X51 Posted October 26, 2010 Share Posted October 26, 2010 I have been reading (here and on the internet) about login security, and I have now formulated a dumb question to ask. Not having a secure connection is there any way to NOT send plain text over the internet. In other words, when you have a login form plain text is entered. It is then passed to some type of encryption (hash, md5, sha1) BUT is the password always vulnerable between these two? And just for the record I am asking this because McAfee Secure is giving me a rash of (insert your favorite word here) about my login form which encrypts using sha1. Quote Link to comment https://forums.phpfreaks.com/topic/216916-dumb-login-question/ Share on other sites More sharing options...
Psycho Posted October 26, 2010 Share Posted October 26, 2010 Correct. Unless you are using SSL (i.e. https) the data submitted by the user is transmitted in plain text. McAfee has no knowledge of what hashing (SHA is hashing not encryption) you are using on the server - so I don't know what it is reporting on. You *could* use some javascript to obfuscate the input before it sends the data. But, to be honest, you then open yourself up to a whole host of potential errors and wouldn't be worth it IMHO. Quote Link to comment https://forums.phpfreaks.com/topic/216916-dumb-login-question/#findComment-1126843 Share on other sites More sharing options...
X51 Posted October 26, 2010 Author Share Posted October 26, 2010 Thanks for the answer. Basically McAfee says passwords being sent over the internet in plain text leaving me open to a man in the middle attack when they do a scan. For now I have just removed the login since it isn't anything important to keep them happy. Quote Link to comment https://forums.phpfreaks.com/topic/216916-dumb-login-question/#findComment-1126845 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.