This repository has been archived by the owner on Apr 25, 2022. It is now read-only.

AJAX passwords are sent in the clear #4

Open

aclark4life opened this issue Dec 5, 2012 · 3 comments

Comments

@aclark4life
Owner

No description provided.

@kencochrane
Contributor

Yeah, that was one of my issues as well. The best way to do this is to do all validation client-side, and you set the config options for that JS validation at page load. If you do it this way the AJAX approach isn't needed, but it doubles the code.

Another approach is a hybrid approach, where some of the validation is done client-side, and the rest server-side. Once again not ideal.

@aclark4life
Owner Author

Am I correct this is a reasonable approach if the site is SSL?

@kencochrane
Contributor

That is probably fine, but I would try to find a better approach if possible, then fall back to that one as a last resort. You will need to make sure to only do the check if they are logged in, and there should probably be some sort of throttling to make sure people can't brute force the check to find out people's passwords.

If there was a way to encrypt the data on the client side, and then send it encrypted that would be the best approach, but that adds complexity to the problem.

What if you did the following: on the client side have some smaller checks, like finding the length of the password, counting the number of letters, uppercase, numbers, special characters, etc. Then pass that along to the AJAX check, and validate on that info. That would work if you want to keep everything server-side, but a better approach would be to have those checks on the client side and just pass the config settings back and do everything client-side.

That solves most issues except the recently used passwords. If you could do a one-way hash of the password on the client side and compare it to hashes on the server side it would be possible and secure. One hard part would be to create a secure hash of the password on the client side without exposing your salt.

I'm probably making this more complicated than it needs to be, but I'm just trying to make sure it is secure and doesn't have any security holes.
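The two options in the comment above (do the character-class checks in the browser against a policy emitted at page load, or send only the counts to the AJAX endpoint so the password itself never leaves the page) can be sketched in a few lines of client-side code. This is an added example, not code from the project or from either commenter; the `POLICY` object, its keys and the function names are hypothetical, and a real site would emit the policy from the server rather than hard-coding it.

```javascript
// Added example (not the project's code): client-side password policy checks.
// POLICY is assumed to be rendered into the page by the server at load time;
// the key names are hypothetical.
const POLICY = {
  minLength: 10,
  minUpper: 1,
  minDigits: 1,
  minSpecial: 1,
};

// Count character classes locally. Nothing here touches the network, so the
// cleartext password is never sent anywhere.
function passwordStats(password) {
  const stats = { length: password.length, upper: 0, lower: 0, digits: 0, special: 0 };
  for (const ch of password) {
    if (/[A-Z]/.test(ch)) stats.upper++;
    else if (/[a-z]/.test(ch)) stats.lower++;
    else if (/[0-9]/.test(ch)) stats.digits++;
    else stats.special++;            // anything else counts as "special"
  }
  return stats;
}

// Fully client-side variant: compare the counts against the policy and
// return the names of every rule that failed (empty array = password OK).
function validateAgainstPolicy(stats, policy) {
  const failures = [];
  if (stats.length < policy.minLength) failures.push('minLength');
  if (stats.upper < policy.minUpper) failures.push('minUpper');
  if (stats.digits < policy.minDigits) failures.push('minDigits');
  if (stats.special < policy.minSpecial) failures.push('minSpecial');
  return failures;
}

// Hybrid variant from the thread: build the JSON body the page would POST to
// the AJAX check. Only the counts go over the wire, never the password, and
// the server applies the same rules against its own copy of the policy.
function ajaxPayload(password) {
  return JSON.stringify(passwordStats(password));
}

// Usage (constructed sample inputs):
validateAgainstPolicy(passwordStats('password'), POLICY);     // four failures
validateAgainstPolicy(passwordStats('Tr0ub4dor&3'), POLICY);  // []
ajaxPayload('Ab1!');  // counts only, no password in the body
```

Neither variant covers the "recently used passwords" check the comment goes on to discuss: that still needs either a server-side comparison of the submitted password or a client-side hash, and a salt shipped to the browser is visible to anyone who views the page source.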
