Larian Studios forum stores your passwords in unhashed plaintext. Don’t use a password there that you’ve used anywhere else.

  • Kevin@lemmy.world · 5 up / 1 down · edited · 1 year ago

    Maybe I’m misunderstanding you, but backend servers will almost always have the user-submitted password in plaintext as a variable, accessible to the backend server and any upstream proxies.

    It’s even how it’s done in Lemmy. The bcrypt verify accepts the plaintext password and the expected salted hash.

    • fireflash38@lemmy.world · 2 up / 1 down · 1 year ago

      There are ways to have passwords transmitted completely encrypted, but it involves hitting the backend for a challenge, then using that challenge to encrypt the password client side before sending. It still gets decrypted on the backend, though, before hash and store.

      • Kevin@lemmy.world · 1 up · 1 year ago

        Yeah, but SSL/TLS also solves that problem in a standardized way.

        In either case, the backend will have the plaintext password regardless of how it’s transmitted.

    • Cabrio@lemmy.world (OP) · 2 up / 13 down · 1 year ago

      Yes, which is why they’re vulnerable to MITM and local sniffer attacks.

        • Cabrio@lemmy.world (OP) · 2 up / 8 down · 1 year ago

          I haven’t looked into it but I was wondering about the logistics of setting up a federated honeypot for server side stream sniffing to build a plaintext email/password database.

      • Hawk@lemmy.dbzer0.com · 2 up / 2 down · 1 year ago

        Man, you sound like you’re just using random words you heard in class. Clearly you have no clue how user registration actually works, let alone backend development.
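The verify flow Kevin describes (the backend holds the submitted plaintext in a variable and passes it, together with the stored salted hash, to a verify function) and fireflash38's point that the secret ends up decrypted on the server before hashing either way, as an added example that is not code from the thread, from Lemmy, or from Larian's forum software. It uses only the Python standard library, so `hashlib.scrypt` stands in for bcrypt (the call shape is the same as `bcrypt.checkpw(password_bytes, stored_hash)`); the `scrypt$salt$hash` record format, the `USERS` table and the `handle_login` form dict are assumptions made for the example. The storage side is the opposite of what the original post complains about: only a salt and a hash are kept, never the password.

```python
import base64
import hashlib
import hmac
import os

# Constructed in-memory "user table" for the example: username -> stored record.
# Record format is an assumption for this example: "scrypt$<salt b64>$<hash b64>"
USERS = {}

# scrypt cost parameters (memory = 128 * N * r bytes = 16 MiB here)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def _scrypt(plaintext, salt):
    """Derive a 32-byte salted hash from the plaintext password."""
    return hashlib.scrypt(plaintext.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def hash_password(plaintext, salt=None):
    """Hash a password with a fresh random salt; returns a self-describing record.

    Stand-in for bcrypt.hashpw(): the salt is random per user, so two users
    with the same password get different records.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = _scrypt(plaintext, salt)
    return "scrypt$%s$%s" % (base64.b64encode(salt).decode("ascii"),
                             base64.b64encode(digest).decode("ascii"))


def verify_password(plaintext, record):
    """Stand-in for bcrypt.checkpw(): needs the plaintext AND the stored record.

    The stored hash alone is useless for verification; the server must
    re-derive the hash from the submitted plaintext using the stored salt.
    """
    try:
        algo, salt_b64, hash_b64 = record.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = _scrypt(plaintext, salt)
    # Constant-time comparison so a wrong guess is not distinguishable by timing.
    return hmac.compare_digest(candidate, expected)


def register(username, password):
    """Store only the salted hash; the plaintext is dropped once this returns."""
    USERS[username] = hash_password(password)
    return USERS[username]


def handle_login(form):
    """What a backend request handler has in scope when a login POST arrives.

    `form` is the decoded request body (assumed dict for the example). TLS
    protected it in transit, but here it is plaintext again: any request
    logging, debug dump or upstream proxy that sees `form` sees the password.
    """
    username = form["username"]
    password = form["password"]  # the user's actual password, as a plain str
    record = USERS.get(username)
    if record is None:
        # Burn the same cost for unknown users so response time does not
        # reveal whether the username exists (fixed dummy salt, result ignored).
        _scrypt(password, b"\x00" * 16)
        return False
    return verify_password(password, record)
```

Note that `record` never contains anything password-equivalent: `verify_password(record, record)` is false, and the same password registered twice produces two different records, which is exactly what a breach of the user table should leave an attacker with. None of that changes what `handle_login` holds in `password` for the duration of the request, which is Kevin's point.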