There are secure way you can pass password through URL. First of all you can pass password in a URI or you can also pass it in JSON format with POST request. Though will always be in plain text. To secure them you can connect through an SSL connection or if you have server administration privilege you can have a dual stack setup. Where you receiving and sending server connect through a IpSec encode pipe and you still use SSL on top of that.
If you just want to verify the user data and don't need to store the password in the database, you can encrypt it in HMAC-SHA standard or equivalent. This string is then compare in your database. If you send get request and username store in the URI and password also encode in the string request you still have a security threat. If someone want to sniff out the password he doesn't need to decode the password he can just grab the entire URI string and replicate the field and your server will still authorise him. Remember that the URI string most likely be store in the browser history folder after it is execute. Also another copy of that would be store on your server log.
If you must send the username and password in a plain string URI string and you really need the data you can do it this way. Encrypt every param name in HMAC crypt or similar. Have two random param name that store junk data and constantly change. Encode everything else. Split the value of the param string into 3 piece and join them with defined data and then encode it into a Base64 string. For example I was to send this in a param string:
example.com?_username=kevinhng86&password=1345678
I would turn it into this:
example.com?_<crypt_value_of_username>=<base64_va lue_of_XXXg86XnhnXXivek&&<crypt_value_of_randomnam e>=<base64_value_of_randomdata>&<crypt_value_of_p a ssword>=<base64_value_of_XXXX78XX56XXXXX431>&<cryp t_value_of_randomname>=<base64_value_of_randomdata >
How do I decode this after, For crypt value I can't decrypt the value but I can store the pair of it in a data base. When I encrypt the word "username", I can store the word username and the HMAC value of it in a database to compare it later. For random data I can also do this, store the algorithm of how to remove them and put back the original text.
Other way to sending your data securely is through request header, through JSON post data. Remember though there is no undecryptable technique. If someone really try to get a data, It can take them year to try to decrypt any crypt string by bruteforce it. Most likely that will not happen to us because we don't store really valuable information. However it is a good practice to keep everything secure.
There is no difference between a custom make software and one that produce by a professional. Both can have bug, both can have security vulnerability. The only thing important is if you put due care and due thought into making your software secure. A custom make software that have no loop hole is 10x better than a professional software that carry a ton of bug and security vulnerability.
