I am sending POST request to URL https://username:[email protected] in my script. I know that HTTPS encrypts credentials so they should not be visible on network.
But what about server logs, will they be visible there?
Are there any other disadvantages of using this approach?
How can I make authentication more secure on client/server side?
A secure URL should begin with “https” rather than “http.” The “s” in “https” stands for secure, which indicates that the site is using a Secure Sockets Layer (SSL) Certificate. This lets you know that all your communication and data is encrypted as it passes from your browser to the website's server.
HTTPS encrypts message body, url path, query parameter and headers. So plain text password is safe during transit.
We have to pass the credentials appended with the URL. The username and password must be added with the format − https://username:password@URL.
Note: The HTTP basic authentication scheme can be considered secure only when the connection between the web client and the server is secure. If the connection is insecure, the scheme does not provide sufficient security to prevent unauthorized users from discovering the authentication information for a server.
You can find more information here: Are HTTPS URLs encrypted? (tl;dr: the way you are sending it is not encrypted most probably, but you can send the credentials as URL parameters instead, to make it encrypted).
Next, if you have developed the server/are in control, it is up to you to decide whether to keep logs or not. If you are unsure, there might be logs. Keeping logs with (plaintext especially, but not just) passwords is not a good practise.
The server should not store passwords in plaintext. Instead, the password should be stored along with some random salt (more information here: https://security.stackexchange.com/questions/111893/how-to-use-password-salt-the-right-way), not in a plaintext form. One way functions such as PBKDF2
, Rfc2898DeriveBytes
, Argon2
, password_hash
or Bcrypt
can be used for example. These have the advantage over salted hashes (https://security.stackexchange.com/questions/51959/why-are-salted-hashes-more-secure-for-password-storage), that they also add some extra CPU time (~100ms), delaying an attacker who is attempting a brute-force attack, thus they should be preferred (thanks zaph for the update).
In general, if the server gets compromised, reading the logs is just one way for the attacker to get user information. Enhancing the authentication security is closely related to keeping attackers off your servers, once you are already using SSL and not sending credentials as part of the domain name (thus, in plaintext). Using salted hashes is a must (so that in case of a breach the user passwords remain secure), and from that point on it really depends on your budget. Perfect security is not possible, but the more countermeasures you put in place, the harder it might be for your server to get compromised. But this is a huge and very debatable topic, that cannot be summarised in a StackOverflow answer.
EDIT: Updated to fix current best practise for password storing, based on zaph's comment.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With