+- Sinisterly (https://sinister.ly)
+-- Forum: Hacking (https://sinister.ly/Forum-Hacking)
+--- Forum: Website & Server Hacking (https://sinister.ly/Forum-Website-Server-Hacking)
+--- Thread: How is submitting passwords in plain text vulnerable? (/Thread-How-is-submitting-passwords-in-plain-text-vulnerable)
How is submitting passwords in plain text vulnerable? - 3SidedSquare - 03-31-2013
Alright, given the following restrictions, how would someone go about stealing a password from a user logging in?
Password is submitted as a GET request, ex:
GET somewebsite.com/u=Username&p=Password
The user is on a home network, with wifi disabled (no one else is on the network to MiM or sniff traffic)
The user does not have a virus/trojan/keylogger on his/her computer
If anyone cares, I'm not trying to hack anyone, I'm making a web server and want to know if I really need to go through the trouble of figuring out https
Thanks for your time.
RE: How is submitting passwords in plain text vulnerable? - w00t - 04-01-2013
They capture packets on any one of the 10ish servers the data gets routed through to reach the server.
If it's free, use HTTPS. If it isn't, don't bother, as self-signed certs are next to useless.
RE: How is submitting passwords in plain text vulnerable? - 3SidedSquare - 04-01-2013
I'm making the server, so it just costs time, and it'll be self-signed anyway.
But it's important that it is secure...
RE: How is submitting passwords in plain text vulnerable? - w00t - 04-01-2013
How secure? If an attacker can MITM an ISP, they can also fake a self-signed certificate.
RE: How is submitting passwords in plain text vulnerable? - i0xIllusi0n - 04-01-2013
Even though this is almost just as insecure as using GET, use POST. At least it would stop people from simply seeing the password in the URL.
RE: How is submitting passwords in plain text vulnerable? - Sabu - 04-01-2013
First of all you should know and use HTTPS no matter what.
If you send an username and password to the server in clear text it can be seen by anyone in your route to the server performing a man in the middle attack.
(04-01-2013, 02:59 AM)i0xIllusi0n Wrote: Even though this is almost just as insecure as using GET, use POST. At least it would stop people from simply seeing the password in the URL.This is still nowhere safe, contents of the POST body will still be visible in clear text if sent through just HTTP. You would have to use HTTPS to prevent that.
If you absolutely don't want to use HTTPS then implement some sort of clientside Javascript password hashing algorithm (i.e md5) into your login form so they won't be sent in clear text.
RE: How is submitting passwords in plain text vulnerable? - amus3d - 04-02-2013
you may as well just put your plain passes on a plate and give it to sabu over here and he'll get busted by the feds and ur data is then safe.
RE: How is submitting passwords in plain text vulnerable? - i0xIllusi0n - 04-03-2013
(04-01-2013, 01:42 PM)Sabu Wrote: First of all you should know and use HTTPS no matter what.
If you send an username and password to the server in clear text it can be seen by anyone in your route to the server performing a man in the middle attack.
(04-01-2013, 02:59 AM)i0xIllusi0n Wrote: Even though this is almost just as insecure as using GET, use POST. At least it would stop people from simply seeing the password in the URL.This is still nowhere safe, contents of the POST body will still be visible in clear text if sent through just HTTP. You would have to use HTTPS to prevent that.
If you absolutely don't want to use HTTPS then implement some sort of clientside Javascript password hashing algorithm (i.e md5) into your login form so they won't be sent in clear text.
No shit sherlock, I clearly said "Even though this is almost just as insecure". Everybody knows that doesn't fix anything.
Learn to comprehend what I said.