When passwords are encrypted, they are typically hashed. This means they are converted in a way that’s easy to do in a repeatable fashion, but very difficult to undo. This used to be safe, but computers are powerful enough to break hashes with ease nowadays.
Sending over a hashed password doesn’t help, since the hashed password essentially becomes the password itself, and can be stolen in the way you’ve described.
The solution is to “salt” the hashed password before transmitting it. The salt is just some random number or characters, but it is applied to the password before hashing in some way. Maybe added to the start/end of the password, or scattered throughout. This way, when the password is hashed, the hashed password is no longer your password but a new, completely random word.
Your PC can send the hashed password and salt together to the server, and as long as the server knows how to use the salt against the password, it can verify your login. However, a man in the middle won’t know how to apply the salt, and it will be useless to them.