question about security with password sending

koen

Is every application that not uses https for logins, like a forum eg, vulnerable to sniffers? I mean do I send my password out in plain text? If that is the case any useraccount is easy to crack? And if that is the case why al this trouble to encrypt a password once it's on the server?
I'm most probably missing something, at least I hope. 🙂

vaaaska

md5 it. Even if it come out in plain text it won't be revealed.

When a user input their password it's converted via md5 and matched to the table where their password is stored md5'd already. So, it's pretty secure, simple and efficient - this is why people do it this way. It's no big deal...

However, cracking into an account is another subject. It all depends upon how the system was built.

koen

But the md5 is done on the server side, so the password is still send unencrypted to the server?

vaaaska

Yes, that's true. But what else can you do? Not much...

koen

Then why the hassle of encrypting it server side? Only people that have full access to the server will be able to read it?

I'm asking all this because I'm making a page protected. I'll password protect it. But now I don't see the need to encrypting it server side.

laserlight

Storing a hash of the original password (or encrypting it) serverside is used to protect users, in the event that the passwords are somehow accessed by a malicious user.

koen

Ok, thanks all for clarification.