0

So, I was just playing with BurpSuite when I found something I didn't understand.

When using BurpSuite on banking websites, I see that after I supply the credentials, the form transmits an encrypted password.

Whereas when I look at some eCommerce websites, their login form don't send encrypted password, i.e the password can be seen in the BurpSuite in plain text.

Now, what i don't understand is, is it important to encrypt the password send by login forums of websites and if yes how badly it can affect?

r0gue
  • 3
  • 4
  • Ok, thanks for clearing up the forum/form question. What about the rest? Is the password encrypted or encoded (base64) or hashed? It's really common for things to be base64 encoded (and that's not a security measure). – schroeder Mar 20 '19 at 08:22
  • About the rest. The password is sent in plain text which I can see in BurpSuite. – r0gue Mar 20 '19 at 08:26
  • That's not what I meant. "the form transmits an encrypted password" - are you sure that it is encrypted or is it base64 encoded or is it hashed? – schroeder Mar 20 '19 at 08:28
  • whether it is hashed or base64 encoded or encrypted, that i haven't checked. I'm more focused about the difference where one sends plain text another encrypted.. – r0gue Mar 20 '19 at 08:50
  • It makes a huge difference. Encoding is just for convenience and not security. If your question is whether it is better to hash the password client side, then we have a famous question answering that. – schroeder Mar 20 '19 at 08:55
  • Here's the link: https://security.stackexchange.com/questions/8596/https-security-should-password-be-hashed-server-side-or-client-side . Is it what you are looking for? – schroeder Mar 20 '19 at 09:53
  • Thanks for the link. Actually no. I'll try to edit this ques more clearly. – r0gue Mar 20 '19 at 10:17

1 Answers1

1

It is still quite common that credentials are transmitted in plain text over a secure communication channel (HTTPS). In case the communication channel is not encrypted we are talking about an entire different problem.

The key here is that the communication channel is encrypted with strong cipher suits. When performing a man in the middle attack (e.g. sniffing the connection), a certificate error is displayed on the client's browser.

Is it important to encrypt the password send by login forums of websites and if yes how badly it can affect?

From my personal (attacker) perspective it doesn't really matter whether you transmit the plain text password or an encrypted or hashed version of the original password.

Plain text vs encrypted / hashed credentials

Once either one is obtained through a man in the middle attack, they can be replayed / re-used by an attacker.

However, one significant difference is that the server will never receive the plain text password when the second option in the diagram is used. Therefor it will not reside in memory.

In case TLS is stripped from a load balancer and requests are transmitted internally over HTTP this would be considered a better approach.

TLS offloading

As you can see, it depends on what you consider a threat and what you are defending against.

Please note that a TLS should not be considered the "holy grail" and that defense in depth should be applied when ever possible.

Jeroen
  • 5,851
  • 2
  • 19
  • 26
  • "From my personal (attacker) perspective it doesn't really matter whether you transmit the plain text password or an encrypted or hashed version of the original password" - but this has very important implications for how the remote end validates the password. A hashed password implies that the overall security is poorly thought out. Leaving that aside, since the encryption mechanism is delivered to the client via the same channel which a client sends back an encrypted password, it doesn't really add much to the security. – symcbean Mar 20 '19 at 13:10