Passwords are not encrypted

jf_gelinas

I have noticed after you click the login button, the XHR request holds my passwords un-encrypted. and sends it plainly over the internet.
I believe this to be a fundamental issue.
By this i can also assume that passwords are not encrypted on the server side.

It is quite simple to implement SHA-512 encryption or most other effective encryption algorithms into any WebApp. I believe this should be fundamental for any website that requires a user to login..

john_de_freitas

@jf_gelinas ,

During login, your passwords are sent over SSL/TLS to our servers; this protects the login data from both active and passive network attacks.
Rest assured that our user directories *never* store passwords in the clear, ever. 

If you're interested in the details: we store salted, hashed passwords according to a proven and well-regarded standard in password management, PBKDF2. The wikipedia link, which I've found to be a good introduction, is http://en.wikipedia.org/wiki/PBKDF2.  We don't encrypt passwords, since this implies that somewhere there is a key that could decrypt them, if the key was compromised. All password storage is secured via hashing, which is a one-way function.

To answer your question why the client doesn't hash passwords before sending them - the answer is that it really doesn't matter. If an evesdropper is able to grab the password hash on the wire(and again, we prevent this by using SSL/TLS), then that hash value would in fact act as the password equivalent, and would be sufficient for the server to authenticate the account.

Thanks for asking this question. Onshape is committed to securing our users' data, including login and account information, at every level. We take this responsibility very, very seriously.

Regards,
John de Freitas

jf_gelinas

You are correct a quick session of wireshark has proven i was not able to see my own password despite seeing it in the chrome network debugger.

It is reassuring to know that passwords are kept safe