The front end to backend traffic should be encrypted, hashing occurs on the backend. The backend should never have access to a variable with a plaintext password.

I'm going to have to stop replying because I don't have the time to run every individual through infosec 101.

[–] PastaGorgonzola 3 points 1 year ago (1 children)

I’m going to have to stop replying because I don’t have the time to run every individual through infosec 101.

Sorry, but you're missing the point here. You cannot do anything with a password without storing it in memory. That's not even infosec 101, that's computing 101. Every computation is toggling bits between 1 and 0 and guess where these bits are stored? That's right: in memory.

The backend should never have access to a variable with a plaintext password.

You know how the backend gets that password? In a plaintext variable. Because the server needs to decrypt the TLS data before doing any computations on it (and yes I know about homomorphic encryption, but no that wouldn't work here).

Yes, I agree it's terrible form to send out plain text passwords. And it would make me question their security practices as well. I agree that lots of people overreacted to your mistake, but this thread has proven that you're not yet as knowledgeable as you claim to be.

[–] Cabrio -1 points 1 year ago* (last edited 1 year ago)

You encrypt the datastream from the text input on the client side before storing it in a variable. It's not rocket science. I did this shit 20 years ago. Letting a plaintext password leave the user client is fucking stupid.

load more comments (19 replies)

load more comments (20 replies)