Is it ok/common practice to login via REST service by sending clear text password?


Is it OK/common practice to log in via a REST service by sending a clear-text password, as long as it's done over HTTPS? E.g. https://www.example.com/api/login/<username>/<pwd>

Or is it common practice to use encryption of the password locally and decryption on the server?

2

There are 2 answers

0
Opal On

First of all, the username and password should never be included in the URL. There's the Authorization header (with lots of variants: base64, token, whatever) for such purposes.

Secondly, the password should always be sent via HTTPS. Or, more generally, authorization should always be done via HTTPS.

When it comes to encoding the password, I've worked with systems that were sending plain and encrypted passwords. If it's possible to send it encrypted, it's much better.
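An added example, not part of the original answer: it compares what a web server's access log records for the URL form from the question with what it records when the credentials travel in an Authorization header (HTTP Basic). The log format, the `/api/login` path, and the credentials are constructed for illustration.

```python
import base64
from urllib.parse import quote

# Constructed sample credentials, for illustration only.
USER, PWD = "alice", "hunter2-demo"

def access_log_line(method, target, status=200):
    """Common-Log-style entry: servers record the request line (method and
    URL), not the request headers or body."""
    return (f'203.0.113.7 - - [01/Jan/2024:00:00:00 +0000] '
            f'"{method} {target} HTTP/1.1" {status} 0')

def url_login_request(user, pwd):
    """The pattern from the question: credentials as URL path segments."""
    return "GET", f"/api/login/{quote(user, safe='')}/{quote(pwd, safe='')}", {}

def header_login_request(user, pwd):
    """Credentials in the Authorization header (HTTP Basic, RFC 7617).
    Base64 is an encoding, not encryption, so HTTPS is still required."""
    token = base64.b64encode(f"{user}:{pwd}".encode("utf-8")).decode("ascii")
    return "POST", "/api/login", {"Authorization": f"Basic {token}"}

def parse_basic(headers):
    """Server side: return (user, pwd) from the header, or None if the
    header is missing, uses another scheme, or is malformed."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # covers bad Base64 and bad UTF-8
        return None
    user, sep, pwd = decoded.partition(":")  # password may itself contain ':'
    return (user, pwd) if sep else None

def leaks_to_log(request, secret):
    """True if the secret would appear in the access-log entry."""
    method, target, _headers = request
    return secret in access_log_line(method, target)

if __name__ == "__main__":
    for build in (url_login_request, header_login_request):
        req = build(USER, PWD)
        print(build.__name__, "-> password in access log:", leaks_to_log(req, PWD))
        print("   ", access_log_line(req[0], req[1]))
```

The same URL that ends up in the server log is also stored in browser history and in any proxy or load-balancer logs along the path, which is why the header (or a POST body) is preferred even when HTTPS is used.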

2
Nicholas Shanks On

Use HTTP Digest Authentication or OAuth 2 over HTTPS.