Forums: How to send password securely over HTTP? - Forums


How to send password securely over HTTP?

#1 dingdang

  • Newbie
  • Group: Members
  • Posts: 2
  • Joined: 07-October 18

Posted 14 October 2018 - 01:55 PM

Using PHPRunner 9.8, when a user submits a form with his username and password on the login screen, the password is sent in plain text (even with POST).
My question is: what is the right way to protect the user and his password against a third party who might be eavesdropping on the communication?
Example: encryption in JavaScript and decryption with PHP
0

#2 walk2fly

  • Advanced Member
  • Group: Members
  • Posts: 406
  • Joined: 09-February 10

Posted 14 October 2018 - 02:18 PM

... you need to install a security certificate, say, to finally own HTTPS instead of only HTTP ...
0

#3 admin

  • Administrator
  • Group: Admin
  • Posts: 16046
  • Joined: 03-February 03

Posted 15 October 2018 - 12:54 PM

Needs to be HTTPS.
Best regards,
Sergey Kornilov
0

#4 dingdang

  • Newbie
  • Group: Members
  • Posts: 2
  • Joined: 07-October 18

Posted 15 October 2018 - 02:46 PM

Many thanks for your prompt reply. The problem for me is that I cannot use HTTPS. So I want to know how to protect the user and his password under HTTP, instead of under HTTPS.
Sincerely waiting for your reply.
0

#5 walk2fly

  • Advanced Member
  • Group: Members
  • Posts: 406
  • Joined: 09-February 10

Posted 15 October 2018 - 04:05 PM

... a kind of workaround could be to instruct the user (if safety of login credentials over HTTP really matters to the user) to run the CHANGE PASSWORD button every time after having logged out and to keep the NEW one for the next login, repeating the CHANGE PASSWORD feature over and over again ... HOWEVER, this is mostly regarded as very uncomfortable in the user's eyes; due to web technical laws, comparably speaking, you cannot mount wings onto a turtle to get it to fly.
0

#6 admin

  • Administrator
  • Group: Admin
  • Posts: 16046
  • Joined: 03-February 03

Posted 15 October 2018 - 10:19 PM

You cannot really do that if you use HTTP. Encryption in JavaScript won't work. What is encrypted in JavaScript can be decrypted in JavaScript as well, very easily.

You can sort of get away with generating one-time-use passwords, sending them via email or SMS to the end user when they start their logon process. This is going to be a huge pain in the neck for both you and your users. Use HTTPS.
Best regards,
Sergey Kornilov
0
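The one-time password workaround described in the post above, as an added example in PHP (not PHPRunner's code and not from the original thread): the server issues a short-lived, single-use code for delivery by email or SMS, so a code seen on the wire is rejected when it is submitted a second time. The class name, the in-memory array standing in for a database table, the 5-minute lifetime and the 5-try limit are assumptions.

```php
<?php
// Added example: single-use, expiring login codes. Hypothetical class, not a PHPRunner API.
final class OneTimeLoginCodes
{
    /** @var array username => ['hash' => string, 'expires' => int, 'tries' => int] */
    private $pending = [];   // assumption: stands in for a database table
    private $ttlSeconds = 300;
    private $maxTries = 5;

    // Create a code to deliver out of band (email/SMS). Only its hash is stored.
    public function issue(string $user, int $now): string
    {
        // random_int() draws from the operating system's CSPRNG.
        $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
        $this->pending[$user] = [
            'hash'    => hash('sha256', $code),
            'expires' => $now + $this->ttlSeconds,
            'tries'   => 0,
        ];
        return $code;
    }

    // True only for the first correct submission made before expiry.
    public function verify(string $user, string $submitted, int $now): bool
    {
        if (!isset($this->pending[$user])) {
            return false;                       // never issued, or already consumed
        }
        $entry = $this->pending[$user];
        if ($now > $entry['expires'] || $entry['tries'] >= $this->maxTries) {
            unset($this->pending[$user]);       // expired or guessed too often
            return false;
        }
        $this->pending[$user]['tries']++;
        // hash_equals() compares in constant time.
        if (!hash_equals($entry['hash'], hash('sha256', $submitted))) {
            return false;
        }
        unset($this->pending[$user]);           // consume: the same code cannot be reused
        return true;
    }
}

$codes = new OneTimeLoginCodes();
$t0    = 1539600000;                            // constructed timestamp
$code  = $codes->issue('alice', $t0);           // 'alice' is a constructed user name
var_dump($codes->verify('alice', $code, $t0 + 30));   // first submission of the code
var_dump($codes->verify('alice', $code, $t0 + 31));   // the same code submitted again
$late = $codes->issue('alice', $t0);
var_dump($codes->verify('alice', $late, $t0 + 301));  // submitted after the lifetime ended
```

This limits reuse of a captured code only; everything else sent over HTTP, including the session cookie set after login, is still readable in transit.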

#7 walk2fly

  • Advanced Member
  • Group: Members
  • Posts: 406
  • Joined: 09-February 10

Posted 15 October 2018 - 10:35 PM

Biggest problem is TWILIO, say, they only start listening as of 1m users, which is far out of reach, making it more than difficult for small-scale ones or start-ups at all. We here in Germany have a solution provider for small-scale VoIP-based SMS-based two-token authentication requiring users via PHPRunner and contacted them a few days ago, with the aim to show them the market, but much to our surprise, they remained silent, most probably due to the fact that they are totally unaware of the worldwide market demand anyway, so the problem is not really that NO affordable solutions outside TWILIO or else would be around, but "Poverty starts in the head" in regard to some competitors anyway.
0
