Security On GET

Martin Cunningham

Hi. I've a form that has a password field in it. How can I encrypt it so when
I use a get it doesn't show what the actual password is but instead a
jumble of rubbish that can be sorted out in the next file?
Thanks.
 
rf

Martin Cunningham said:
Hi. I've a form that has a password field in it. How can I encrypt it so when
I use a get it doesn't show what the actual password is but instead a
jumble of rubbish that can be sorted out in the next file?
Thanks.

You can't. You should be using method="post" and SSL.

Cheers
Ricard.
 
Rob McAninch

The client would have to encrypt the password before sending it,
the browser isn't going to do that automatically. So the client
would have to type the 'jumble of rubbish' instead of the
'password', but now the jumble is transmitted in the open - and
effectively _is_ the password.
You can't. You should be using method="post" and SSL.

Yup. The whole transaction has to be encrypted, not just a piece
of it.
 
Toby A Inkster

The client would have to encrypt the password before sending it,
the browser isn't going to do that automatically. So the client
would have to type the 'jumble of rubbish' instead of the
'password', but now the jumble is transmitted in the open - and
effectively _is_ the password.

Well, not necessarily. The server would just need to send a unique
"salt" each time it asked for the password. The password and salt would be
concatenated together and then hashed. This hash could be used to log in,
but if intercepted would not be any use because it is unlikely that the
same salt would be sent next login.
 
Rob McAninch

Toby A Inkster
The client would have to encrypt the password before sending
it, [...] but now the jumble is transmitted in the open - and
effectively _is_ the password.

Well, not necessarily. The server would just need to send a
unique "salt" each time it asked for the password. The
password and salt would be concatenated together and then
hashed. This hash could be used to log in, but if intercepted
would not be any use because it is unlikely that the same salt
would be sent next login.

Hm, I see how that would work. The client would still have to do
the hash, correct? So it would take some extra software, and
couldn't be for general use (like SSL could be) as I understand
it.
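
The salted challenge-response exchange described in this thread, as an added example that is not code from any of the posters. The function names, the sample account and the choice of SHA-256 are assumptions; the client half would run as script in the browser, and here both halves run under Node so the exchange can be followed end to end.

```javascript
// Added example: per-login salt + hash, with the salt valid for one attempt.
const crypto = require('node:crypto');

// Constructed sample account store. The server must hold the password (or
// something equivalent to it) in order to recompute the expected response.
const users = new Map([['martin', 'correct horse battery']]);
const pending = new Map(); // username -> outstanding salt

// Server: issue a fresh random salt for this login attempt.
function issueChallenge(username) {
  const salt = crypto.randomBytes(16).toString('hex');
  pending.set(username, salt);
  return salt;
}

// Client: hash salt + password; only this digest is sent to the server.
function clientResponse(salt, password) {
  return crypto.createHash('sha256').update(salt + password, 'utf8').digest('hex');
}

// Server: verify against the outstanding salt, then discard that salt.
function verifyResponse(username, response) {
  const salt = pending.get(username);
  pending.delete(username); // a salt is good for one attempt only
  const password = users.get(username);
  if (salt === undefined || password === undefined) return false;
  const expected = Buffer.from(clientResponse(salt, password), 'hex');
  const given = Buffer.from(String(response), 'hex');
  // Constant-time comparison; the length check guards timingSafeEqual.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Walk through one login, then replay the same digest twice.
function demo() {
  const salt = issueChallenge('martin');
  const sent = clientResponse(salt, 'correct horse battery'); // value on the wire
  const firstLogin = verifyResponse('martin', sent);
  const replaySameSalt = verifyResponse('martin', sent); // salt already consumed
  issueChallenge('martin'); // the next login gets a different salt
  const replayNewSalt = verifyResponse('martin', sent);
  return { firstLogin, replaySameSalt, replayNewSalt };
}
```

The digest is useless for a later login only because the server discards each salt after one use. The salt and digest still cross the network in the clear, so a weak password can be guessed offline from them and the rest of the session is unprotected, which is why the thread's advice of method="post" with SSL still stands.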
 
