Most HTTPS authentication relies on TLS encryption; the password is typically sent in plaintext within the encrypted channel.
However, there’s an interesting mechanism to authenticate without sending a password directly to the server. The caveat is that it requires some initial setup on the server side.
If you first establish a username and password with the server, then for subsequent authentications, the server can send you a nonce. You respond with something like:
hash2(hash1(username$salt$password)$nonce)
The server does not need to store the raw password. It can store hash1(username$salt$password) instead.
As long as neither the server nor your device is compromised, no third party can recover hash1(username$salt$password).
Additionally, only you and the server can compute hash2(hash1(username$salt$password)$nonce), making this a secure method of proving identity without revealing credentials.
Interestingly, a similar mechanism is used in RTSP (Real-Time Streaming Protocol). When a client sends an initial request, it may be rejected with a 401 Unauthorized response. This response includes a nonce and a realm, which acts like a salt. For example, the realm might be something like IP Camera(AB123).
The client then sends an authenticated request, such as:
DESCRIBE rtsp://192.168.1.123:554/ RTSP/1.0
CSeq: 7
Authorization: Digest username="admin", realm="IP Camera(AB123)", nonce="[nonce]", uri="rtsp://192.168.1.123:554/", response="[digest response]"
This is known as Digest Access Authentication, standardized for HTTP in RFC 7616 and also used in RTSP (RFC 7826). It ensures the password itself is never sent on the wire, only a digest derived from it.
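The two-level hash described above and the RTSP Authorization header can be worked through end to end in a few lines. The following is an added example, not code from the original post: it computes the RFC 7616 digest in the form the camera header uses (no qop parameter, so response = MD5(HA1:nonce:HA2) with HA1 = MD5(username:realm:password) and HA2 = MD5(method:uri)), builds the header, and implements a minimal server that stores only HA1, issues one-shot nonces and verifies responses. The password and nonce values are constructed for the example; the realm, username, method and URI are taken from the header shown above.

```python
import hashlib
import re
import secrets

# Constructed sample values. The realm, username, method and URI match the
# RTSP header on the page; the password and nonce are invented for this example.
METHOD = "DESCRIBE"
URI = "rtsp://192.168.1.123:554/"
REALM = "IP Camera(AB123)"
USERNAME = "admin"
PASSWORD = "example-password"      # constructed, not from the page
NONCE = "5f3a9c1e0b7d4e2a"         # constructed; a real server issues a fresh random one


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """hash1(username$salt$password) in the page's notation; the realm is the salt.
    This is the only credential the server has to store."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_value: str, method: str, uri: str, nonce: str) -> str:
    """hash2(hash1(...)$nonce): the RFC 7616 response without qop, as in the RTSP header."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_value}:{nonce}:{ha2}")


def build_authorization(username, realm, password, nonce, method, uri) -> str:
    """Client side: derive HA1 from the password and answer the server's nonce."""
    resp = digest_response(ha1(username, realm, password), method, uri, nonce)
    return (f'Authorization: Digest username="{username}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", response="{resp}"')


_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_authorization(header: str) -> dict:
    """Parse the quoted key="value" parameters of a Digest Authorization header."""
    body = header.split("Digest", 1)[1]
    return dict(_PARAM_RE.findall(body))


class DigestServer:
    """Server side: keeps HA1 per user, hands out nonces, checks responses."""

    def __init__(self, realm: str):
        self.realm = realm
        self.ha1_by_user = {}
        self.outstanding_nonces = set()

    def register(self, username: str, password: str) -> None:
        # The raw password is discarded; only HA1 is kept.
        self.ha1_by_user[username] = ha1(username, self.realm, password)

    def challenge(self) -> str:
        """Nonce carried in the 401 Unauthorized response."""
        nonce = secrets.token_hex(16)
        self.outstanding_nonces.add(nonce)
        return nonce

    def verify(self, header: str, method: str) -> bool:
        p = parse_authorization(header)
        stored = self.ha1_by_user.get(p.get("username"))
        nonce = p.get("nonce")
        if stored is None or p.get("realm") != self.realm or nonce not in self.outstanding_nonces:
            return False
        # One attempt per nonce: consume it so a captured header cannot be replayed.
        self.outstanding_nonces.discard(nonce)
        expected = digest_response(stored, method, p.get("uri", ""), nonce)
        return secrets.compare_digest(expected, p.get("response", ""))


if __name__ == "__main__":
    print(build_authorization(USERNAME, REALM, PASSWORD, NONCE, METHOD, URI))
```

Two points the code makes concrete: the header never contains the password, and a replayed header fails because the server discards each nonce after one use. The flip side, already implied by the "server not compromised" condition above, is that the stored HA1 is enough to answer any future challenge, so the HA1 table must be protected as carefully as a password database. MD5 is used here because that is what the RTSP header on the page implies; RFC 7616 also defines SHA-256 variants.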