Basic password security question

Discussion in 'ASP .Net Security' started by Opa, Feb 23, 2007.

  1. Opa

    Opa Guest

    Hi all,
    I was asked today if setting textmode="password" of a textbox control
    was secure over http. I assumed that the browser does encryption before
    sending it over the wire. Why aren't most login screen forms sent over https?
    Is my assumption about the browser providing encryption on special input
    fields true? Can anyone explain?

    Thanks,

    Opa
     
    Opa, Feb 23, 2007
    #1

  2. Joe Kaplan

    Joe Kaplan Guest

    No. You should look at the wire traffic. That is just for the UI displayed
    by the browser.

    If you are doing a secure site where you will be collecting data like
    passwords and potentially using cookies for authentication, you must use
    SSL.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Opa" <> wrote in message
    news:...
    > Hi all,
    > I was asked today if setting textmode="password" of a textbox control
    > was secure over http. I assumed that the browser does encryption before
    > sending it over the wire. Why aren't most login screen forms sent over
    > https?
    > Is my assumption about the browser providing encryption on special input
    > fields true? Can anyone explain?
    >
    > Thanks,
    >
    > Opa
     
    Joe Kaplan, Feb 23, 2007
    #2

  3. Opa

    Opa Guest

    Hi Joe,

    I will be securing the rest of my site with SSL; however, I'm referring only
    to my login page. A lot of sites, including my bank, have a login page
    over http and once I am logged in, the remainder of the pages are over
    https. How do they secure the password in that case?


    "Joe Kaplan" wrote:

    > No. You should look at the wire traffic. That is just for the UI displayed
    > by the browser.
    >
    > If you are doing a secure site where you will be collecting data like
    > passwords and potentially using cookies for authentication, you must use
    > SSL.
    >
    > Joe K.
    >
    > --
    > Joe Kaplan-MS MVP Directory Services Programming
    > Co-author of "The .NET Developer's Guide to Directory Services Programming"
    > http://www.directoryprogramming.net
    > --
    > "Opa" <> wrote in message
    > news:...
    > > Hi all,
    > > I was asked today if setting textmode="password" of a textbox control
    > > was secure over http. I assumed that the browser does encryption before
    > > sending it over the wire. Why aren't most login screen forms sent over
    > > https?
    > > Is my assumption about the browser providing encryption on special input
    > > fields true? Can anyone explain?
    > >
    > > Thanks,
    > >
    > > Opa

     
    Opa, Feb 23, 2007
    #3
  4. Look at the pages - they (should) never post that form over HTTP - usually
    the login form posts to an HTTPS address....

    You need SSL - and if you have it for the rest of your site, why not for
    your login page too?


    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    > Hi Joe,
    >
    > I will be securing the rest of my site with ssl, however I'm referring
    > only to my login page. A lot of sites, including my bank, have a
    > login page over http and once I am logged in, the remainder of the
    > pages are over https. How do they secure the password in that case?
    >
    > "Joe Kaplan" wrote:
    >
    >> No. You should look at the wire traffic. That is just for the UI
    >> displayed by the browser.
    >>
    >> If you are doing a secure site where you will be collecting data like
    >> passwords and potentially using cookies for authentication, you must
    >> use SSL.
    >>
    >> Joe K.
    >>
    >> --
    >> Joe Kaplan-MS MVP Directory Services Programming
    >> Co-author of "The .NET Developer's Guide to Directory Services
    >> Programming"
    >> http://www.directoryprogramming.net
    >> --
    >> "Opa" <> wrote in message
    >> news:...
    >>> Hi all,
    >>> I was asked today if setting textmode="password" of a textbox
    >>> control
    >>> was secure over http. I assumed that the browser does encryption
    >>> before
    >>> sending it over the wire. Why aren't most login screen forms sent
    >>> over
    >>> https?
    >>> Is my assumption about the browser providing encryption on special
    >>> input
    >>> fields true? Can anyone explain?
    >>> Thanks,
    >>>
    >>> Opa
    >>>
     
    Dominick Baier, Feb 23, 2007
    #4