I am working on a project in which remote clients need to log in to a web server. I am not looking for examples in any particular language; just a general idea of security related issues.
Main question:
How to transfer user credentials to a web server for verification?
Picture your typical login. One field for the username, the other for the password. You enter both and click "Login." What happens next?
I can present several scenarios:
- Credentials are sent to the server in plain text. The server-side script creates a password hash and compares it with the stored hash for the user.
- Credentials are encrypted locally, and the result is sent to the server. The server decrypts the credentials and then proceeds as in #1.
- Something I haven't thought about? I am new to this. Go easy on me!
Option #1 strikes me as weak, because the credentials are sent over the Internet in plain text.
I see option #2 as not much better than option #1. If someone intercepts the encrypted credentials, can't they just send them to the server at another time and still manage to log in?
Any insight is appreciated.
edit: The "Linked" sidebar offers this question, which mentions a client/server handshake with salt added to the password. Is this the right way?
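For reference, here is the server side of scenario #1 (hash the received password and compare with the stored hash) done with a per-user salt, a slow key-derivation function and a constant-time comparison. This is an added example, not code from the original post; the in-memory `users` store, the `register`/`verify` names and the iteration count are assumptions for illustration. Note that none of this protects the password on the wire: it still arrives at the server exactly as the client sent it, which is the concern raised in the question.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2; an assumed value, to be raised as hardware gets faster.
ITERATIONS = 200_000
SALT_LEN = 16


def register(store: dict, username: str, password: str) -> None:
    """Store a random per-user salt and the derived hash, never the password."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    store[username] = {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def verify(store: dict, username: str, password: str) -> bool:
    """Scenario #1 check: re-derive the hash with the stored salt and compare.

    The comparison is constant-time so an attacker cannot learn, byte by byte,
    how close a guess is. Unknown usernames still pay the full hashing cost so
    response time does not reveal which accounts exist.
    """
    record = store.get(username)
    if record is None:
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                            b"\x00" * SALT_LEN, ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


# Constructed sample data: one registered account.
users: dict = {}
register(users, "alice", "correct horse battery staple")

if __name__ == "__main__":
    print(verify(users, "alice", "correct horse battery staple"))  # True
    print(verify(users, "alice", "wrong password"))                # False
```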