Encrypt password between client and server

[NaitLee]

Currently when we change our password, the password sent to client is not encrypted.
When we login, the password is dealt with sha256. But if hacker hijacked the result, he can still do things with correct ajax method.

So beside https, how to get the best effect of encryption between client and server?
I think, The message sent between client and server should be hard to deal.
And we should find a way, to send password/encryption-related message without/cannot fully seen by hacker.

Scripting command: Data manipulation maybe useful as there are some mathematical things.
Additionally, {.get account||password.} can get original password, {.sha256|A.} can make it undiscoverable, {.time|yyyymmddhhMMss.} can get a timestamp...

Anyone can share a bit suggestions?

[Mars]

Currently when we change our password, the password sent to client is not encrypted.
When we login, the password is dealt with sha256. But if hacker hijacked the result, he can still do things with correct ajax method.

So beside https, how to get the best effect of encryption between client and server?
I think, The message sent between client and server should be hard to deal.
And we should find a way, to send password/encryption-related message without/cannot fully seen by hacker.

Scripting command: Data manipulation maybe useful as there are some mathematical things.
Additionally, {.get account||password.} can get original password, {.sha256|A.} can make it undiscoverable, {.time|yyyymmddhhMMss.} can get a timestamp...

Anyone can share a bit suggestions?

look at this post
http://rejetto.com/forum/index.php?topic=13326.msg1066139#msg1066139

[Richard_F]

Hello, NaitLee!

yeah, i had this problem for some time too. Unfortunatly i am not sure how fix it. (last time i got help ) But maybe this post https://www.technikhiwi.de/wordpress-hosting-test/#Sicherheit can help you. It is in german, so use a site-translation. There is some information about encrypt hosting and SSL-certification.

[LeoNeeson]

Good idea. Some time ago, I've proposed something different: adding Two-Factor Authentication (2FA) to HFS. Although it's not 100% bullet-proof secure, 2FA could add another layer of security to HFS (for extra peace of mind, since in case a password is stolen, you would still need a correct 2FA code).

[NaitLee]

Some time ago, I've proposed something different: adding Two-Factor Authentication (2FA) to HFS

Seems the account notes key can be used to store the second password, and even more So this is also possible

[Mars]

In the long term, the password that can be displayed in clear in the options should disappear to make room for an encryption in the form md5 or sha256 or compatible with the password file under linux, the various forms of authentication between clients and server would be adapted and thus avoid to be able to hack clear identifiers in the ini file,

the current problem is to find a standardized format for sending encrypted data in binary or text form in the forms and to recover it correctly whether in ansi or in widestring, the conversion and interpretation of the data received byte by byte complicates a little the thing, I had made an attempt by codifying the whole in the form of hexadecimal data, but not being at the top on the javascript, the encoding then the decoding gave constantly discordant results so I left aside in waiting for rejetto to have enough time to go back to hfs