For online systems, the transmission of passwords goes through the following steps:

  1. The user enters the original password in the browser: keyboard -> operating system -> browser memory
  2. The program converts the original password: the original password in memory -> the converted password in memory
  3. The converted password is transmitted online: the converted password in memory -> network -> system

Each of these steps may reveal the original password, and of course there are corresponding protection measures.

  • Password input
  • Password conversion
  • Password online transmission
  • Common service analysis
  • Summary
  • Other

Password input

The journey of a thousand miles begins with a single step, and the first step for users to enter a password is often the most dangerous. Common attack methods include:

  • Peek at the entered password

    It is easy to peek at a password in public, such as when someone uses an ATM to withdraw money. When a password is entered, the cleartext is usually replaced with * to prevent peeking. The drawback is that a legitimate user cannot visually confirm whether the password was typed correctly, which is why setting a new password usually requires entering it twice. The iPhone improves on this point: each time a password character is entered, the plaintext is displayed for half a second and then converted to *. Since the probability of pressing the wrong key is still high on the iPhone virtual keyboard, this is a compromise that gives up some security for usability. In addition, to prevent peeking, some systems show no output on the screen at all while a password is entered, such as the Unix/Linux command line login interface. This does not even reveal the length of the password.

  • Record keyboard input with a Trojan

    The more popular QQ or online game account thefts are often done this way. Besides installing anti-virus software to guard against account theft, you can also use an on-screen soft keyboard to enter the password, so that the Trojan cannot record keyboard events and can only try to recover the password by analyzing mouse clicks and the screen image at the time. Going a step further, the character layout of the soft keyboard can be regenerated randomly every time, which makes the analysis more difficult.

  • Infect the app or use the phishing method to get the password value in memory directly

    Regardless of how the input process is protected, once the password is in the program it is present in clear text in memory. If malware mimics the legitimate program (or mimics the appearance of the website), it can easily take the password directly. The fake ATM fraud that now appears is also a derivative of this approach. Another variant does not replace or mimic the program but infects the original program with a virus and reads the value in memory. To prevent such attacks, the integrity and legitimacy of the original program must be verified, and only after the verification passes should the normal login interaction be performed. This verification can be done with a digital signature. For example, all Microsoft executables in Windows 7 come with Microsoft’s digital signature. For a website, the equivalent is the verification performed by HTTPS. Of course, this verification process also involves people’s judgment. To counter social engineering, software must add some mandatory measures so that people do not become numb to warnings. For example, when a browser accesses an HTTPS site whose certificate was issued by an untrusted authority, it warns and blocks access. In Windows 7, all drivers must now have a Microsoft digital signature to run.

Password conversion

The original password undergoes some conversion before it is transferred online. This is similar to the storage of passwords. Direct transmission of the password plaintext is the least secure. Using a simple reversible transformation, or encryption with a fixed key, only increases the difficulty of cracking. Preferably, the server randomly generates a new key each time and sends it to the client for encryption.

If HTTPS is used, all information passing through the SSL channel is encrypted with a random key, and naturally the password is included. Although HTTPS is secure, its biggest problem is performance. The initial key of a connection is negotiated through an asymmetric encryption system, which makes connection setup slow (data encryption after key negotiation is pure CPU consumption and, under current hardware conditions, not a bottleneck). Financial online systems generally use HTTPS, but most online applications choose to use HTTP with an exchanged random key for performance reasons.

The random key is generated by the server and sent to the client. The client encrypts the password with this key and sends it to the server. The encryption method is not required to be reversible here. A safer approach is for the client to use the MD5 or SHA-1 algorithm to irreversibly convert the password and then encrypt the result with the key before sending it to the server. There are already many JavaScript encryption libraries that can do this conversion work on the browser side.

Password online transmission

If you only use HTTP instead of HTTPS, then even though the password itself is not revealed, replay attacks may occur. When a man-in-the-middle intercepts the converted password, he does not have to know the password and can use the converted password to pass the server’s authentication.
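The random-key conversion and the replay problem described above, as an added example that is not part of the original article: it shows that a captured response is accepted again when the server key is fixed and rejected when each key is random and consumed on first use. SHA-256 and HMAC are swapped in for the MD5/SHA-1 hash and the "key encryption" step, and `LoginServer`, `clientResponse`, `replayDemo`, the user and the password are constructed for illustration.

```javascript
// Added example: challenge-response login over HTTP (hypothetical names, sample data).
const crypto = require('node:crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s, 'utf8').digest();
const hmacHex = (secret, msg) =>
  crypto.createHmac('sha256', secret).update(msg, 'utf8').digest('hex');

// Browser side: irreversibly hash the password, then key it with the server's key.
function clientResponse(password, serverKey) {
  return hmacHex(sha256(password), serverKey);
}

class LoginServer {
  constructor(users, fixedKey = null) {
    this.users = users;        // username -> sha256(password), constructed sample
    this.fixedKey = fixedKey;  // non-null models the weak fixed-key design
    this.pending = new Map();  // username -> key issued for the current attempt
  }
  // Step 1: issue the key for this login attempt (random unless fixedKey is set).
  challenge(user) {
    const key = this.fixedKey ?? crypto.randomBytes(16).toString('hex');
    this.pending.set(user, key);
    return key;
  }
  // Step 2: check the response; a random key is consumed, so it is single-use.
  verify(user, response) {
    const key = this.pending.get(user);
    const stored = this.users.get(user);
    if (!key || !stored || typeof response !== 'string') return false;
    if (this.fixedKey === null) this.pending.delete(user);
    const expected = Buffer.from(hmacHex(stored, key), 'hex');
    const got = Buffer.from(response, 'hex');
    return got.length === expected.length && crypto.timingSafeEqual(got, expected);
  }
}

// An eavesdropper on HTTP captures one valid response and sends it again later.
function replayDemo(fixedKey) {
  const server = new LoginServer(new Map([['alice', sha256('correct horse')]]), fixedKey);
  const captured = clientResponse('correct horse', server.challenge('alice'));
  const firstLogin = server.verify('alice', captured);
  server.challenge('alice');                         // next login attempt begins
  const replayed = server.verify('alice', captured); // same bytes, resent
  return { firstLogin, replayed };
}

console.log('fixed key :', replayDemo('constructed-static-key'));
console.log('random key:', replayDemo(null));
```

In this scheme the stored `sha256(password)` is itself a login-equivalent secret on the server, and nothing here protects the traffic that follows the login; that still requires HTTPS.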

The latest research uses the quantum correlation of particle pairs for quantum-encrypted transmission. It works like the sealing wax on ancient secret letters: once the letter is opened, the seal is necessarily destroyed, and the recipient will know. Quantum encryption is a resource-consuming technology intended for military and other top-secret information transmission. The information sent over a quantum cryptographic channel will also only be the key. Once the two parties have confirmed each other’s keys, they can use a normal channel to transmit the encrypted ciphertext. Quantum cryptography looks very much like the ultimate solution for transmission, yet a case of a successful attack on quantum cryptography appeared recently.

Common service analysis

Here we use packet capture to analyze how commonly used network services transmit passwords, and see how well they do in terms of security.

Website | Password transmission method | Security
(name missing) | HTTPS encrypted transmission | high
Microsoft | HTTPS encrypted transmission | high
(name missing) | HTTPS encrypted transmission | high
Happy network | HTTP Javascript encrypted transmission | medium
Xiqiao | HTTP Javascript encrypted transmission | medium
(name missing) | HTTP Javascript encrypted transmission | medium
(name missing) | HTTP plaintext transmission | low
Tianya | HTTP plaintext transmission | low
(name missing) | HTTP plaintext transmission | low

For websites that neither support HTTPS nor use client-side encryption, but transmit passwords directly as HTTP plaintext, it is recommended not to register with your commonly used passwords, to avoid security risks.


Summary

Transmitting passwords is more sensitive and less secure than storing them. There are basically three levels of transmission policy:

  1. Using HTTPS encrypted transmission is very secure. HTTPS places high performance demands on the server and also affects login speed. It is generally used for high-security logins. Both Google and Microsoft logins force HTTPS, putting security first.
  2. Using a random key to transform the password before transmitting it is relatively safe. The password plaintext is protected, but replay attacks may still occur. This approach is a compromise between performance and security and is used by general services, such as the domestic Happy network.
  3. Transmitting the password plaintext directly over HTTP without any conversion. This approach is very simple to implement, but it is irresponsible toward user privacy and data. It is a pity that several famous websites in China use this simple method. The user’s countermeasure is not to use commonly used passwords, such as your bank card password, on these websites.


Other

There are many ways for passwords to leak during transmission, and you may not even realize that a password is being eavesdropped on. For example, in a recent news story, a scammer used software to perform audio analysis on telephone key tones and thereby obtained the user’s password. When using telephone banking, we probably never thought that the sound of the keys is actually a carrier of our password.

When I recently used the 400 telephone service of Shanghai Pudong Development Bank, I was surprised to find that when the system prompts for a password, in addition to hearing my own key tones, there are other key tones in the handset that sound randomly. Because of the interference of these background sounds, people get a bit confused when they enter their passwords. (Sound is also a UI interface, but it has always been ignored. In fact, it is no less important to users than the graphical UI.)