Securely send a Plain Text password?

Question

I\'m working on an application for iOS which will have the user fill out their password. The password will then be posted to a PHP page on my site using either POST or GET.

Answer 1

Reconsider not using HTTPS. HTTPS a good defense against a number of attacks.

There usually isn't a reason to transmit a password. By transmitting passwords, you are sending valuable data and their is extra risk associated with it.

Usually you hash the password and submit the hash. On the server side, you compare the hashes, if they match, great.

Obviously with this approach, the hash is important, and you have to secure against a replay attack. You could have your server generate a crypto-secure one-time use salt, pass that to the client, salt and hash the password, and compare the hashes serverside.

You also need to guard against a reverse hash attack on password. IE, I have a hash, and I can compare it to a bunch of pre-generated hashes to find the original password.