
Injecting unencrypted password to HTTP Post Request during online log-in

IP.com Disclosure Number: IPCOM000250547D
Publication Date: 2017-Aug-02
Document File: 1 page(s) / 26K

Publishing Venue

The IP.com Prior Art Database

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 61% of the total text.

Traditionally, when a user of a web service wants to gain access to it, they are required to enter a username or email address and a password. Entering a password into a password field on a web form is not secure: the password is temporarily held, unencrypted, in the form and could be captured by a key-logger or other malware that records web form entries. It is also possible, if the user leaves the computer, for someone to copy their entered password simply by inspecting the password field element of the web form and changing it to a plain-text box.

Our invention negates the need for a user to enter a password into a web form whilst still providing the web service with the user’s password. Cutting out the act of a user entering a password is ultimately more secure and seriously reduces the danger of phishing attacks.

“The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.” – The OAuth 2.0 Authorization Framework (https://tools.ietf.org/html/rfc6749)

Rather than submitting a username and a password when a user attempts to access a web service, the user should submit only a username. The password should be retrieved locall...
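As an added illustration (not code from the disclosure), the following JavaScript shows the login flow it describes: only the username comes from the form, and the password is looked up in a local store and injected into the POST body instead of ever being typed into a password field. The credential store, getLocalPassword and the request shape are assumptions; the HTTPS check is the practitioner's caveat, since the injected password still travels in the POST body in clear text.

```javascript
// Constructed local credential store, keyed by origin and username.
// Stands in for whatever local password source the disclosure uses.
const LOCAL_CREDENTIALS = {
  "https://example.test|alice": "correct horse battery staple",
};

// Hypothetical local lookup; returns null when nothing is stored for the user.
function getLocalPassword(origin, username) {
  return LOCAL_CREDENTIALS[`${origin}|${username}`] ?? null;
}

// Build the application/x-www-form-urlencoded body for the login POST.
// The username is the only value taken from the web form; the password is
// injected here and never written into a DOM element a key-logger or
// "change type to text" trick could read.
function buildLoginBody(origin, username) {
  const password = getLocalPassword(origin, username);
  if (password === null) {
    throw new Error("no locally stored credential for this user");
  }
  return new URLSearchParams({ username, password }).toString();
}

// Assemble the request a form submit handler would pass to fetch() instead of
// letting the browser submit the form. Refuses plain HTTP: the password is in
// the body unencrypted, so transport encryption is the only thing protecting it.
function buildLoginRequest(origin, path, username) {
  if (!origin.startsWith("https://")) {
    throw new Error("refusing to send a clear-text password over non-HTTPS");
  }
  return {
    url: origin + path,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: buildLoginBody(origin, username),
  };
}

// Usage from a page: submit handler reads only the username field.
function onLoginSubmit(event, origin) {
  event.preventDefault();
  const username = event.target.elements.username.value;
  const req = buildLoginRequest(origin, "/login", username);
  return fetch(req.url, req); // password never touched the form
}
```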