Can I send a JSON string with a password in a POST on HTTPS?

[szlamany]

Is it safe to send a POST to a web method with a JSON string containing a clear text version of a password for authentication?

Who could sniff that password on the way from client to web method?

I saw some posts a while ago on "salting" a password - is that something you do in JS on the client side and then "unsalt" on the server?

[MattP]

The best solution would be to use SSL.

If that's not a possibility you may be able to use: jQuery.SHA256.js.

[szlamany]

It is HTTPS - so that's SSL - that makes it ok to send as clear text in JSON?

[MattP]

Oops missed the HTTPS from the thread title.

As long as you're in an SSL tunnel you should be fine. If you want to go the extra mile the SHA256 plugin seems easy enough to implement.

[mendhak]

A man in the middle attack could sniff your password but that's where your cert comes in, make sure you buy a cert from a CA that is 'recognizable' and well known so that the user "trusts" it. Don't hash/salt your passwords before sending it as you are then giving away how you store the passwords in the database. Perform hash/salt on the server itself.

[szlamany]

Some of my customers use AD authentication - so I need to send "original text" of password to authentication service.

We just created an "invitation" technique to get some "contacts" to login with there emails and create an account with a password. I would normally store these passwords in clear text in SQL - but that seems like a bad idea.

What is the typical method of salting a password in VB.Net type code on the server? Just create a SECURESTRING and store that??

Or some simple one-way encryption?