
I made a login form that uses POST. The thing is I go in Chrome->Inspect element->Network->Headers->Form data and it shows the info that was entered in the form, which includes the password in plaintext. I did look at other websites in the same manner and it shows it there, too. My question is, how secure is this thing? Basically, anyone can see the passwords?

George Irimiciuc
  • Yes. Anyone can see the HTTP requests (including POST data/files/GET/headers/cookies) coming back and forth on a network line, unless you use HTTPS. – h2ooooooo Jun 11 '14 at 19:23
  • Is there any reason to not use HTTPS? Why doesn't everyone use it, every website? – George Irimiciuc Jun 11 '14 at 19:23
  • No, at best you can consider it "hidden" in that POST passes the data via the request body instead of the url. `example.com/login.php?user=foo&password=bar` would show up in the server's access log, but on a post, all you'd get is `example.com/login.php`. – Marc B Jun 11 '14 at 19:24
  • @GeorgeIrimiciuc You have to use a valid certificate or you get a big nasty error. These valid certificates can be cheap, but they can also be very expensive (for those that work in nearly every browser, even super old ones). Apparently [StartSSL](https://www.startssl.com/) give out free personal certificates. – h2ooooooo Jun 11 '14 at 19:24
  • Is the data stored upon closing the web page or moving on? Or is it deleted? – George Irimiciuc Jun 11 '14 at 19:24
  • Once you've made the HTTP request the data has been sent and will not be resent, unless you, the user, decide to. – h2ooooooo Jun 11 '14 at 19:25
  • It depends on the developer and what they think they need to do with a password. – Jay Blanchard Jun 11 '14 at 19:25
  • No, what I mean is: is that information (the HTTP request info) stored somewhere? Or is the only way to see the form data to go to inspect element...etc.? – George Irimiciuc Jun 11 '14 at 19:26
  • The only way for others to see your password is a [Man-in-the-middle attack](http://en.wikipedia.org/wiki/Man-in-the-middle_attack). – bitWorking Jun 11 '14 at 19:29
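
The comments above distinguish two exposures: credentials in the URL end up in the server's access log, while credentials in a POST body do not, yet both travel as readable bytes when the request goes over plain HTTP. The following is an added example, not part of the original thread, that parses two constructed requests based on the `example.com/login.php` case. The field names in `SENSITIVE`, the client address and the simplified log format are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

SENSITIVE = {"password", "pass", "pwd"}  # assumed credential field names

# Constructed sample requests, as they would appear on the wire over plain HTTP.
GET_REQ = (b"GET /login.php?user=foo&password=bar HTTP/1.1\r\n"
           b"Host: example.com\r\n\r\n")
POST_REQ = (b"POST /login.php HTTP/1.1\r\n"
            b"Host: example.com\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: 21\r\n\r\n"
            b"user=foo&password=bar")

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def access_log_line(raw: bytes, client: str = "203.0.113.5") -> str:
    """Simplified access-log entry: only the request line is recorded, never the body."""
    method, target, _, _ = parse_request(raw)
    return f'{client} - - "{method} {target} HTTP/1.1" 200'

def exposure(raw: bytes) -> dict:
    """Report which sensitive fields reach the access log and which are readable on the wire."""
    _, target, headers, body = parse_request(raw)
    in_url = SENSITIVE & set(parse_qs(urlsplit(target).query))
    in_body = set()
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        in_body = SENSITIVE & set(parse_qs(body.decode("iso-8859-1")))
    return {
        "logged_in_access_log": sorted(in_url),
        # Without TLS, both the URL and the body are plain bytes to anyone on the path.
        "cleartext_on_wire": sorted(in_url | in_body),
    }

if __name__ == "__main__":
    for name, req in (("GET", GET_REQ), ("POST", POST_REQ)):
        print(name, access_log_line(req), exposure(req))
```
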

0 Answers