URL: https://developer.mozilla.org/en-US/docs/Web/Security/Insecure_passwords
INSECURE PASSWORDS

Serving login forms over HTTP is especially dangerous because of the wide
variety of attacks that can be used against them to extract a user's password.
Network eavesdroppers could steal a user's password by sniffing the network, or
by modifying the served page in transit.

The HTTPS protocol is designed to protect user data from eavesdropping
(confidentiality) and from modification (integrity) on the network. Websites
that handle user data should use HTTPS to protect their users from attackers. If
a website uses HTTP instead of HTTPS, it is trivial to steal user information
(such as their login credentials). This was famously demonstrated by Firesheep.

To fix this issue, install and configure an SSL/TLS certificate onto your
server. There are various vendors offering free and paid certificates. If you
are using a cloud platform, it may have its own ways of enabling HTTPS.


NOTE ON PASSWORD REUSE

Sometimes websites require a username and password but don't actually store data
that is very sensitive. For example, a news site may save which news articles a
user wants to go back to and read, but not save any other data about the user.
The developers of such a site may be less motivated to secure it and the
credentials of its users.

Unfortunately, password reuse is a big problem. Users use the same password
across multiple sites (news websites, social networks, email providers, banks).
Hence, even if access to the username and password to your site doesn't seem
like a huge risk to you, it is a great risk to users who have used the same
username and password to log in to their bank accounts. Attackers are getting
smarter; they steal username/password pairs from one site and then try reusing
them on more lucrative sites.


SEE ALSO

 * No More Passwords over HTTP, Please! — detailed blog post with more
   information, and FAQ.


Last modified: Sep 9, 2022, by MDN contributors

Portions of this content are ©1998–2022 by individual mozilla.org contributors.
Content available under a Creative Commons license.