Encrypting password for pushing into form? html or javascript

Question

I have a corporate intranet that is locked up to only our users. A boss has demanded that through our intranet you have to be able to click yourself into one of our other web services. I have "solved" the issue by using this:

<script type="text/javascript">
  function autoClick () {
    document.forms["PM"].submit();
  }
window.onload = autoClick;
</script> 
<form id='PM' action='https://ourwebapp.corporate.com/login' method='post'>
       <label for='username'></label>
        <input id='username' type='hidden','text' name='username' value='serviceaccountusername'/>
        <label for='password'></label>
        <input id='password' type='hidden','password' name='password' value='Serviceaccountpassword'/> 
        <input type='hidden','submit' value='Log in' />
    </form>

This sends the user directly into the other web service when clicking through. I know its an ugly hack and definitely shouldn't be done. However, i have little choice i feel. Whatever.

I still want to encrypt the password in case of any malicious users look at the code and take the service account password in plain text.

The website currently supports java script and HTML. I guess that java script is the code of choice here, how would i accomplish this? Any hints or solutions?

Answer 1

The best method, as always, is using TLS. This will protect the data, including password in transit. If this is not supported by the server you can set up an SSL proxy, possibly using self signed certificates.

Without TLS you cannot fully protect against attack, as any pages - including JavaScript - may be intercepted and changed by the attacker.