Discussions related to Infosec.pub

1121 readers

1 users here now

founded 1 year ago

MODERATORS

[email protected]

Passwords sent as plaintext? (infosec.pub)

submitted 1 year ago by [email protected] to c/[email protected]

23 comments fedilink hide all child comments

I tried logging in on browser and I had inspected the request. My password was sent in plaintext. Is this a infosec.pub issue or a Lemmy one?

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 5 points 1 year ago (2 children)

That doesn't make any sense. If you hash it once on client and once on server, that means that your password, as far as the server knows, is the client-hashed password. Nothing has changed in terms of security. In fact, you could implement this yourself by hashing your password when creating it and when supplying it.

[–] [email protected] 2 points 1 year ago

That's actually a good thought though. It would prevent (clear text) password leaks from shitty / malicious websites. Having a standard for browsers to salt and hash password would have prevented a lot password leaks. On the other hand it could never be updated and we would most likely be stuck on md4 or something similarly broken.

[–] [email protected] 2 points 1 year ago

Yeah now that you put it this way I realised my mistake. Thanks