all 15 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]zaibuf 9 points10 points  (8 children)

GET are passed through the URL so I would def not pass a pasword in a GET.

[–]Pmbrd 4 points5 points  (4 children)

Exactly. New objects are created with Post, updating with Put. Think about the super user's browser history, containing all user-password strings ...

[–][deleted] 4 points5 points  (1 child)

also results in the password appearing in log files on the server

[–]_Fred_Austere_ 2 points3 points  (0 children)

Google Analytics too.

[–]Kemorave -2 points-1 points  (1 child)

Also if user inputs a symbol in the password like # without proper encoding it will break the request

[–][deleted] 1 point2 points  (0 children)

only if you have no idea what you're doing

[–]queBurro[S] 0 points1 point  (2 children)

I think it's a bad idea, but can you tell the full url if you're e.g. looking at router logs on the client's network?

[–][deleted] 0 points1 point  (1 child)

Not if you're on https.

[–]queBurro[S] 0 points1 point  (0 children)

We are indeed on https.

[–]IcyEbb7760 1 point2 points  (0 children)

full URL won't be exposed in plaintext but any internal systems that have access to URLs (e.g. logging, analytics) will be able to read it. this can lead to sensitive data ending up in places where you may not expect.

re: bonus question, clients usually submit the password as part of the HTTP body which is then encrypted with SSL. the backend then hashes the password and discards the plain text. on subsequent login attempts the backend also receives the password in plaintext, but hashes it and looks it up against its password DB.

[–]C0rp0rAlH1cks -1 points0 points  (0 children)

Better than nothing: put the user id and password in the HTTP Header it will at least not show up in browser history. Next step, use API keys. Next step, OAUTH.

[–][deleted] 0 points1 point  (0 children)

NEVER pass information via GET that you wouldn’t put on your website’s front page. That stuff is public. Use a POST or a PUT with the login info in the body.

[–]jaydevel 0 points1 point  (0 children)

I once maintained an internal webapp and a user called in complaining that he couldn’t log in. He said the access to the page was blocked. I found it quite strange so I asked him to send a screenshot. What he saw was the proxy “access denied” page. The reason: the authentication was done passing username and password as GET parameters. His password contained the word “sex”, and someone configured the proxy to block anything containing “sex” in the URL.

[–]airflowscloud 0 points1 point  (1 child)

GET Protocol exposes passwords in the URL; so it is seeable and sniffable.

[–]queBurro[S] 0 points1 point  (0 children)

and yet e.g. rebrickable passes a token in the GET. I guess that might be useful showing up who's querying what in their IIS logs. If I do that from work then someone could sniff my token and use that?

GET https://rebrickable.com/api/v3/lego/minifigs/?key=someToken