Safest way to send username + password? [AJAX]

Get help using Construct 2

Post » Tue May 17, 2016 5:01 am

Lordshiva1948 wrote: Oh please give a break


Perhaps give yourself a break if you haven't got the faintest idea what you're commenting about.

SSL is https:// connections.
Who dares wins

Post » Tue May 17, 2016 6:02 am

Lordshiva1948 wrote: gumshoe2029, like I said, one cannot trust one another, therefore forget your SSL or whatever


Lord Shiva,

Yes, SSL (or specifically https) can be hacked, absolutely! One common way is the 'man in the middle attack'; you can find details on it here:
https://en.wikipedia.org/wiki/Man-in-the-middle_attack

The idea of encrypting is not to protect from everyone; like a bee with a sting, it will not protect itself from a fox. But it is sufficient to deter most attempts, so attackers go elsewhere.

Peace, John

Post » Tue May 17, 2016 6:13 am

lennaert Well you bumped a thread where I made comments about three years ago, and my stance has changed: as long as you have a decent SSL implementation, you should be OK - but you should still send password hashes and not actual passwords, so they're not even plaintext on the receiving endpoint. Anyways I don't consider myself a security expert so don't ask me.
Ashley ASHLEY SAID

Post » Tue May 17, 2016 6:49 am

Lordshiva1948 wrote: lennaert Well you bumped a thread where I made comments about three years ago, and my stance has changed: as long as you have a decent SSL implementation, you should be OK - but you should still send password hashes and not actual passwords, so they're not even plaintext on the receiving endpoint. Anyways I don't consider myself a security expert so don't ask me.
Ashley ASHLEY SAID


If you had the slightest idea what the above meant... you likely would not have quoted.

Even Ashley's stance on the hash for the endpoint is useless unless you consider your server as hacked/unsafe, and I will point out his last comment as a good guide on the matter.

The endpoint is your server receiving the name and password (or your webhost), which performs the decryption of the SSL connection.
Who dares wins

Post » Tue May 17, 2016 7:46 am

I give up, you win, but if you get hacked you will know

Post » Tue May 17, 2016 9:25 am

Lordshiva1948 wrote: I give up, you win, but if you get hacked you will know


If someone hacks one of my servers they would still need to crack the encrypted stored passwords in my database 😁

It is far more likely someone installs some stupid browser addon which records keystrokes and then sends them over to some 3rd party, which basically abuses the users' lack of security knowledge for browsers on their end.

I actually know a little about this 😆
Who dares wins

Post » Tue May 17, 2016 9:37 am

Good for you, at least you know that

Post » Tue May 31, 2016 3:18 pm

lennaert wrote:
Lordshiva1948 wrote: I give up, you win, but if you get hacked you will know


If someone hacks one of my servers they would still need to crack the encrypted stored passwords in my database 😁

It is far more likely someone installs some stupid browser addon which records keystrokes and then sends them over to some 3rd party, which basically abuses the users' lack of security knowledge for browsers on their end.

I actually know a little about this 😆


Yea, I worked in the military cybersecurity world for a while... at least until I publicly supported Edward Snowden.

I am in the process of getting encrypted database passwords done, and still developing a draw-a-secret password system too... so much to do, and so little time.

How do you encrypt the passwords for your database? I assume you are using symmetric encryption. Where do you store the keys?
https://www.ravenheart.ca/home
Company name changed to avoid Facebook-type shenanigans

"Someone once told me I bite off more than I can chew...

I told them I would rather choke on greatness than nibble on mediocrity."

Post » Tue May 31, 2016 3:57 pm

This plugin, I guess, should do the trick.
Since there are two keys – private (on server) and public (in C2), it's harder (I think it's impossible, correct me if I'm wrong) for a hacker to decrypt it. Even if they know the public key, they can only encrypt data and send it to the server, but cannot decrypt it.
Also, it's a good idea to encrypt the public key a bit (instead of plain-pasting it to C2, maybe split it into lots of pieces, then use these pieces together to compose it, change numbers to equations etc.).
“The best time to plant a tree is 20 years ago. The second best time is now.”

Post » Tue May 31, 2016 5:15 pm

Nothing is impossible; there are people who can do what no one has done before, and that is a fact
