124

I'm currently working on a PHP OpenID provider that will work over HTTPS (hence SSL encrypted).
Is it wrong for me to transmit the password as plain text? HTTPS in theory, cannot be intercepted, so I don't see anything wrong. Or is this unsafe at some level and I'm failing to see this?

Improve this question

7 Answers 7

Reset to default
162

It is safe. That's how the entire web works. All passwords in forms are always sent in plain text, so its up to HTTPS to secure it.

Improve this answer
19
  • 28
    Minor nitpick: some login forms use JavaScript to hash the password instead of sending it plain text.
    – Thorarin
    Commented Jun 7, 2009 at 18:35
  • 5
    @Thorarin if they truly hash it, that means the server is storing the password in plain text so it can hash with the same salt to verify. Ick! Sending the password in ssl wrapped text is better, as the server does not then need to store the password in plain text.
    – DGM
    Commented Feb 14, 2010 at 20:59
  • 16
    @DGM: double hashing is also an option, so plain text passwords are not strictly necessary.
    – Thorarin
    Commented Feb 16, 2010 at 13:43
  • 3
    @Denis: client side hashing doesn't really help much. It may make things a bit harder than plain text, but somebody who really wants to steal a password can do it with no problems. Only would safely work if you send at least a one-time token over a secure channel (ssl), in which case you might as well just send the password in SSL to start with.
    – Eduardo Scoz
    Commented Jul 6, 2011 at 13:57
  • 5
    I am just saying that Yahoo felt that client side hashing was secure enough until they could afford to move all the way to ssl. But hey, I am all for https :)
    – Denis
    Commented Jul 6, 2011 at 18:16
96

You still need to make sure you send it via POST request, not GET. If you send it via GET request, it could be saved in plaintext in the user's browser history logs or the webserver's access logs.

Improve this answer
2
  • 8
    Yes, I knew that, but it's still a good comment to leave behind for others that come looking here. :)
    – WhyNotHugo
    Commented Jun 21, 2014 at 8:24
  • or send it in a header
    – james
    Commented Feb 13, 2019 at 22:05
26

If HTTP is disabled, and you only use HTTPS, then you're not really transmitting the password as plain text anyway.

Improve this answer
1
  • 4
    However the server does have access to your plaintext password, they can store it as plaintext, log it incorrectly as plaintext etc. That is to say, your password doesn't stay on the client side, the server also sees exactly what it is.
    – xref
    Commented Mar 21, 2019 at 20:02
24

Hash client side. Why? Let me tell you about a little experiment. Walk up to computer in company cafeteria. Open browser to company web site login page (https). Press F12, click network tab, check off persist log, minimize console but leave web page open to login page. Sit down and eat lunch. Watch as employee after employee logs on to the company web site and being a good little worker logs out when done. Finish lunch, sit down at computer bring up network tab and see every single username and password in plain text in the form bodys.

No special tools, no special knowledge, no fancy hacking hardware, no keyloggers just good old F12.

But hey, keep thinking all you need is SSL. The bad guys will love you for it.

Improve this answer
10
  • 13
    Your cafeteria comment doesn't make any sense, no matter how much I re-read it. Why would people just walk up to a computer and type their credentials? What are you trying to prove? Also, hashing won't make this more insecure, in any way. It was a common thing to hash passwords and transmit them over plain-text HTTP when this question was written, in 2009.
    – WhyNotHugo
    Commented Jul 26, 2017 at 0:32
  • 8
    I upvoted both of these because, yes, the accepted answer is being read many years later. It would be good if @CodeDog would please point to some mitigation strategy. And yes, people will just walk up to random PCs, for example, in the local library, and enter their details!
    – JoeAC
    Commented Jul 26, 2017 at 5:17
  • 4
    I encrypt passwords client side with a public key, then post only the encrypted password in the form. It is an asymmetrical key so having the client side public key is useless for the attackers. Every log it generates a new key pair so replay attacks wont work either. The key even changes on failed log in attempts. The key pairs are generated server side when the users arrives at the log in screen. Only the public key is provided to the client side code.
    – CodeDog
    Commented Jul 29, 2017 at 6:11
  • 1
    I performed such an experiment myself loging into my bank account and must agree with @CodeDog - Request payload include my login and password both plaintext.
    – Artur Michajluk
    Commented Jan 15, 2018 at 15:10
  • 1
    @Ivan There is the possibility of the server providing a salt/key which the client has to use to hash the password. If that changes on every request, then even reading the hash will be useless for replay attacks. It is explained by CodeDog.
    – Lucas Manzke
    Commented Oct 21, 2021 at 12:12
7

Let’s make some notes to previous answers.

