X51 Posted October 26, 2010

I have been reading (here and on the internet) about login security, and I have now formulated a dumb question to ask. Not having a secure connection, is there any way to NOT send plain text over the internet? In other words, when you have a login form, plain text is entered. It is then passed to some type of encryption (hash, md5, sha1), BUT is the password always vulnerable between these two? And just for the record, I am asking this because McAfee Secure is giving me a rash of (insert your favorite word here) about my login form, which encrypts using sha1.

Psycho Posted October 26, 2010

Correct. Unless you are using SSL (i.e. https), the data submitted by the user is transmitted in plain text. McAfee has no knowledge of what hashing (SHA is hashing, not encryption) you are using on the server, so I don't know what it is reporting on. You *could* use some JavaScript to obfuscate the input before it sends the data. But, to be honest, you then open yourself up to a whole host of potential errors and it wouldn't be worth it IMHO.

X51 Posted October 26, 2010

Thanks for the answer. Basically McAfee says passwords are being sent over the internet in plain text, leaving me open to a man-in-the-middle attack, when they do a scan. For now I have just removed the login, since it isn't anything important, to keep them happy.