Submit Password Not In Clear Text

Question

I have this login webpage where I am using PrimeFaces to develop.

So when I entered my password and submit over the network, my firebug (Firefox extension) can actually capture my password in clear text. Which means to say that my password is transmitted over the network in clear text.

Correct me if I am wrong. So how to I not make password not transmit in clear when I click on the submit button?

Answer 1

By enabling HTTPS, which is TLS for HTTP, basically a newer version of SSL, the data you send is encrypted. This works by letting the server and client negotiate encryption methods and perform a key exchange, before any data is sent.

Additionally, you don't want to hash the password client-side, as that would mean you're basically storing the password in plaintext anyway. On the server, however, you likely want to both hash and salt the password, which means you first add a random salt to it, which can then be stored with the username and password, and then you hash the whole thing - hash(password + salt). The hashing is to ensure you don't store the password in cleartext on the server, and the salting is to ensure no one can see re-used passwords, and to fend off rainbow table attacks.

Answer 2

If your application's URL establishes SSL connection to the web server then any information including the password will be transmitted in encrypted text else plain text. If it is not SSL then you may try encrypting your password at the client side prior to sending it for authentication.