How to tell if a webapp transmits my password in cleartext?
There are two reasons to ask if your password is being encrypted:
- You are worried about the security of the site.
- You are worried about the security of your password.
Regarding site security, with no HTTPS, there is effectively none. You should consider every communication with the site as public and assume that an attacker can pretend to be you. Just use the site with care.
Regarding the security of your password, without SSL, it doesn't really matter. Someone can steal your session cookie and pretend to be you without knowing your password. So be sure not to reuse the password on other sites (or reuse any password ever) to prevent a password exposure on this site from compromising your accounts on other sites.
Edit In response to your concern about ARP spoofing, without SSL, it may be possible that they establish a MiTM. Once they do that, they can see the cookie. Without deeper inspection of the web site, I cannot tell you if the cookie leaks your password. Perhaps it is securely encrypted, perhaps not. That said, once they have an MiTM, they can alter the JavaScript that is sent to your browser. This would allow them to alter what is sent on the wire, thereby getting your password. And, while I can't be certain without further examination, that cookie is looking to me like a pass the hash vulnerability. If that is the case, then there is no need for them to steal your password as the cookie's value is as good as a password. All of this boils down to, without SSL,there is no security.
What you got there is 232 hexadecimal digits, or 116 bytes of data. It is not a plain text string in any normal encoding. It could be a hash of your password, it could be your password encrypted, it could just be some kind of easily reversible obfuscation. Or it could be something completely different from your password, like a session identifier. It could be anything. Without knowing your password or the code the webapp uses it is hard to tell.
But if you are worried about the safety of your password when it is on the wire, it really doesn't matter. What matters is that you use HTTPS.* If you use HTTPS, everything sent between you and the server will be encrypted anyway. If you don't, there is no way to guarantee that a man in the middle can't steal your password, no matter what kind of encryption you try to do on the client.
Usually the only encryption used when sending a password to the server is the one that HTTPS provides.
That said, keeping the password in a cookie (wheater or not it is in plaintext, encrypted, hashed or just obfuscated) is a bad idea. Anyone with access to your computer could steal the cookie, and if the cookie is not HTTP-only an XSS vulnerability could be used to steal it as well.
* Given that it is good HTTPS - that the certificate is valid, you use a modern version of TLS, etc, etc. The same caveats that always apply.
When you want to eavesdrop on the communication between your web browser and a server, you can often do that with the developer tools of your web browser (usual hotkey: F12). Most browsers will have some kind of Network tab where all network communication between the current website and the internet is logged in cleartext.
When you find your cleartext password anywhere in there and it's not a https connection, that's a bad sign (when it is https, the browser will show you the data unencrypted, even though it was encrypted when sent on-the-wire).
But even when you find an encrypted/hashed password in there you won't know if it is good cryptography. You generally can only tell by using cryptoanalytic techniques until you figured out how the encryption works or if you reverse-engineer the javascript code on the website to find out how it works.