
How to send password securely over HTTP?

10/14/2018 9:55:41 AM
PHPRunner General questions
ding (author)

Using PHPRunner 9.8, when a user submits a form with his username and password on the login screen, the password is sent in plain text (even with POST).

My question is: what is the right way to protect the user and his password against a third party who might be eavesdropping on the communication data?

Example: encryption in JavaScript and decryption with PHP

HJB 10/14/2018

... you need to install a security certificate, say, to finally own HTTPS instead of only HTTP ...

admin 10/15/2018

Needs to be HTTPS.

ding (author) 10/15/2018

Many thanks for your prompt reply. The problem for me is that I cannot use HTTPS. So I want to know how to protect the user and his password under HTTP instead of HTTPS.

Sincerely waiting for your reply.

HJB 10/15/2018

... a kind of workaround could be to instruct the user (if safety of login credentials over HTTP really matters to the user) to use the CHANGE PASSWORD button every time after having logged out and to keep the NEW one for the next login, repeating the CHANGE PASSWORD feature over and over again ... HOWEVER, this is mostly regarded as very uncomfortable in the user's eyes; due to web technical laws, comparably speaking, you cannot mount wings onto a turtle to get it to fly.

admin 10/15/2018

You cannot really do that if you use HTTP. Encryption in Javascript won't work. What is encrypted in Javascript can be decrypted in Javascript as well, very easily.
You can sort of get away with generating one-time-use passwords, sending them via email or SMS to the end user when they start their logon process. This is going to be a huge pain in the neck for both you and your users. Use HTTPS.
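The one-time-code scheme admin sketches above (generate a code, deliver it out of band, accept it once) boils down to a small piece of server-side bookkeeping. The following is an added example written for this page; it is not code from the thread or from PHPRunner, and it is in Python rather than PHP so the logic can be read on its own. It assumes an in-memory store (a real deployment would use the database), a server-side secret key (`server_key`) that is only used to tag codes so a leaked table does not reveal them, and that delivery by email or SMS happens elsewhere: `issue()` just returns the code to the caller. The caveat admin gives still holds: this only stops a passively sniffed code from being replayed. The session cookie handed out after a successful login still crosses the wire in clear text over HTTP, and an active attacker can take the code in flight.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_LIFETIME_SECONDS = 300   # a code is only good for five minutes
OTP_MAX_ATTEMPTS = 3         # three wrong guesses burn the code


class OtpStore:
    """Server-side bookkeeping for one-time login codes (hypothetical helper).

    Codes are never stored in clear: only an HMAC under a server-side
    key is kept, so a leaked table does not leak usable codes.
    """

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # username -> {"tag", "expires", "attempts"}

    def _tag(self, username: str, code: str) -> bytes:
        # Bind the tag to the username so a code issued to alice
        # cannot be submitted for bob.
        msg = username.encode() + b"\x00" + code.encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, username: str) -> str:
        """Create a fresh code for `username`, replacing any earlier one.

        Returns the code so the caller can deliver it out of band
        (email/SMS); delivery itself is outside this example.
        """
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[username] = {
            "tag": self._tag(username, code),
            "expires": self._clock() + OTP_LIFETIME_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, username: str, code: str) -> bool:
        """Consume the pending code for `username` if `code` matches.

        A successful check, an expired code, or too many failures all
        remove the entry, so a code can be accepted at most once and
        cannot be brute-forced within its lifetime.
        """
        entry = self._pending.get(username)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[username]
            return False
        entry["attempts"] += 1
        # Constant-time comparison of the two HMAC tags.
        ok = hmac.compare_digest(entry["tag"], self._tag(username, code))
        if ok or entry["attempts"] >= OTP_MAX_ATTEMPTS:
            del self._pending[username]
        return ok


if __name__ == "__main__":
    # Constructed walk-through: the key would come from server config.
    store = OtpStore(server_key=secrets.token_bytes(32))
    code = store.issue("alice")          # would be emailed/texted to alice
    print("first use accepted:", store.verify("alice", code))
    print("replay accepted:   ", store.verify("alice", code))
```

Each call to `issue()` replaces whatever was pending for that user, so a code that was sniffed but not yet used is also invalidated as soon as the legitimate user starts a new login.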

HJB 10/15/2018

Biggest problem is TWILIO, say, they only start listening as of 1m users, which is far out of reach, making it more than difficult for small-scale ones or start-ups at all. We here in Germany have a solution provider for small-scale VoIP-based, SMS-based two-token authentication requiring users via PHPRunner and contacted them a few days ago, with the aim of showing them the market, but much to our surprise, they remained silent, most probably due to the fact that they are totally unaware of the worldwide market demand anyway. So, the problem is not really that NO affordable solutions outside TWILIO or else would be around, but "Poverty starts in the head" in regard to some competitors anyway.