
I was logging into a website and checking out the network requests, and in the network tab I saw the following:

method: "Login"
params: {username: "username", password: "password1234"}

With my username and password being sent in the request payload as plain text. While I don't know how it's being stored in the DB, I log into this site potentially 5-6 times a day, and the fact that it sends my password as plain text was a bit troubling.

I read in this answer (even though it's a bad answer with a -6 score) that

it is more secure to send passwords encrypted over the network, and store them in plaintext on the database, than sending the passwords in plaintext over the network and store them encrypted on the database.

Emphasis mine.

Is there any truth to this at all? I have changed my password on the site to ensure it's not a common password, but is there anything I should be worried about?

  • Hi DjangoBlockchain! Does this answer your question? https://security.stackexchange.com/questions/23006/client-side-password-hashing There are more (similar) threads about client-side password hashing if these are indeed the keywords you are looking for. – Luc Dec 19 '19 at 21:39
  • @Luc Thanks for the comment but after doing a little more research I think https://security.stackexchange.com/questions/110415/is-it-ok-to-send-plain-text-password-over-https/110417 this answers my question better. – DjangoBlockchain Dec 19 '19 at 21:43

1 Answer


The site probably (hopefully) uses TLS via HTTPS to encrypt the traffic between your browser and the webserver. Even with encryption, the browser displays the network traffic in cleartext since it (obviously) has access to the traffic before it is encrypted and after it is decrypted.

You can find out more about the use of encryption by looking at your URL bar and looking out for a green padlock (in most browsers).

Encrypting the credentials via HTTPS and storing the password hashed (plus points for salt & pepper) with modern hashing algorithms is seen as reasonably secure. Nevertheless, there are more and more evolving techniques for authentication. Hashing the password on the client side and saving this hash as-is is a bad idea (described in Client side password hashing).

EDIT: I've just seen the comments, weren't there when I was writing this, sorry for duplicating.

Knorke
  • Thanks for the info! I even tested with stack exchange, and you are right. Since its over HTTPs, stack exchange also sends the password as "plaintext". – DjangoBlockchain Dec 19 '19 at 21:47
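The answer above makes two points: TLS protects the password in transit, so what matters on the server side is how it is stored, and storing a client-side hash verbatim is a mistake because that hash simply becomes the password. The following is an added example illustrating both points; it is not code from the question, the answer, or the site being discussed. It uses only the Python standard library (hashlib.pbkdf2_hmac, secrets, hmac). The record format "pbkdf2_sha256$iterations$salt$hash", the 600,000 iteration count and the sample password "password1234" (taken from the question's request payload) are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this example: 16-byte random salt and a PBKDF2
# iteration count picked for illustration. Real deployments tune the cost
# to their hardware (or use a memory-hard function such as scrypt/Argon2).
SALT_BYTES = 16
PBKDF2_ITERATIONS = 600_000
ALGO = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Server-side storage: salted, slow hash of the plaintext the client sent.

    Returns a self-describing record "pbkdf2_sha256$iterations$salt_hex$hash_hex"
    so the verifier can recover the salt and cost parameters later.
    """
    salt = secrets.token_bytes(SALT_BYTES)          # fresh salt per password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.

    Malformed records are treated as a failed login rather than an exception.
    """
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != ALGO:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iters = int(iterations)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iters
    )
    return hmac.compare_digest(candidate, expected)


# --- The anti-pattern the answer warns about ---------------------------------

def client_side_hash(password: str) -> str:
    """What a page that hashes in the browser would send instead of the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def naive_server_check(sent_value: str, stored_value: str) -> bool:
    """A server that stores the client's hash verbatim and just compares it.

    Whoever obtains stored_value (e.g. from a database leak) can send it
    directly and log in: the stored hash is a password-equivalent.
    """
    return hmac.compare_digest(sent_value, stored_value)


if __name__ == "__main__":
    # Constructed sample credential from the question's request payload.
    record = hash_password("password1234")
    print("stored record:", record)
    print("correct password accepted:", verify_password("password1234", record))
    print("wrong password rejected:", not verify_password("password1235", record))
    # The stored record is not itself usable as the password.
    print("leaked record usable as password:", verify_password(record, record))

    leaked = client_side_hash("password1234")
    # With verbatim client-side hashing, the leaked value logs in by itself.
    print("leaked client hash usable as password:", naive_server_check(leaked, leaked))
```

Note that neither design changes what the browser's network tab shows: the value in the request body is whatever the page submits, and with HTTPS it is encrypted only after that point. The difference is what a database leak gives an attacker: with the first design, a salted slow hash that still has to be cracked; with the second, a value that can be replayed as-is.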