"username and password are being sent in unhashed manner" issue in moodle 3.3 login page

by William Chan -

Dear Sir/Madam,

Recently, a vulnerability scan was run against our Moodle site.

We found one issue reported by the auditor:

An SSL connection is already enabled on the login page of the Moodle site.

We observed that the username and password are being sent in an unhashed or unencrypted manner, even though the connection is encrypted.

They suggest that the username and password should be hashed or encrypted on the client side before the request is sent to the web server.

From their finding, it seems that both the username and the password should be encrypted/hashed before the user clicks the "Log in" button on the Moodle login page on their client PC, and that the Moodle application on the server side should decrypt/unhash both values in order to log the user in to Moodle.


Please advise how to do this.

Does anyone have a sample for our reference?



In reply to William Chan

Re: "username and password are being sent in unhashed manner" issue in moodle 3.3 login page

by Iñaki Arenaza -

If the HTTP connection is already encrypted using SSL/TLS, it doesn't make any sense to additionally encrypt the username or the password. In addition to that, if you wanted to encrypt them on the client side (the browser), you would need to provide the client side with the encryption key, which completely defeats the security of the encryption key.

And you can't hash the username. Hash functions are one-way. So the server would be unable to obtain the original username. So it wouldn't be able to authenticate the user (it wouldn't know which user to authenticate!).

While you could hash the password client-side, it wouldn't give you any significant additional security once you have SSL/TLS encryption.

So in my opinion, the auditors' suggestions don't make much sense.

Saludos.

Iñaki.