Password managers generally send a hash but for almost all services I would say plain text password is standard, I would definitely go with something like firebase or auth0 vs rolling your own auth in most normal situations. The poster is explicit about not knowing anything about security though so all good.
This makes sense, I guess encrypting it on top of TLS doesn’t meaningfully improve security. My concern is that you’re trusting the server to immediately salt and hash upon receipt (especially before storing), but if the client at least obfuscated the password, then in the worst case of a leak you have an email and an obfuscated password that can be used to login to the pwned service but nothing else. My specific threat model depends on the average person not adopting password manager hygiene and 2fa across their services, which is fairly common amongst my friends personally.
pjjpo|5 days ago
badeeya|5 days ago