LOGBOOK

HELP

Quiz Entry - updated: 2026.06.25

How does a password-based login work at the protocol level, and what is sent over the wire?

Setup: Alice gives her password to the server, which stores only Hash(password ‖ salt). Login: Alice sends her username + password to the server, which re-computes the hash and compares.

Setup phase:

  1. Alice chooses a password.
  2. Server generates a random salt.
  3. Server stores (username, salt, Hash(password ‖ salt)) — never the plaintext.

Login phase:

  1. Alice → Server: "I'm Alice", password (over TLS!).
  2. Server: look up salt for Alice. Compute Hash(password ‖ salt). Compare with stored hash.
  3. Server → Alice: OK / NOK.

Security properties — and weaknesses:

  • The password is transmitted in cleartext over the wire (the only protection is TLS).
  • The server sees the plaintext password during login — even if briefly. A compromised server can log it.
  • A breach of the password DB still leaks salted hashes (offline attack surface).

This is why challenge-response protocols (next cards) exist — they avoid sending the password and avoid the server seeing it.

Tip: "Password over TLS" is fine for most web apps but means "any server-side bug that logs requests" can leak passwords. That's how production password leaks happen (cleartext password in an exception trace, in an access log, …).

From Quiz: ISF / Session Handling & Login Protocols | Updated: Jun 25, 2026