Reputation:
Improving security with JS
I’m trying some little ideas, and I’ve hit a snag.
At the moment, when a user logs in, their password is stored in a variable which is handled later. Obviously all one has to do to get hold of the password is to go into the developer tools or console or whatever and add a statement like alert(pass.value);.
I know this is unrealistic but its been bugging me. Is there any way of detecting an alert statement and scrambling the password somehow? A regex or string replace?
Thanks!
Upvotes: 0
Views: 80
Answers (2)
Reputation: 143007
If you want to have a secure system, don't store the password on the client side. There is absolutely nothing you can do in JavaScript that will prevent somebody from accessing the password if it is stored in a JavaScript variable.
All of your authentication should be handled on the server side. If you are storing passwords somewhere, do not store them in plain text, and do not use a home-brew encryption method. Cryptology is full of minefields and it's very easy to get something wrong, and I would recommend using a well thought-out system like bcrypt.
Upvotes: 6
Reputation: 3970
I would advise against keeping any kind of credential information client-side. One viable solution that's easy to implement is is a security token password. A simple process would look like this:
- User access website. Informs credentials.
- Website validates credentials. Creates temporary token associated with user ID, stores it client-side.
- User access website. Informs token.
- Token is validated against storage, user identified.
Upvotes: 0
Related Questions
- Javascript security on a server
- Javascript Security
- Securing Javascript (server side?)
- securing javascript source code
- Securing pure Ajax/Javascript client
- Security in JavaScript Code
- Javascript: How to secure your code
- securing data used in java script file
- Security Concerns on clientside (Javascript)
- How to isolate unsecure JavaScript code