Reputation: 1898
I have a basic JavaScript registration form which sends the password that a user has filled in to a secure Axis2 web service (which stores the salted hash of the password in a database).
My question is: is there ANY WAY for the password to be cracked before it's sent to the server, as the user enters a plain text password and it's hashed on the server side?
How can I secure my JavaScript client, and can you recommend some libraries?
Thank you in advance
Upvotes: 2
Views: 135
Reputation: 16188
The passwords are sent in plaintext, and can be easily sniffed/spoofed via man-in-the-middle attacks like ARP poisoning (in which someone on the same subnetwork as you or your client can sniff and manipulate packets).
Get an SSL certificate and enable HTTPS for your website (instructions for Apache here).
For some more details on why there's no point securing stuff on the client side, see my answer here. Basically, unless there is a certificate-based trust system like in HTTPS, an attacker can always spoof whatever encryption protocol you try by modifying keys on the fly or removing the encryption code from the JavaScript.
Upvotes: 5
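A minimal Apache setup for the HTTPS recommendation in the answer above, as an added example that is not part of the original answer. The host name, document root and certificate paths are placeholders, and mod_ssl and mod_headers are assumed to be enabled.

```apache
# Added example; example.com, the document root and the certificate
# paths are placeholders. Requires mod_ssl and mod_headers.

# Port 80 serves nothing but a redirect, so the registration form and
# its JavaScript are never delivered over plain HTTP.
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/example

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.com.fullchain.pem
    SSLCertificateKeyFile /etc/ssl/private/example.com.key

    # Disable the legacy protocol versions.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # HSTS: after one HTTPS visit the browser refuses plain HTTP for
    # this host, which limits downgrade by an on-path attacker.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

The redirect alone does not protect a first visit made over plain HTTP, which is why the HSTS header is set on the HTTPS virtual host.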
Reputation: 119827
Unless the connection is in HTTPS, the password is sent in plaintext. There is no client-side code that can help you with that.
Upvotes: 1