this post was submitted on 18 Jul 2023
10 points (81.2% liked)


I tried logging in on the browser and inspected the request. My password was sent in plaintext. Is this an infosec.pub issue or a Lemmy one?

[–] vedard@infosec.pub 4 points 1 year ago (6 children)

Passwords are always sent to the server, which then hashes them to check against the value in the database. It's also possible to view your password by inspecting login requests to other websites. TLS is used to secure it while in transit.

Hashing is done as an extra measure of security in case the database is compromised. This measure of security would be completely void if the server accepted the password hash directly: you could log in as any user by using their compromised hash.

[–] iamak@infosec.pub 2 points 1 year ago* (last edited 1 year ago) (5 children)

this measure of security would have been completely void...

Why not hash it server side too? I'm asking because I'm curious

[–] vedard@infosec.pub 5 points 1 year ago (1 children)

Because it provides no advantage. TLS is used to secure any data sent to a server. If you don't trust the server with your password, then you should use a unique password for this website. In fact, you should always use a unique password.

https://www.cloudflare.com/en-ca/learning/ssl/transport-layer-security-tls/
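An added illustration of the two replies above (example code written for this page, not Lemmy's or infosec.pub's own login code): the server stores a salted PBKDF2 digest and hashes the submitted password itself, so a leaked digest does not log anyone in. A hypothetical "client hashes, server compares" variant (`login_flawed`) is shown beside it to make the point that the stored value then becomes the credential. The usernames, passwords and in-memory database are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed in-memory credential store: username -> (salt, rounds, digest)
db = {}

def register(username, password, rounds=200_000):
    """Store a salted PBKDF2-HMAC-SHA256 digest; the password itself is never kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    db[username] = (salt, rounds, digest)

def login_correct(username, password):
    """Correct design: the client sends the password (protected by TLS in transit)
    and the server re-derives the digest and compares it in constant time."""
    rec = db.get(username)
    if rec is None:
        return False
    salt, rounds, stored = rec
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, stored)

def login_flawed(username, client_hash):
    """Hypothetical flawed design: the client computes the digest (it would have to
    fetch the salt and rounds first) and the server compares it directly.
    Whatever is stored in the database is now sufficient to log in."""
    rec = db.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(client_hash, rec[2])

def leaked_digest_authenticates(username):
    """Simulate a database compromise: the attacker holds only the stored digest,
    not the password. Returns (works_in_correct_design, works_in_flawed_design)."""
    leaked = db[username][2]
    # In the correct design the digest is just another wrong password.
    in_correct = login_correct(username, leaked.hex())
    # In the flawed design the leaked digest is accepted as-is.
    in_flawed = login_flawed(username, leaked)
    return in_correct, in_flawed

if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(login_correct("alice", "correct horse battery staple"))  # True
    print(leaked_digest_authenticates("alice"))                     # (False, True)
```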

[–] iamak@infosec.pub 2 points 1 year ago

Okay. I am pretty new to this stuff so I'll go and check out SSL/TLS. Thanks :)
