I have a php web app that allows a user to login using their user name and password. When the user enters their password the password field displays asterisks instead of clear text characters. When the user clicks the login button the password is transmitted in clear text even though the website uses an SSL certificate. The password entered is encrypted and stored in a mysql db table named login.
Is there a way to encrypt and transmit the password when a user logs into the website. Is there a plugin that I can use to encrypt the password client-side. The concern is what happens when if SSL fails
I have been reviewing a couple of articles over the internet: http://stackoverflow.com/questions/3087095/encrypted-user-credentials-when-they-are-transmitted
and a section in one article:
However, one way to do this in a semi-secure way (it is easily crackable, but atleast you won´t send the password as-is over http):
client-side altered password:
2345 (every char incresed with 1)
2345 is being passed as clear-text over insecure http-connection.
php-script reads the variable and decreases every char with 1; password is again:
php verifies if the decoded password match the password in the mysql-db. This can be done in several ways, the easiest being to have a field "password" in the user-table which contains the users password in clear-text. However, security won't be high unless you make sure that only localhost can connect to the db and check your grants.
Maybe freebsd should look at the differences between clear-text and as-is.
****************Article Reference End***************
Please share any articles you may know of - I am open to suggestions!