Does django pass password form data in clear-text?

2
votes

I have been making websites in Django for 2 years now. A client gave me an ethical-hack report which mentioned that all passwords in my website are clear-text.

I confirmed this by checking the request headers in the 'Network' section in developer console of browsers. I can clearly see my username and password in clear text in the POST queries. This is for all the password fields. Even in django's admin interface login fields.

I am using django's built in UserCreationForm and AuthenticationForm with views from django.contrib.auth, since i thought this is the safest practice.

So should i be worried? Of course Django's developers surely know what they are doing. But is this really safe? Passing cleartext passwords in POST requests? Should i enable django admin in production environment or not?

1
djangodjango-formsdjango-viewsdjango-admindjango-authentication
If it is made through an TLS connection, then these are send encrypted to the client. - Willem Van Onsem
See for example: security.stackexchange.com/q/110415/53798 - Willem Van Onsem

1 Answers

0
votes

It is common practice to send the password in plain text. Not only in Django, but in a lot of authentication frameworks. As long as it uses a secure channel (and that channel is not compromised), that should be sufficient.

Normally you communicate nowadays with a server over a encrypted layer like HTTPS. This means that the browser and the server first negotiate encryption, and thus all requests you do are submitted over the encrypted "channel". So the POST request you make to authenticate is encrypted. The browser does not show this, since the request itself contains indeed the password in plain text, but the entire message is encrypted.

Adding extra encryption on top of that would not add much "value". Imagine that you encrypt the password, then that means that if the hacker somehow can intersept and decrypt the package, he/she can send the encrypted password to the server as well.

HTTPS normally aims to prevent a man-in-the-middle attack through certificates.. Sophisticated attacks exists to strip the the SSL layer from a connection, therefore technologies like HSTS [wiki] should be used to prevent protocol downgrades.