First, it’s probably not the best idea to use hash algorithms client side because if your password is salted on the server side, you won’t be able to compare hashes (at least not if you don’t store the client hash in the database in one of the hashing layers from the password, which is the same or worse). And you don’t want to implement the hashing algorithm used by the database on the client side, it would be silly.

Second, trading off cryptographic keys aren’t ideal either. The MITM could theoretically (considering he has a root cert installed on the client) change the cryptographic keys, and change with his own keys:

Example from an original connection (not considering TLS) from a theoretical server that exchanges keys:

Client request public keys > server holds the private keys, generate public keys to client > server sends public keys to client

Now, in a theoretical MITM atrack:

Client request public keys > MITM generates fake private keys > Server holds the private keys, generate public keys to client > MITM receives the public keys from the original server, now, we’re free to send our fake public keys to the client, and whenever a request comes from the client, we will decrypt the client data with the fake keys, change the payload (or read it) and encrypt with the original public keys > MITM sends fake public keys to client.

That’s the point of having trusted CA certificate in TLS, and that’s how you receive a message from the browser warning if the certificate isn’t valid.

In response to the OP: in my humble opinion you can’t do that, because sooner or later, someone will want to attack a user from your service and will try to break your protocol.

What you can do, however, is to implement 2FA to prevent people from ever trying to login with the same password. Beaware of replay attacks, though.

I’m not great with cryptography, please correct me if I’m wrong.

Improve this answer
2
  • 1
    Keep in mind that this discussion is from 2009. These were pretty much the best practices at the time.
    – WhyNotHugo
    Commented Aug 26, 2018 at 18:59
  • 4
    @WhyNotHugo I’m aware. I decided to leave an answer because the top google answer to this question led me here, so why not.
    – Lucca Ferri
    Commented Aug 26, 2018 at 19:30
6

The other posters are correct. Now that you're using SSL to encrypt the transmission of the password, make sure you're hashing it with a good algorithm and salt so it's protected when it's at rest, too...

Improve this answer
1
  • Yes, I realize this, thanks, I was merely referring to the transmission here.
    – WhyNotHugo
    Commented Jun 7, 2009 at 16:43
6

@CodeDog example has issues..

Yes, I can believe that users will log into a caffeteria box. If you are capturing logs from a corporate caffeteria, then you are the security breach. Corporate caffeterias boxes should be setup disabled, e.g. no terms, no loggers, no remote access, etc. In order to prevent you, the inside hacker.

The example is a good one of computer access security, and not really related to network security. It is provided as justification for client side hashing, but if you have computer access you could just use a keystroke logger and bypass that. The client side hash is again irrelevant. The example by @CodeDog is a computer access hack and requires techniques different from network layer hacks.

Also, a public computer hack is protected by crippling the system from threats, as mentioned above. e.g. use a chromebook for a public caffeteria computer. But that is bypassed by a physical hack. During off hours, go to the caffeteria and setup a secret camera to record keyboard presses by users. Then it doesnt matter if the caffeteria computer is crippled, OR what type of encryption is used.

physical layer -> computer layer -> client layer -> network layer -> server layer

For networking, doesnt matter if you hash on client side because the https/ssl layer will encrypt the plain passwd. So as others mention the client hashing is redundant if the TLS is secure.

Improve this answer
1
  • 3
    While you make good points, you are replying to an answer (which itself is not really relevant to the question asked) so isn't really appropriate for the Stackoverflow Q&A model.
    – Martin
    Commented Aug 24, 2020 at 20:40

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Not the answer you're looking for? Browse other questions tagged or ask your own question.