Tech Off Post

Single Post Permalink

View Thread: Pass hashed info through query string
  • User profile image

    It doesn't matter if you are using HTTP GET or POST. If you are passing the hash on an un-encrypted channel, then the hash can be viewed and stolen.

    All that is being hidden is the plain text password. Which means that an attacker doesn't know your password, without cracking it. But if the hash is used for authentication or re-authentication then the attacker can simply pass the stolen hash around to get access.

    That is why I mentioned using SSL.