pub

I tried logging in on browser and I had inspected the request. My password was sent in plaintext. Is this an infosec.pub issue or a Lemmy one?

[–] clb92@kbin.social 15 points 1 year ago (12 children)

The server needs to receive your password to verify it and log you in. That's how it always is. As long as you are connecting via HTTPS, this is not a problem.

[–] clemdawg@lemmy.world 3 points 1 year ago* (last edited 1 year ago) (1 children)

Please forgive me as I haven’t coded anything in 15ish years but even when making shitty PHP message boards back in the day we would always hash and salt passwords. The server would never see a plain text version of your password.

HTTPS is nice but that doesn’t guarantee what the server is doing with my plain text password.

Edit: I just had the thought that when coding those message boards the PHP running on the server side would get a plain text password via POST, hash/salt it, then store that in a database to use for comparison later. So I guess the server did need it in plain text in that application. 🤷🏻‍♂️

[–] clb92@kbin.social 6 points 1 year ago

The server would never see a plain text version of your password.

As you realized in your edit already, this part is not correct. The server would always receive your password plaintext (when signing up and when logging in), but only store it hashed and salted.
