ASUSwrt Password Sent in Cleartext

Browsers need to drop those stupid security warnings anyway. The whole CA thing needs to be evolved. When normal users become accustomed to seeing those warnings and dismissing them, that is bad.

Some of the recent "warnings" displayed by browsers are starting to make me wonder if they aren't just trying to earn more sales from CAs... I agree that some of those warnings are becoming a bit over the top, and will scare away anyone who isn't an actual expert in how SSL certificates work. For instance, being told that you should NOT proceed with a web access when the target has a self-signed certificate, rather than simply explaining to the user what it actually means and letting him decide if it's safe or not. Internet Explorer is pretty bad there, as in some cases it won't even give you the option to proceed anyway.

The CA system was starting to turn into a racket IMHO, until some of them started offering inexpensive alternatives to the $200+ certificates sold by Entrust and their "friends".
 
Best practices I have seen tend to state storing passwords as hashes, but securing the connection as best as possible for authentication.

To generate a client-side hash in the browser (without any plugins/addons) means sending the hashing code, including key and salt, to the browser where the hash is generated. It makes the process equally as susceptible to MitM attacks as sending plain text. If the connection is compromised, you can inject JS to keylog and grab the password as it's typed before hashing, or alter the hashing code to become a no-op, causing the password to be sent as-is since it never gets hashed.
You are better off looking at passwordless or multifactor IMHO than client-side hashing.

Also, you can't assume just because a password is sent in plaintext that it is not stored hashed and salted, but it probably is in this case; I know in DD-WRT it's hashed and stored server-side (on the router).
 
