Why do web browsers provide websites with plain text passwords?

Suppose I sign up for website.com with username “John” and password “Secret”.

Currently the web browser supplies website.com with my real plain text password, and we must trust them to salt and hash it properly so that if they are hacked, damage to users is minimized.

Why don’t web browsers hash and salt your password for you? What would the downsides be if instead, it communicated:

username: John, password: Sha256("website.com|john|Secret") => "655cd29ded358433da16867b682c21621664d26b9ca493ab224488dffce17050"

Maybe it’s not the best scheme in the world, but is it worse than nothing at all?

With this scheme websites would have to keep track of which domain you signed up under, and you would probably want to modify the username to be all lowercase in the hash function so that the web browser communicates the same password no matter how you case your username.

The reason I suggest including domain or some other company id in the hash is so that rainbow tables can’t be used for more than one site at a time.
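The scheme described above, written out as an added example (not the poster's code): the browser-side derivation with the lower-cased username and the domain prefix, and the server side, which still has to salt and slow-hash whatever it receives, because the derived value is now the effective password for that site. The PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumed value for illustration


def browser_derive(domain: str, username: str, password: str) -> str:
    """Browser-side step from the question: SHA-256 over domain|user|password.

    The domain scopes the value to one site, so a precomputed table built for
    one site is useless against another; the username is lower-cased so that
    "John" and "john" yield the same value.
    """
    material = f"{domain.lower()}|{username.lower()}|{password}"
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def server_store(received: str) -> dict:
    """Server-side step: treat the received hex string as the password.

    A site that stored `received` as-is would hand an attacker a replayable
    credential on breach, so it is salted and stretched before storage.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", received.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return {"salt": salt, "hash": digest}


def server_verify(record: dict, received: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", received.encode("utf-8"), record["salt"], PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate, record["hash"])


def site_scoped(password: str, user: str, site_a: str, site_b: str) -> bool:
    """True when the same password yields different values for two sites."""
    return browser_derive(site_a, user, password) != browser_derive(site_b, user, password)


if __name__ == "__main__":
    sent = browser_derive("website.com", "John", "Secret")
    record = server_store(sent)
    print(sent, server_verify(record, browser_derive("website.com", "john", "Secret")))
```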

Comprehensive list of mechanisms that automatically send authentication information in browsers

I’m trying to come up with a list of built-in mechanisms that either automatically send authentication information or automatically prompt the user to provide them in browsers.

So far I have

  1. Cookies – sends cookies based on domain / expiration etc

  2. 401 WWW-Authenticate: Negotiate (SPNEGO/GSS-API) – for whitelisted domains (needs browser configuration), usually for Kerberos / NTLM

  3. Client certificate

  4. FIDO U2F (in supported browsers) – requires users to perform an action when prompted for a challenge

  5. WebAuthn (still in development, similar to the above)

  6. And obviously also Basic authentication (401 WWW-Authenticate: Basic)

Are there any other mechanisms to add to the above? (I’m excluding SAML/OIDC/OAuth as they don’t have any native support or special treatment as far as I know)

Is there any standard for modern browsers showing/hiding the URL protocol within a browser’s URL area/omnibox?

This post is sparked by this recent post on SuperUser as well as this other SuperUser post from 2018 on the same topic.

Basically, some modern web browsers purposefully obfuscate (aka: hide) the URL scheme by default nowadays. While I understand the desire to simplify the web for non-tech users, I—as a software developer and systems administrator—find it to be a bit confusing.

Not only is it odd to see one browser display URLs in a different way from other browsers, in all cases, when I copy and paste the URL from a browser to a text file or the Terminal (in macOS) I see the full URL including the URL scheme/protocol.

So is obfuscating the URL scheme/protocol somehow a standardized UX practice for modern browsers? Meaning if I decide to create “Jakescape Navigator 2020”, would I have to follow some established formatting for the omnibox/URL area?

Screenshots below of what I am seeing on macOS Mojave (10.14.5).

Chrome 75.0.3770.100 (Official Build) (64-bit)

Safari 12.1.1 (14607.2.6.1.1)

Opera 62.0.3331.18

Firefox 67.0.4 (64-bit)

Various troubles playing Web videos across different browsers

YouTube/Facebook videos fast-forwarding in Safari, not playing at all in Chrome, out of sync with sound in Firefox

For the past few weeks or so I found that on both my Macs (an iMac Late 2013 running macOS High Sierra 10.13.16 and a MacBook Air 2012 running macOS Mojave 10.14.5), Safari is often unable to play YouTube videos except in fast-forward. Sometimes reloading the video a few times helps, sometimes a reboot is needed. Just relaunching Safari never helps.

To verify whether this is YouTube, Safari or macOS, I tried on the iMac to access YouTube with the current version of Google Chrome and Firefox 57.0.4. Google Chrome plays the audio but shows black for the video. Firefox plays the videos with sound but out of sync (and, it seems, with frames missing).

The same issue affects Facebook videos too.

I have ClamXAV and while it did scan a few times during that time period, it never found anything.

Any ideas as to what could be going wrong and how to troubleshoot?