Is passing a base64-encoded username and password as variables through a secured SSL connection for a mobile website safe?
Should I encode it with AES256?
For each webpage I fetch a URL with a base64-encoded username and password like this:
https://mobile.site.com?id=ASDQWEQWEQWEQWEQWE (Where id contains username and password)
SSL is the way to go and will send that data encrypted, so it cannot be read by anyone along the stream. Encrypting it beforehand using AES would require you to pre-exchange keys with both your client and your server, which would be an added step that you would need to do out-of-channel; the asymmetric nature of the key exchange done in SSL makes this unnecessary.
And... do NOT hash the password on the client side and just send it to the server to compare. This is a horrible practice. If your server's username/password table were to be compromised, an attacker would know exactly what to send to your server to log in as any user (user A has hash X, so just send A/X as UN/PW and the server will let you in). You want to send the actual password to the server, so it can hash it there and then compare the result to the stored value (user A has hash X, but I cannot figure out what value hashes to X, so I don't know what to send as the PW).
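The difference the answer describes, as an added Python example that is not part of the question or the answer above. It assumes the `id` parameter carries `username:password` base64-encoded (the question does not say how the two values are packed; that layout is an assumption), and it contrasts a table where the server hashes the real password with a per-user salt against the anti-pattern where the client sends a hash and the server stores and compares that hash directly. The attack function simulates a leaked copy of each table and shows that the leaked value is a usable credential only in the client-hash design. All user data is constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from urllib.parse import parse_qs, urlparse

PBKDF2_ROUNDS = 200_000

# Constructed sample tables (not from the original post).
USERS_SERVER_HASHED = {}   # username -> (salt, pbkdf2 digest); server hashes
USERS_CLIENT_HASHED = {}   # username -> sha256 hex sent by the client (anti-pattern)


def build_id_url(username, password):
    """Assumed packing of the 'id' query parameter: base64("user:password")."""
    raw = f"{username}:{password}".encode()
    return "https://mobile.site.com?id=" + base64.b64encode(raw).decode()


def decode_id_param(url):
    """Server side: pull 'id' from the query string and split it back into (user, pw)."""
    qs = parse_qs(urlparse(url).query)
    raw = base64.b64decode(qs["id"][0]).decode()
    user, _, pw = raw.partition(":")
    return user, pw


def register_server_hashed(table, username, password):
    """Recommended: the server salts and stretches the real password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    table[username] = (salt, digest)


def verify_server_hashed(table, username, password):
    rec = table.get(username)
    if rec is None:
        return False
    salt, stored = rec
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def client_hash(password):
    """Anti-pattern: the client hashes and the hash becomes the thing that is sent."""
    return hashlib.sha256(password.encode()).hexdigest()


def register_client_hashed(table, username, password):
    table[username] = client_hash(password)


def verify_client_hashed(table, username, token):
    stored = table.get(username)
    return stored is not None and hmac.compare_digest(stored, token)


def leaked_table_attack():
    """Simulate an attacker who obtained a copy of each credential table.

    Returns (pass_the_hash_works_against_client_hash_design,
             pass_the_hash_fails_against_server_hash_design).
    """
    register_server_hashed(USERS_SERVER_HASHED, "alice", "correct horse battery staple")
    register_client_hashed(USERS_CLIENT_HASHED, "alice", "correct horse battery staple")

    leaked_client = dict(USERS_CLIENT_HASHED)
    leaked_server = dict(USERS_SERVER_HASHED)

    # Client-hash design: the stored value is exactly what the login expects.
    pth_works = verify_client_hashed(USERS_CLIENT_HASHED, "alice", leaked_client["alice"])

    # Server-hash design: replaying the stored digest as the password is just
    # another wrong password; it gets salted and stretched again and does not match.
    replayed = leaked_server["alice"][1].hex()
    pth_fails = not verify_server_hashed(USERS_SERVER_HASHED, "alice", replayed)
    return pth_works, pth_fails


def login_over_tls(url):
    """What the server does with a request like the one in the question."""
    user, pw = decode_id_param(url)
    return verify_server_hashed(USERS_SERVER_HASHED, user, pw)


if __name__ == "__main__":
    print("leaked table attack (client-hash works, server-hash fails):", leaked_table_attack())
    print("real login:", login_over_tls(build_id_url("alice", "correct horse battery staple")))
    print("wrong password:", login_over_tls(build_id_url("alice", "wrong")))
```

Note that base64 in `build_id_url` is only an encoding, not protection; TLS is what keeps the value off the wire in clear. Separately from anything the answer covers, putting credentials in the query string means they can land in server access logs, browser history and `Referer` headers, so a request body or an `Authorization` header is the usual place for them.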