How is submitting passwords in plain text vulnerable?
How is submitting passwords in plain text vulnerable? #1
Alright, given the following restrictions, how would someone go about stealing a password from a user logging in?

Password is submitted as a GET request, ex:
GET somewebsite.com/u=Username&p=Password

The user is on a home network, with wifi disabled (no one else is on the network to MiM or sniff traffic)

The user does not have a virus/trojan/keylogger on his/her computer

If anyone cares, I'm not trying to hack anyone, I'm making a web server and want to know if I really need to go through the trouble of figuring out https

Thanks for your time.

Reply

RE: How is submitting passwords in plain text vulnerable? #2
They capture packets on any one of the 10ish servers the data gets routed through to reach the server.

If it's free, use HTTPS. If it isn't, don't bother, as self-signed certs are next to useless.

Reply

RE: How is submitting passwords in plain text vulnerable? #3
I'm making the server, so it just costs time, and it'll be self-signed anyway.

But it's important that it is secure...

Reply

RE: How is submitting passwords in plain text vulnerable? #4
How secure? If an attacker can MITM an ISP, they can also fake a self-signed certificate.

Reply

RE: How is submitting passwords in plain text vulnerable? #5
Even though this is almost just as insecure as using GET, use POST. At least it would stop people from simply seeing the password in the URL.

Reply

RE: How is submitting passwords in plain text vulnerable? #6
First of all you should know and use HTTPS no matter what.

If you send a username and password to the server in clear text, it can be seen by anyone in your route to the server performing a man-in-the-middle attack.

(04-01-2013, 02:59 AM)i0xIllusi0n Wrote: Even though this is almost just as insecure as using GET, use POST. At least it would stop people from simply seeing the password in the URL.
This is still nowhere near safe; the contents of the POST body will still be visible in clear text if sent through just HTTP. You would have to use HTTPS to prevent that.

If you absolutely don't want to use HTTPS, then implement some sort of client-side JavaScript password hashing algorithm (i.e. MD5) into your login form so they won't be sent in clear text.

Reply
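
Added example (not part of any post in this thread): a short Python sketch that parses three constructed login requests the way any hop on a plain-HTTP route could, covering the GET, POST and client-side MD5 variants discussed in posts #5 and #6. The `/login` path and the helper names are assumptions; `u` and `p` are the field names from the first post.

```python
import hashlib
from urllib.parse import parse_qs, urlsplit

def build(method, target, body=b""):
    """Constructed sample request, as it would appear on the wire over plain HTTP."""
    head = f"{method} {target} HTTP/1.1\r\nHost: somewebsite.com\r\n"
    if body:
        head += ("Content-Type: application/x-www-form-urlencoded\r\n"
                 f"Content-Length: {len(body)}\r\n")
    return head.encode() + b"\r\n" + body

def visible_fields(raw):
    """Parse a raw request the way any hop on the route could: no key is needed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(":") for line in lines[1:])}
    in_body = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        in_body = parse_qs(body.decode("latin-1"))
    return {"url": parse_qs(urlsplit(target).query), "body": in_body}

def credential_exposure(raw, field="p"):
    """Report where the credential field is readable and what its value is."""
    seen = visible_fields(raw)
    where = [place for place in ("url", "body") if field in seen[place]]
    value = seen[where[0]][field][0] if where else None
    # The request line (URL) is also what access logs, proxies and browser history keep.
    return {"where": where, "value": value, "in_access_log": "url" in where}

# Constructed inputs. The /login path is an assumption; u and p come from the thread.
GET_LOGIN = build("GET", "/login?u=Username&p=Password")
POST_LOGIN = build("POST", "/login", b"u=Username&p=Password")
md5_hex = hashlib.md5(b"Password").hexdigest()  # what a client-side MD5 script would send
HASHED_LOGIN = build("POST", "/login", f"u=Username&p={md5_hex}".encode())

if __name__ == "__main__":
    for name, req in [("GET", GET_LOGIN), ("POST", POST_LOGIN), ("POST+MD5", HASHED_LOGIN)]:
        print(name, credential_exposure(req))
```

In all three cases the value of `p` is readable without any key, and the MD5 variant sends the same value at every login, so that value is what the server accepts in place of the password. Only the GET form also leaves it in the request line that access logs and proxies record.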

RE: How is submitting passwords in plain text vulnerable? #7
You may as well just put your plain passes on a plate and give it to Sabu over here, and he'll get busted by the feds and your data is then safe.

Reply

RE: How is submitting passwords in plain text vulnerable? #8
(04-01-2013, 01:42 PM)Sabu Wrote: First of all you should know and use HTTPS no matter what.

If you send a username and password to the server in clear text, it can be seen by anyone in your route to the server performing a man-in-the-middle attack.

(04-01-2013, 02:59 AM)i0xIllusi0n Wrote: Even though this is almost just as insecure as using GET, use POST. At least it would stop people from simply seeing the password in the URL.
This is still nowhere near safe; the contents of the POST body will still be visible in clear text if sent through just HTTP. You would have to use HTTPS to prevent that.

If you absolutely don't want to use HTTPS, then implement some sort of client-side JavaScript password hashing algorithm (i.e. MD5) into your login form so they won't be sent in clear text.

No shit sherlock, I clearly said "Even though this is almost just as insecure". Everybody knows that doesn't fix anything.

Learn to comprehend what I said.

Reply