Quiz Entry - updated: 2026.06.25
How does a password-based login work at the protocol level, and what is sent over the wire?
Setup: Alice gives her password to the server, which stores only Hash(password ‖ salt). Login: Alice sends her username + password to the server, which re-computes the hash and compares.
Setup phase:
- Alice chooses a password.
- Server generates a random salt.
- Server stores
(username, salt, Hash(password ‖ salt))— never the plaintext.
Login phase:
- Alice → Server:
"I'm Alice",password(over TLS!). - Server: look up
saltfor Alice. ComputeHash(password ‖ salt). Compare with stored hash. - Server → Alice: OK / NOK.
Security properties — and weaknesses:
- The password is transmitted in cleartext over the wire (the only protection is TLS).
- The server sees the plaintext password during login — even if briefly. A compromised server can log it.
- A breach of the password DB still leaks salted hashes (offline attack surface).
This is why challenge-response protocols (next cards) exist — they avoid sending the password and avoid the server seeing it.
Tip: "Password over TLS" is fine for most web apps but means "any server-side bug that logs requests" can leak passwords. That's how production password leaks happen (cleartext password in an exception trace, in an access log, …).