How to send password securely over HTTP?

security text http passwords encryption

Solution 1:

Using HTTP with SSL will make your life much easier and you can rest at ease very smart people (smarter than me at least!) have scrutinized this method of confidential communication for years.

Solution 2:

Secure authentication is a broad topic. In a nutshell, as @jeremy-powell mentioned, always favour sending credentials over HTTPS instead of HTTP. It will take away a lot of security related headaches.

TSL/SSL certificates are pretty cheap these days. In fact if you don't want to spend money at all there is a free letsencrypt.org - automated Certificate Authority.

You can go one step further and use caddyserver.com which calls letsencrypt in the background.

Now, once we got HTTPS out of the way...

You shouldn't send login and password via POST payload or GET parameters. Use an Authorization header (Basic access authentication scheme) instead, which is constructed as follows:

  • The username and password are combined into a string separated by a colon, e.g.: username:password
  • The resulting string is encoded using the RFC2045-MIME variant of Base64, except not limited to 76 char/line.
  • The authorization method and a space i.e. "Basic " is then put before the encoded string.

source: Wikipedia: Authorization header

It might seem a bit complicated, but it is not. There are plenty good libraries out there that will provide this functionality for you out of the box.

There are a few good reasons you should use an Authorization header

  1. It is a standard
  2. It is simple (after you learn how to use them)
  3. It will allow you to login at the URL level, like this: https://user:[email protected]/login (Chrome, for example will automatically convert it into Authorization header)

IMPORTANT:

  • As pointed out by @zaph in his comment below, sending sensitive info as GET query is not good idea as it will most likely end up in server logs.
  • The Authorization header value is traditionally a base64-encoded username/password. Base64 is not encryption. The original value can be obtained by an on-path attacked using a simple base64-decode.

enter image description here

Related

Using this pointer causes strange deoptimization in hot loop
When to use Serializer's create() and ModelViewset's perform_create()
How to check if a Java 8 Stream is empty?
Force downmix to mono on Linux
Is SATA bandwith per Port or per Controller?
Windows Defender: Disable real time; keep scheduled and on demand scanning
Why does starting up while cold make a laptop run slowly until I restart it after it's warmed up?
how can NAS work if it is not connected to Internet?
why does Virtualbox use 15-20% CPU when VM is paused?
Why won't my mapped drive persist for elevated user after reboot?
Starting a linux process in the background
How to browse safely?