
Can User Credentials be captured when using Forms Authentication


If I'm using Forms Authentication running over standard HTTP, when the user enters their username & password into the login ASP.NET form, can this info be captured (excluding key-logging software)? In other words, is their data secure?


Solution

  • Authentication running on standard HTTP, when the user enters their username & password into the login ASP.net form, can this info be captured?

    Short Answer: Absolutely. Everyone and anyone can capture this information once it is submitted.

    Long Answer: Anyone and everyone can see all traffic using the HTTP (or HTTPS) protocol. However, through the provided security (encryption) afforded by HTTPS, that data would not be of any value to someone that can't decrypt it.

    Therefore, if your login form is submitting user credentials (as well as loading the login form, but I'll come back to that in a moment) over HTTP, that user's data is insecure and can be captured, as it is being sent in plain text.

    But be aware, as important as it is to send sensitive data (such as credentials) over HTTPS, it's just as important to load the login form over HTTPS as well.

    Why?

    Because, while the form is being loaded over HTTP, it allows for man-in-the-middle (MITM) attacks (say, injecting a keylogger). So even though they submit their credentials over HTTPS, the damage was already done when they were inputting their credentials.
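As an added example (not part of the original question or answer), the web.config settings that put the answer into practice: the weak `requireSSL="false"` line is kept as a comment beside the hardened settings that force both the Forms Authentication cookie and the login page itself onto HTTPS. The login page path, timeout and the IIS URL Rewrite rule are assumptions, and the redirect rule requires the IIS URL Rewrite module to be installed.

```xml
<!-- Added example: hardening ASP.NET Forms Authentication so neither the
     login form nor the credentials nor the auth ticket travel over HTTP.
     Paths and timeout are assumed values, not taken from the original post. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- WEAK (the situation in the question): the login form loads over
           HTTP, the POST of username/password is plain text, and the auth
           ticket cookie is sent on every HTTP request.
      <forms loginUrl="~/Login.aspx" requireSSL="false" timeout="30" />
      -->

      <!-- HARDENED: requireSSL="true" marks the forms auth ticket cookie
           Secure, and ASP.NET refuses to issue the ticket at all if the
           login request did not arrive over HTTPS. -->
      <forms loginUrl="~/Login.aspx" requireSSL="true" timeout="30"
             cookieless="UseCookies" />
    </authentication>

    <!-- Site-wide: every cookie Secure (HTTPS only) and HttpOnly (not
         readable by script, which limits what an injected keylogger-style
         script can steal). -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
  </system.web>

  <system.webServer>
    <!-- Addresses the "load the login form over HTTPS" point: any plain
         HTTP request, including GET /Login.aspx, is redirected to HTTPS
         before the form is rendered. Needs the IIS URL Rewrite module
         (assumption). -->
    <rewrite>
      <rules>
        <rule name="Force HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                  redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>

    <!-- HSTS: once a browser has seen this header over HTTPS it will not
         make the initial plain-HTTP request again for a year, closing the
         window in which the first GET could be intercepted. -->
    <httpProtocol>
      <customHeaders>
        <add name="Strict-Transport-Security" value="max-age=31536000" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

With `requireSSL="true"` in place, a login attempt over plain HTTP fails server-side with an HttpException instead of silently issuing a ticket, which is a useful check that the redirect rule is actually in effect.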