Passwords are not encrypted
jf_gelinas
Member Posts: 2 ✭
I have noticed that after you click the login button, the XHR request holds my password unencrypted and sends it plainly over the internet.
I believe this to be a fundamental issue.
By this I can also assume that passwords are not encrypted on the server side.
It is quite simple to implement SHA-512 encryption or most other effective encryption algorithms into any WebApp. I believe this should be fundamental for any website that requires a user to login.
Comments
During login, your passwords are sent over SSL/TLS to our servers; this protects the login data from both active and passive network attacks.
Rest assured that our user directories *never* store passwords in the clear, ever.
If you're interested in the details: we store salted, hashed passwords according to a proven and well-regarded standard in password management, PBKDF2. The wikipedia link, which I've found to be a good introduction, is http://en.wikipedia.org/wiki/PBKDF2. We don't encrypt passwords, since this implies that somewhere there is a key that could decrypt them, if the key was compromised. All password storage is secured via hashing, which is a one-way function.
To answer your question why the client doesn't hash passwords before sending them - the answer is that it really doesn't matter. If an eavesdropper is able to grab the password hash on the wire (and again, we prevent this by using SSL/TLS), then that hash value would in fact act as the password equivalent, and would be sufficient for the server to authenticate the account.
Thanks for asking this question. Onshape is committed to securing our users' data, including login and account information, at every level. We take this responsibility very, very seriously.
Regards,
John de Freitas
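The salted PBKDF2 storage and one-way verification described in the reply above, as an added example that is not Onshape's code and does not reflect their actual parameters; the hash function, iteration count, salt length and record format used here are assumptions for illustration only.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters (not from the forum post): PBKDF2 with HMAC-SHA256,
# a 16-byte random salt and 600k iterations. Raise iterations over time.
HASH_NAME = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_<hash>$<iters>$<salt>$<dk>.

    The plaintext password is never stored; only the salt and the derived
    key, which cannot be reversed to recover the password (no decryption key
    exists, unlike with encryption).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # per-user salt, so equal passwords differ
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return "pbkdf2_{}${}${}${}".format(
        HASH_NAME,
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute PBKDF2 with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_b64, dk_b64 = stored.split("$")
    hash_name = algo.split("_", 1)[1]
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac(
        hash_name, password.encode("utf-8"), salt, int(iters), len(expected)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, expected)
```

Note that if the browser pre-hashed the password, that client-side hash would simply become the string fed into hash_password and verify_password: whoever captured it on the wire could log in with it, which is why TLS, not client-side hashing, protects the credential in transit.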
It is reassuring to know that passwords are kept safe