View Full Version : Is my password viewable?
March 10th, 2003, 12:18 PM
Hi there everybody, this is my first post - hope I'm doing everything right..
There's a site I'm visiting often (an Admin site) that requires my ID and password. While I'm on this first page, before I type my details in, the "http" on the url does not include an "s". I type my ID and password and click on "enter". Only when I click on "enter" the "http" becomes "https".
The question is: Is my password viewable when I typed it before the "s" appeared? If not, why are there some other sites that show the "s" BEFORE I have typed my password in?
March 10th, 2003, 06:47 PM
Welcome to Wilders! Yes, you did this correctly. :)
Your password is probably safe. I say "probably" only because you didn't say which site, and if the developers of it made some kind of mistake implementing their session login, there could be problems. But, the method itself is not too bad...
I know of some webmail sites that do this. SSL sessions (https browsing) can be a little expensive in terms of excess overhead (i.e. the extra CPU processing on the server, in particular, needed to encrypt everything that goes up and down the network wire), so some sites only do it the absolute minimum amount required. AOL's web email interface to AOLmail is one of these.
By only using an SSL session right at the point when you send your username and password (when you press enter) and get authorized back, the website saves these extra resources. It is technically secure, as far as the "password transmission" goes. It is sent fully encrypted during that brief 'back and forth' SSL session. After that, generally the session ID, (or some other key), is used to allow the site to know it's still you.
Of course, if after the password has been authorized, the remaining pages go back to regular http, then the contents of the rest of whatever you are doing at that site is not going to be encrypted either.
While total encryption would be desirable from start to end, I don't see this as terrible for some less confidential things done on the web. It keeps the password secure, but not the rest of the session. Obviously, this would be totally unacceptable for things you want kept highly secret, like CC# or banking transactions, and the transmission of other personally identifiable data (name, address, etc.), that you might want to use online.
April 20th, 2003, 01:21 PM
Hi Marca & LowWaterMark!
There's always the possibility to use a packet sniffer to be sure if the traffic is encrypted or not. But I don't want to push you into something which is quite complex! :-X
For those who are interested, try this one here:
April 20th, 2003, 02:35 PM
Well over 90% of my internet use is https......ideally the login page should be https..however, our good friend LowWaterMark explained it exceptionally well an should have calmed any questionables.
only a couple of comments.......you can place the https site in internet explorer's trusted zone which "requires server verification(https) for all sites in this zone......please note however, the http site does not go there.....place the actual https site there.....it will be differant from the login page,,
other mentions that may be of interest.....after finishing your session..clean= cache/history/contents......otherwise it may be possible for another user to gain access to the https account.....normally the https session would have expired and access denied to another user...so other than cleaning your tracks this may never be a real problem so consider as just an extra step...if you ever noitice that the session did not expire...contact the webmasters of the site immediately an advise them
ill health/time restrictions wont permit further comments by me.......is https in and of itself secure..some say it is not....its certainly not within my personal knowledge to discuss that point
April 25th, 2003, 07:02 PM
Nice posts LWM and Snowy!
I have noticed more online providers (webmail, calendars, etc.) that require log-ins offering you the option of a secure log-in. Click on "secure log-in" and it will give you a htpps page. I agree with LWM that the content provider is obviously trying to save resources (read $$$), but at least more are giving you (the INFORMED user) the option.
vBulletin® Copyright ©2000-2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums