In our JSP form, we are accepting user names and passwords and we submit the form using the POST method to a servlet. How safe is this? Is there any way someone can use a sniffer and get this password? What is the right way to accept usernames & passwords?
- Save the password to a local variable
- Erase the password or replace it with some number of "x"'s
- Concatenate together the username, the specified password, and the session id
- Fill in the hidden form variable with the MD5 hash of the string I created in the previous step
- Post the form
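
The steps listed above, written out with a matching server-side check, as an added example that is not part of the original thread. The function names, the `store` map and the sample credentials are assumptions constructed for illustration, and Node's `crypto` module stands in for a browser MD5 routine.

```javascript
// Added example (not from the original thread).
const crypto = require("node:crypto");

// MD5 over username + password + session id, plain concatenation as described.
function clientResponse(username, password, sessionId) {
  return crypto.createHash("md5")
    .update(username + password + sessionId, "utf8")
    .digest("hex");
}

// Client side: keep the password in a local variable, overwrite the visible
// field with x's, fill the hidden field, and return what would be posted.
function prepareForm(form, sessionId) {
  const password = form.password;
  return {
    username: form.username,
    password: "x".repeat(password.length),
    response: clientResponse(form.username, password, sessionId),
  };
}

// Server side (assumed): recompute the hash from the stored password and the
// session id the server itself issued, then compare in constant time.
function serverVerify(store, posted, sessionId) {
  const stored = store.get(posted.username);
  if (stored === undefined || !/^[0-9a-f]{32}$/.test(posted.response)) return false;
  const expected = Buffer.from(clientResponse(posted.username, stored, sessionId), "hex");
  return crypto.timingSafeEqual(expected, Buffer.from(posted.response, "hex"));
}

// Constructed sample data: one account and one login attempt in SESSION-A.
const store = new Map([["alice", "correct horse"]]);
const posted = prepareForm({ username: "alice", password: "correct horse" }, "SESSION-A");

function demo() {
  return {
    passwordOnWire: posted.password,                        // only x's are posted
    sameSession: serverVerify(store, posted, "SESSION-A"),  // accepted
    otherSession: serverVerify(store, posted, "SESSION-B"), // captured hash reused elsewhere
  };
}

console.log(demo());
```

Because the hash covers the session id, a value captured from one session is rejected in another. The server can only recompute it if it holds the password in a form it can re-hash per session, and everything else the form and session carry still crosses the network in the clear unless the page is served over TLS.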