I have recently been working on an internal website at my current company. I am using Ajax and PHP to check that the username and password entered in the login fields match what is stored in the database.
The Ajax script is storing the username and password as variables, then passing them to PHP, which hashes the password as SHA512 before searching the users table in the database. However, the password being sent from Ajax to PHP is therefore plaintext.
As this is an internal site only accessible by those on the domain, and isn't storing any sensitive information, I am not worried about using an SSL certificate for additional security.
I have been wondering, though, what methods are used to intercept passwords and where someone would look. Would they need access to the server logs, or could they find the password simply through their browser?
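
The question asks whether a password could turn up in server logs. As an added example (not part of the original post), the sketch below shows what a GET versus a POST login places in the request line, then audits access-log lines for credential parameters. The field names `username` and `password`, the `/login.php` path and the log lines are assumptions constructed for the illustration; the post does not specify them.

```javascript
// Added illustration (not the poster's code). Field names, the /login.php
// path and the log lines below are constructed for this example.

// Serialize credentials the way a typical Ajax login call does.
function buildLoginRequest(method, username, password) {
  const body = new URLSearchParams({ username, password }).toString();
  if (method === 'GET') {
    // GET puts the fields in the URL, which web servers write to access logs.
    return { requestLine: `GET /login.php?${body} HTTP/1.1`, body: '' };
  }
  // POST keeps them out of the URL, but over plain HTTP the body still
  // crosses the network unencrypted.
  return { requestLine: 'POST /login.php HTTP/1.1', body };
}

// Names of query parameters that should never appear in a logged URL.
const SENSITIVE = new Set(['password', 'passwd', 'pwd', 'pass']);

// Scan access-log lines (common log format) and report sensitive parameters
// found in the logged request line. Only names are returned, never values.
function findCredentialLeaks(logLines) {
  const findings = [];
  logLines.forEach((line, i) => {
    const m = line.match(/"(?:GET|POST|PUT|HEAD) (\S+) HTTP\/[\d.]+"/);
    if (!m) return;                       // not a request line we recognise
    const q = m[1].indexOf('?');
    if (q === -1) return;                 // no query string, nothing logged
    for (const name of new URLSearchParams(m[1].slice(q + 1)).keys()) {
      if (SENSITIVE.has(name.toLowerCase())) {
        findings.push({ line: i + 1, param: name });
      }
    }
  });
  return findings;
}

// Constructed sample log: one GET login, one POST login, one static file.
const sampleLog = [
  `10.0.0.5 - - [01/Jan/2024:09:00:00 +0000] "${buildLoginRequest('GET', 'alice', 'S3cret!').requestLine}" 200 12`,
  `10.0.0.6 - - [01/Jan/2024:09:00:05 +0000] "${buildLoginRequest('POST', 'bob', 'hunter2').requestLine}" 200 12`,
  '10.0.0.7 - - [01/Jan/2024:09:00:09 +0000] "GET /style.css HTTP/1.1" 200 840',
];

console.log(findCredentialLeaks(sampleLog));
```

A clean result from this audit only means the credentials stayed out of the logged URL; the POST body is still sent unencrypted when the site is served over plain HTTP.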