
How to hide password from Post request url and browser dump

This might be an old question but I still didn't find a proper answer for this question, so please be patient. I have an https login page, which is using a form post method and sending the credentials to the server...blah blah.

At the time of login, if you use IE and F12 for network monitoring, click start capturing. You can see some URL which is similar to login, servetloginauth (from gmail.com), and you can see the request body with your username and password. Okay, one can argue that you can only see that if the user didn't log out.

Now log out, don't close the browser, and get a browser dump (any browser, any version) off of Task Manager (I'm not sure how to do the same on Mac). Use the WinHex editor to open the dump file and do Search/Find: "password=" or the actual password (since you are testing your own login, you already know your password). You can see the password in clear text.

Now my question is, how can I mask the password:

1. Either in the POST request URL
2. Or when the browser is saving my credentials to the dump; I need it to be masked/encrypted, or it should not save the password at all.

My code for JSP:

<s:form id="login" name="loginForm1" action="login" namespace="/" method="post" enctype="multipart/form-data" >  
      <fieldset><!-- login fieldset -->
        <div><!-- div inside login fieldset -->
                <div....
                  <label for="password" class="loginLabel">Password</label>
                  <input type="password" name="password" id="password" class="longField nofull absPosition" size="16" autocomplete="off" alt="Password" placeholder="Password" title="Password|<

The current solution I have is as below, but I need alternatives without much effort.

The password can be read from the memory if it is being sent as cleartext. Using the salted hash technique for password transmission will resolve this issue. Hashing is a cryptographic technique in which the actual value can never be recovered. In the salted hash technique, the passwords are stored as hashes in the database. The server generates a random string, salt, and sends it along with the Login page to the client. A JavaScript code on the page computes a hash of the entered password, concatenates the salt and computes a hash of the entire string. This value is sent to the server in the POST request.

The server then retrieves the user's hashed password from the database, concatenates the same salt and computes a hash. If the user had entered the correct password, these two hashes should match.

Now, the POST request will contain the salted hash value of the password and the cleartext password will not be present in the memory.

SHA 256 is a strong hashing algorithm available today – readymade implementations in JavaScript are available and quoted in the "Good Reads" section.

Note: For pages containing sensitive information or pages wherein data can be modified in the database, use JavaScript to flush the memory of the browse

and the images are as below.

On an additional note, I can settle with something Citibank did for their customers on their website. I logged in to the website and in the dump I see my username is masked (as it appears in the website); I need something which does the same to the password field too. Can someone explain to me how to do it please?

raja777m asked Nov 14 '14 23:11

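The server-issued-salt scheme quoted in the question (client sends SHA-256(SHA-256(password) + salt), server recomputes from the stored hash), as an added example written here and not taken from the question or from any named product; the user store, the pending-challenge table and the function names are assumptions:

```python
import hashlib
import hmac
import secrets

def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()

# Server side, at registration. The quoted scheme stores only the SHA-256
# of the password; a real deployment would use a slow, per-user-salted
# password hash (bcrypt, scrypt, Argon2) for the stored value instead.
def register(user_db: dict, username: str, password: str) -> None:
    user_db[username] = sha256_hex(password)

# Server side, when serving the login page: issue a fresh random salt
# (a one-time challenge) and remember it for this login attempt only.
def issue_challenge(pending: dict, username: str) -> str:
    salt = secrets.token_hex(16)
    pending[username] = salt
    return salt

# Client side (the page's JavaScript): hash the typed password, append the
# salt, hash again. Only this value goes into the POST body, so neither the
# request nor the browser's memory needs to hold the cleartext afterwards.
def client_response(password: str, salt: str) -> str:
    return sha256_hex(sha256_hex(password) + salt)

# Server side, on POST: recompute from the stored hash and the salt it
# issued, compare in constant time, and consume the salt so the same
# response cannot be submitted twice.
def verify(user_db: dict, pending: dict, username: str, response: str) -> bool:
    salt = pending.pop(username, None)
    stored = user_db.get(username)
    if salt is None or stored is None:
        return False
    expected = sha256_hex(stored + salt)
    return hmac.compare_digest(expected, response)
```

Note that the stored SHA-256(password) is itself enough to compute a valid response, so a database leak under this scheme is as bad as a cleartext leak; the fresh salt only stops replay of a captured POST body.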


1 Answer

You have to decide how the passwords are stored in the database. There are multiple ways to do this, but there is no way you can create anything that is IMPOSSIBLE to hack/read.

However, you can limit MITM attacks by hashing the password X number of times before sending it to the server. When the hash is received by the server, you do X number of new hash rounds. You should also figure out how to manage your salt.

This should be sufficient for most applications. Also, this is how most applications do it these days.

gpEasy (http://gpeasy.com/) does this by hashing with SHA-256, 50 times on the client side, then another 950 rounds on the server, 1000 rounds in total. This also includes a salt which is calculated by its "current hash".

import hashlib
import re

def hash(pw, loops=50):
    # Plain function instead of a method: the original had an unused self.
    pw = pw.strip()

    for i in range(loops):
        # Drop the hex letters a-f so that, on a hex digest, only digits remain.
        salt_len = re.sub(r'[a-f]', '', pw)

        # First remaining character: where the salt slice starts.
        try:
            salt_start = int(salt_len[0:0+1])
        except ValueError:
            salt_start = 0

        # Third remaining character: how long the salt slice is.
        try:
            salt_len = int(salt_len[2:2+1])
        except ValueError:
            salt_len = 0

        # The salt is cut out of the current value itself, so nothing extra
        # has to be stored or transmitted alongside the hash.
        salt = pw[salt_start:salt_start+salt_len]
        pw = hashlib.sha512(pw.encode('utf-8') + salt.encode('utf-8')).hexdigest()
    return pw

This is a version of the mentioned algorithm for calculating the hash with a salt taken from the first numbers in the hash.

Per Arne Andersen answered Oct 18 '22 02:10

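The split described in the answer (client does 50 rounds, server finishes with 950 and compares against a 1000-round stored value), as an added example written here rather than gpEasy's or the answerer's code; the round step follows the salt-from-current-hash rule shown above, and the function names and round constants are assumptions. The check that matters is that client rounds followed by server rounds equal the stored 1000-round value, which only holds because the salt is derived from the running hash instead of being a separate per-user value:

```python
import hashlib
import hmac
import re

def sha512_round(pw: str) -> str:
    # One round: the salt is a slice of the current value, located by its
    # first and third non-hex-letter characters, so no salt is stored.
    digits = re.sub(r"[a-f]", "", pw)
    try:
        start = int(digits[0:1])
    except ValueError:
        start = 0
    try:
        length = int(digits[2:3])
    except ValueError:
        length = 0
    salt = pw[start:start + length]
    return hashlib.sha512((pw + salt).encode("utf-8")).hexdigest()

def rounds(value: str, n: int) -> str:
    for _ in range(n):
        value = sha512_round(value)
    return value

CLIENT_ROUNDS = 50     # done in the browser before the POST
SERVER_ROUNDS = 950    # done by the server on what it receives

def client_hash(password: str) -> str:
    """What the browser computes and puts in the POST body."""
    return rounds(password.strip(), CLIENT_ROUNDS)

def stored_hash(password: str) -> str:
    """What the server keeps in the database at registration."""
    return rounds(password.strip(), CLIENT_ROUNDS + SERVER_ROUNDS)

def verify(stored: str, received: str) -> bool:
    """Server side on login: finish the remaining rounds on the received
    value, then compare in constant time."""
    return hmac.compare_digest(rounds(received, SERVER_ROUNDS), stored)
```

The 50-round value on the wire is password-equivalent for this server: anyone who captures it can submit it, so the scheme keeps the cleartext out of the request and the browser's memory but does not replace TLS.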