Comment on Passwords sent as plaintext?
clb92@kbin.social 1 year ago
The server needs to receive your password to verify it and log you it. That's how it always is. As long as you are connecting via HTTPS, this is not a problem.
Please forgive me as I haven’t coded anything in 15ish years but even when making shitty PHP message boards back in the day we would always hash and salt passwords. The server would never see a plain text version of your password.
HTTPS is nice but that doesn’t guarantee what the server is doing with my plain text password.
The server would never see a plain text version of your password.
As you realized in your edit already, this part is not correct. The server would always receive your password plaintext (when signing up and when logging in), but only store it hashed and salted.
iamak@infosec.pub 1 year ago
Why not hash it client side?