X51, posted October 26, 2010:
I have been reading (here and on the internet) about login security, and I have now formulated a dumb question to ask. Not having a secure connection, is there any way to NOT send plain text over the internet? In other words, when you have a login form, plain text is entered. It is then passed to some type of encryption (hash, md5, sha1), BUT is the password always vulnerable between these two? And just for the record, I am asking this because McAfee Secure is giving me a rash of (insert your favorite word here) about my login form, which encrypts using sha1.

Psycho, posted October 26, 2010:
Correct. Unless you are using SSL (i.e. https), the data submitted by the user is transmitted in plain text. McAfee has no knowledge of what hashing (SHA is hashing, not encryption) you are using on the server - so I don't know what it is reporting on. You *could* use some JavaScript to obfuscate the input before it sends the data. But, to be honest, you then open yourself up to a whole host of potential errors and it wouldn't be worth it IMHO.

X51 (author), posted October 26, 2010:
Thanks for the answer. Basically, McAfee says passwords are being sent over the internet in plain text, leaving me open to a man-in-the-middle attack, when they do a scan. For now I have just removed the login, since it isn't anything important, to keep them happy.

Archived
This topic is now archived and is closed to further replies.