Guarded API


What Happens to Your Password After You Click Login


Most developers never show you what happens on the server after you authenticate. In this video we use Burp Suite — the same tool we use when auditing client applications — to intercept a real login request and inspect what the server sends back.

We test two applications side by side. The first returns 799 bytes of data including the password hash, the user role, internal database fields, and a JWT that anyone can decode in seconds. We then crack the MD5 hash live on crackstation.net and recover the plain-text password immediately.

The second application — built to guwAPI standards — returns 39 bytes: a confirmation and a user ID. Nothing else reaches the client. No hash, no role, no internal data. We walk through the three architectural decisions that make this possible: credential hygiene in logs, explicit response construction, and generic error messages that prevent user enumeration.
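To make the contrast concrete, here is an added example (written for this page, not code from the video or from the guwAPI project) of the same login handler in both shapes: one that serializes the whole user row back to the client and logs the submitted password, and one built around explicit response construction, redacted logging and a single generic error. The in-memory user store, the salt, the password and the field names are all constructed for the demo; the hashing uses PBKDF2-HMAC-SHA256 from the standard library rather than the unsalted MD5 the first application used.

```python
import hashlib
import hmac
import json
import logging

log = logging.getLogger("login")

# Constructed demo salt and KDF; a real deployment uses a random per-user salt.
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed in-memory "database row" standing in for what an ORM would load.
USERS = {
    "alice": {
        "id": 42,
        "username": "alice",
        "password_hash": _pbkdf2("correct horse battery staple", _SALT).hex(),
        "salt": _SALT.hex(),
        "role": "admin",                                   # should never reach the client
        "db_created_at": "2024-01-01T00:00:00Z",           # internal field
        "internal_notes": "migrated from legacy table",    # internal field
    }
}

# Hash compared against when the username is unknown, so that the "no such
# user" and "wrong password" paths take the same amount of work.
_DUMMY_USER = {"password_hash": _pbkdf2("dummy", _SALT).hex(), "salt": _SALT.hex()}

# One message for every failure: the client learns nothing about which part failed.
GENERIC_ERROR = {"ok": False, "error": "invalid username or password"}


def verify_password(user: dict, password: str) -> bool:
    expected = bytes.fromhex(user["password_hash"])
    actual = _pbkdf2(password, bytes.fromhex(user["salt"]))
    return hmac.compare_digest(expected, actual)


def login_leaky(username: str, password: str) -> dict:
    """The 'before' pattern: distinct errors and the full row in the response."""
    log.info("login attempt user=%s password=%s", username, password)  # credential in logs
    user = USERS.get(username)
    if user is None:
        return {"ok": False, "error": "no such user"}       # confirms the user does not exist
    if not verify_password(user, password):
        return {"ok": False, "error": "wrong password"}     # confirms the user does exist
    return {"ok": True, "user": user}   # hash, salt, role and internal fields all leave the server


def login_guarded(username: str, password: str) -> dict:
    """Explicit response construction: only the fields the client needs."""
    log.info("login attempt user=%s", username)             # never log the secret
    user = USERS.get(username)
    candidate = user if user is not None else _DUMMY_USER
    # Always run the KDF, then fail with the same message on either cause.
    if not verify_password(candidate, password) or user is None:
        return dict(GENERIC_ERROR)
    return {"ok": True, "user_id": user["id"]}              # built field by field, nothing else


def response_size(resp: dict) -> int:
    """Bytes on the wire for the JSON body, mirroring the byte counts seen in Burp."""
    return len(json.dumps(resp, separators=(",", ":")).encode())


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("leaky  :", response_size(login_leaky("alice", pw)), "bytes")
    print("guarded:", response_size(login_guarded("alice", pw)), "bytes")
```

The guarded handler never hands a model object to the serializer; the response dictionary is assembled from named fields, so a new column added to the user table later cannot silently start leaking. The two failure branches share one message and one amount of hashing work, which is what closes the enumeration channel rather than the wording alone.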
