Plain text password over HTTPS

Backend · Unresolved · 7 · 634
耶瑟儿~ 2020-12-07 13:19

I'm currently working on a PHP OpenID provider that will work over HTTPS (hence SSL encrypted).
Is it wrong for me to transmit the password as plain text? HTTP

7 answers
  •  南笙 (OP)
     2020-12-07 13:36

    Hash client side. Why? Let me tell you about a little experiment. Walk up to a computer in the company cafeteria. Open a browser to the company web site login page (https). Press F12, click the network tab, check off persist log, minimize the console but leave the web page open to the login page. Sit down and eat lunch. Watch as employee after employee logs on to the company web site and, being a good little worker, logs out when done. Finish lunch, sit down at the computer, bring up the network tab and see every single username and password in plain text in the form bodies.

    No special tools, no special knowledge, no fancy hacking hardware, no keyloggers just good old F12.

    But hey, keep thinking all you need is SSL. The bad guys will love you for it.
