Snooping out an in memory password

Hello Experts,

Suppose I have a web page where I enter in my username and password. How is my password vulnerable to a hacker if I do not encrypt the password? If the hacker were to gain access to my actual PC then he could examine the source code of the web page and then see what my password is. Or through shoulder surfing. That is the only scenario I can think of where my password could be visibly seen.

If not, what other methods could a hacker use to find out my password if the hacker does not have actual access to my actual machine? Also suppose that my database is super secure and that the hacker could never hack my database? Furthermore suppose my website can be viewed on the internet or can also be set up as an intranet application.
brgdotnetcontractor Asked:

arnold Commented:
Network snooping, packet capture. On your side, the server side...
Keylogger compromising your system, virus infected, etc. You are hijacked such that you are going to your destination via a hacker's server(s).
You use the same password for other things, and your password recovery is guessable...
0

Dave Baldwin (Fixer of Problems) Commented:
We covered a lot of this on your previous question. The connection to a login page where your username and password are sent should be 'protected' by an HTTPS connection so that it is very difficult to intercept and decode your information. However, if you encrypt your info on your computer, the destination page is not going to know what to do with it because they won't be expecting your encryption.

If you have a virus or a keylogger on your computer, they might be able to get your info when you type it in. It is up to you to keep your computer free of such things. Once you press 'Submit', it is up to the server to keep your info secured.
0
brgdotnetcontractor (Author) Commented:
Dave, the question is different. My question did not involve SSL. Even with SSL you can still view the password in the web browser, if you view the source.
0

arnold Commented:
If you can view your password in the source of the page, that means that the web designer/developer is including the credentials passed to it within the page, which is a no-no.
A web page should never include the credentials in any form, other than by reference using a cookie, etc.

A unique ID, where on the server the ID references the user authenticated, from where, and the duration for which this session is valid. With each page access, the session expiration time is adjusted.
0
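The session-by-reference scheme described in the comment above, sketched as an added example (not code from any participant in this thread): the page and cookie carry only a random ID, while the server keeps who authenticated, from where, and a sliding expiry. `SessionStore`, `login`, `demo_check`, `SESSION_TTL`, the cookie name `sid` and the sample credentials are all hypothetical.

```python
import hmac
import html
import secrets

SESSION_TTL = 900  # seconds of inactivity allowed (assumed value)


class SessionStore:
    """Server-side table: opaque ID -> who authenticated, from where, until when."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, client_ip, now):
        sid = secrets.token_urlsafe(32)  # random; encodes no credential data
        self._sessions[sid] = {"user": user, "ip": client_ip,
                               "expires": now + SESSION_TTL}
        return sid

    def validate(self, sid, client_ip, now):
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if now >= rec["expires"]:
            del self._sessions[sid]  # expired sessions are forgotten
            return None
        if rec["ip"] != client_ip:
            return None  # ID presented from a different origin than at login
        rec["expires"] = now + SESSION_TTL  # sliding expiry on each page access
        return rec["user"]


def login(store, check_password, user, password, client_ip, now):
    """Return (html_body, set_cookie_value_or_None); neither contains the password."""
    if not check_password(user, password):
        # Re-render the form with the username only; the password field stays empty.
        form = ('<form method="post"><input name="user" value="%s">'
                '<input name="pw" type="password" value=""></form>'
                % html.escape(user, quote=True))
        return form, None
    sid = store.create(user, client_ip, now)
    cookie = "sid=%s; HttpOnly; Secure; SameSite=Strict; Path=/" % sid
    return "<p>Welcome, %s</p>" % html.escape(user), cookie


# Constructed credential check; stands in for a real password-hash lookup.
def demo_check(user, password):
    return user == "alice" and hmac.compare_digest(password, "correct horse")
```
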
Dave Baldwin (Fixer of Problems) Commented:
But the answer and the limits are going to be the same when you are talking about filling in a form on someone's web page. If your computer is free of malware and viruses, no one else can see what's on your computer.
0
btan (Exec Consultant) Commented:
Just some further thoughts: if the attack exploits a vulnerability in a virtual environment, especially on the hypervisor (which oversees all the guest virtual instances, e.g. for web servers), the memory can also be snooped, though it is a bigger challenge to search for that sensitive information "leak" in the allocated guest memory... It is still surmountable, but most such attempts need physical access to the system. So do restrict remote access and check on the surveillance for physical access to those servers; for cloud-based environments, we can only depend on the provider. Likewise, there are hypervisor-based security solutions to ensure segregation of virtual instances to make sure information does not cross-infect, but that is another separate discussion...
0