How to store password securely in angularjs

I plan to make an unforgettable login on an unencrypted ssl site by storing the username / password entered by the user in a javascript variable.

Each time a user executes a request, my application first requests a token from the server, then combines it with the saved $scope.password, hashes it, and sends it to the server for verification. If the check passes, the request continues; otherwise it is stopped.

In addition, each time a check is performed, the server creates a new token, regardless of whether it is valid or not.

According to my information, it would be safe if I used direct functions, but since I am going to use angularjs, I do not think it is possible, so how can I guarantee that the username / password stored in memory is not hacked?

Thanks.

+7
javascript angularjs security
2 answers

You cannot forbid someone to read the username and password from memory, but you could spend some time on what is sent to the server.

When sending to the server, you should try to hash the password and username. Use a salt that is unique to a user session, so it is more unpredictable and requires a complete record of all traffic.

This will not give you absolute security, but it raises the bar for someone else reading everything.

PS: I would highly recommend using SSL.

+2

I think you need to determine what you mean by "safe." In particular, determine what exactly you are trying to defend against and why you are not defending against conventional attacks.

If you are trying to protect a physical device from being read in memory, you are out of luck as there is NOTHING to do. Yes, there are ways to make it harder, but ultimately, if they have physical access to the device, then nothing you can do will prevent the loss.

If you are talking about man-in-the-middle or similar types of attacks, then, by ignoring the best tool in your set (SSL certificates), you have already lost.

The only sites that work by caching and constantly re-adding the user / pw are those that do not know what they are doing, because it is a very bad practice.

+1
