Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Sending your password as you type it as a GET request query parameter seems awfully hazardous. As you point out the password will appear in all manner of places, such as HTTP server logs. As the username/email is not included an ops person might not directly know from the GET request alone what user the password belongs to. It is not difficult to imagine however that they have enough info to correlate the IP address of the password strength request with a user.


Maybe they plan to cache the responses! I mean, from a POST to a GET, there is clearly a trend.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: