I know OP didn’t mention hashing in particular, but since the post is about “password encryption” and the only thing that makes passwords any different in this regard is hashing, I’ll start there.
Password hashing should actually be done server side instead of client side because anything client side can be compromised since you don’t control the machine, and it’s very important that the password being stored is the hashed value so that if anyone looks in the database or whatever is storing password hashes they don’t know the password values that generated those hashes.
This means password hashing cannot protect against man in the middle attacks because it doesn’t even happen until after it’s transmitted to the server. Until then the password is protected through the same encryption that protects the rest of the request content.
However the request itself will have encryption so that things like the password and other request details can’t be seen. If an attacker tries to send the exact same request later it won’t be valid anymore because an important secondary input to the encryption (and decryption) algorithm will have changed.
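The server-side hashing the answer above describes, as an added example that is not part of the original answer: the server salts and hashes each password with PBKDF2-HMAC-SHA256 from Python's standard library, stores only the resulting record, and verifies a login by recomputing the hash with the stored salt. The `register`/`login` helpers and the in-memory `store` dict are assumptions standing in for a real user database; the iteration count is the current OWASP figure for PBKDF2-SHA256 but should be tuned to your own hardware.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this example. PBKDF2 is used because it ships in
# the standard library; a memory-hard KDF (scrypt, Argon2) is preferable where
# available.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # OWASP's recommended minimum for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    Only this record is stored; the plaintext password never is. A fresh random
    salt per user means two users with the same password get different records,
    so the stored values reveal nothing about which passwords are shared.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=KEY_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare it."""
    try:
        algorithm, iterations_str, salt_hex, hash_hex = stored.split("$")
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: treat as non-matching rather than crash
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=len(expected))
    # compare_digest runs in constant time, so a wrong guess does not leak how
    # many leading bytes matched through response timing.
    return hmac.compare_digest(candidate, expected)


def register(store: dict, username: str, password: str) -> None:
    """Hypothetical server-side registration: hash on the server, store the record only."""
    store[username] = hash_password(password)


def login(store: dict, username: str, password: str) -> bool:
    """Hypothetical login check. Unknown users fail the same way as wrong passwords."""
    record = store.get(username)
    if record is None:
        # Hash anyway so an unknown username costs as much as a wrong password.
        hash_password(password)
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    users = {}  # constructed in-memory stand-in for the password database
    register(users, "alice", "correct horse battery staple")
    register(users, "bob", "correct horse battery staple")
    print("stored record for alice:", users["alice"])
    print("same password, different records:", users["alice"] != users["bob"])
    print("login with right password:", login(users, "alice", "correct horse battery staple"))
    print("login with wrong password:", login(users, "alice", "wrong"))
```

Running it shows that the stored record contains the salt and hash but never the password, that two users with the same password get different records, and that verification works purely from the record, which is why the hashing has to happen on the server where that record lives.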