Hello,

It is a big question, and does not concern only web2py. You can find people asking the same general question on StackOverflow. And the answers are generic: the most important thing is the TLS communication.

https://security.stackexchange.com/questions/110415/is-it-ok-to-send-plain-text-password-over-https (and see linked duplicate questions)

Do you know any website that does hash the password client-side?

Arglanir

On Tuesday, 22 November 2022 at 01:20:06 UTC+1, silvia...@gmail.com wrote:

> Thank you, but do you have any suggestions what to do, because our
> cybersecurity officer keeps complaining about that, so I need to change some
> settings in web2py, or do you have an idea how I can sort it out?
>
> Kind regards
>
> On Tue, 22 Nov 2022 at 02:23, Christian Varas <chriii...@gmail.com> wrote:
>
>> Hi,
>> It's OK, it's the way it works. If you put a local proxy like Burp in place and
>> then you go and capture traffic, it is OK that you can see clear text data,
>> because the Burp proxy puts its own certificate between client and backend;
>> because of that the Burp proxy can decrypt and show you clear text data. If you
>> sniff with a packet capture tool like Wireshark, you will see everything is
>> encrypted.
>>
>> Salting your password/username before sending it is not really secure,
>> because hashing the username/password before sending would need to be
>> performed in the browser via JavaScript, and if the hash process happens on
>> the client side, you can see how the encryption is made and reverse it.
>>
>> Cheers.
>> Chris.
>>
>> On Mon, 21 Nov 2022 at 5:01, Silvian “Top 10 Answers” Cedru (<silvia...@gmail.com>) wrote:
>>
>>> It's weird, why does web2py not salt the username and password before
>>> sending it?
>>>
>>> Silvian Cedru wrote on Monday, 21 November 2022 at 09:25:05 UTC+7:
>>>
>>>> Here is a screenshot after sniffing the network, and it is weird: since
>>>> it has HTTPS, I thought you could not sniff out the password when someone
>>>> logs in, so I need to salt or hash it, but I am not sure where I find the
>>>> file and what to change. Would be awesome if someone could help.
>>>>
>>>> Silvian Cedru wrote on Thursday, 17 November 2022 at 11:05:34 UTC+7:
>>>>
>>>>> Hello everyone,
>>>>>
>>>>> I just found out that when you log in to my application, my password
>>>>> gets sent in plain text, even though I thought it gets hashed. Does someone know a
>>>>> solution for how to salt or hash the password before sending?
>>>>>
>>> --
>>> Resources:
>>> - http://web2py.com
>>> - http://web2py.com/book (Documentation)
>>> - http://github.com/web2py/web2py (Source code)
>>> - https://code.google.com/p/web2py/issues/list (Report Issues)
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "web2py-users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to web2py+un...@googlegroups.com.
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/web2py/3b380bb2-b908-4e8e-be5a-bc465196c38fn%40googlegroups.com
>>> <https://groups.google.com/d/msgid/web2py/3b380bb2-b908-4e8e-be5a-bc465196c38fn%40googlegroups.com?utm_medium=email&utm_source=footer>
>>> .
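
Added example (not part of the thread, and not web2py's own code): a Python sketch of the point made in the replies above, that the server accepts whatever value the browser sends, whether or not JavaScript hashed it first, so salting and hashing belong on the server for storage while TLS protects the value in transit. The function names, the PBKDF2 round count and the unsalted SHA-256 pre-hash are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def register(secret: str) -> dict:
    """Server side: keep a random per-user salt and the PBKDF2 digest, never the secret."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def verify(record: dict, submitted: str) -> bool:
    """Server side: recompute from the value that arrived inside the TLS tunnel."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", submitted.encode(), record["salt"], PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate, record["digest"])


def client_prehash(password: str) -> str:
    """Stand-in for a browser-side JavaScript hash (hypothetical, unsalted SHA-256)."""
    return hashlib.sha256(password.encode()).hexdigest()


def compare_schemes(password: str) -> dict:
    # Scheme A: password sent as typed over HTTPS, salted hash kept on the server.
    rec_a = register(password)
    # Scheme B: the browser hashes first; the server can only treat that hash
    # as the user's secret, so it is the value that must be protected in transit.
    wire_b = client_prehash(password)
    rec_b = register(wire_b)
    return {
        "a_accepts_password": verify(rec_a, password),
        "a_rejects_wrong_password": not verify(rec_a, password + "x"),
        # The pre-hashed value is identical on every login and is accepted on
        # its own, so it is exactly as sensitive as the password it replaced.
        "b_wire_value_is_static": wire_b == client_prehash(password),
        "b_accepts_wire_value_alone": verify(rec_b, wire_b),
        # What salting is for: equal passwords do not produce equal stored digests.
        "salt_separates_equal_passwords":
            register(password)["digest"] != register(password)["digest"],
    }


if __name__ == "__main__":
    for name, ok in compare_schemes("correct horse battery staple").items():
        print(f"{name}: {ok}")
```
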