I'm working on a script that needs to use the Github API to allow the user to gain access to their Github account. I'm still really new to web programming, so I'm not really comfortable with how to securely transmit username and password combinations. I'm just wondering what are some of the better, safer ways to ensure that a third-party can't just sniff the network and grab username/password combinations?

I've read up a little on urllib2 and the HTTP handlers, is it safe to use those functions to pass a real user's information to a web site?

Off the top of my head:

  • Use HTTPS, if you can.
  • Authenticate without actually sending the password, as in a challenge/response. This isn't completely safe (e.g. it's still vulnerable to man-in-the-middle attacks), but it's much better than sending a cleartext password.
commented: good link +13