I need to authenticate a user using a remote site. I've never done anything like this before, so I'm not sure of the security implications. The remote site will have passwords hashed, but I'm not sure whether I need to be sending the entered password hashed or not. Would calling GET on a url like this be insecure?
Maybe it would be better to call
OR maybe it should just be
And then I can compare the hashed password to the hash returned in the response (I don't like that idea because that means anyone could get the hashed password for any user if they know the username).
Some advice here would be much appreciated. I'm also open to using an existing standard if it's easy to implement.