Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is username and password in HTTPS URL secure?

Tags:

security

https

I am sending POST request to URL https://username:[email protected] in my script. I know that HTTPS encrypts credentials so they should not be visible on network.

But what about server logs, will they be visible there?

Are there any other disadvantages of using this approach?

How can I make authentication more secure on client/server side?

like image 960
rainmaker Avatar asked Mar 27 '18 09:03

rainmaker


People also ask

Is URL secure in HTTPS?

A secure URL should begin with “https” rather than “http.” The “s” in “https” stands for secure, which indicates that the site is using a Secure Sockets Layer (SSL) Certificate. This lets you know that all your communication and data is encrypted as it passes from your browser to the website's server.

Is it safe to pass password in URL?

HTTPS encrypts message body, url path, query parameter and headers. So plain text password is safe during transit.

How do I bypass HTTPS username and password?

We have to pass the credentials appended with the URL. The username and password must be added with the format − https://username:password@URL.

Is Basic HTTP Auth secure?

Note: The HTTP basic authentication scheme can be considered secure only when the connection between the web client and the server is secure. If the connection is insecure, the scheme does not provide sufficient security to prevent unauthorized users from discovering the authentication information for a server.


1 Answers

You can find more information here: Are HTTPS URLs encrypted? (tl;dr: the way you are sending it is not encrypted most probably, but you can send the credentials as URL parameters instead, to make it encrypted).

Next, if you have developed the server/are in control, it is up to you to decide whether to keep logs or not. If you are unsure, there might be logs. Keeping logs with (plaintext especially, but not just) passwords is not a good practise.

The server should not store passwords in plaintext. Instead, the password should be stored along with some random salt (more information here: https://security.stackexchange.com/questions/111893/how-to-use-password-salt-the-right-way), not in a plaintext form. One way functions such as PBKDF2, Rfc2898DeriveBytes, Argon2, password_hash or Bcrypt can be used for example. These have the advantage over salted hashes (https://security.stackexchange.com/questions/51959/why-are-salted-hashes-more-secure-for-password-storage), that they also add some extra CPU time (~100ms), delaying an attacker who is attempting a brute-force attack, thus they should be preferred (thanks zaph for the update).

In general, if the server gets compromised, reading the logs is just one way for the attacker to get user information. Enhancing the authentication security is closely related to keeping attackers off your servers, once you are already using SSL and not sending credentials as part of the domain name (thus, in plaintext). Using salted hashes is a must (so that in case of a breach the user passwords remain secure), and from that point on it really depends on your budget. Perfect security is not possible, but the more countermeasures you put in place, the harder it might be for your server to get compromised. But this is a huge and very debatable topic, that cannot be summarised in a StackOverflow answer.

EDIT: Updated to fix current best practise for password storing, based on zaph's comment.

like image 108
Iakovos Gu Avatar answered Sep 19 '22 20:09

Iakovos Gu