Robert Lohr

Reputation: 635

Cache password in JavaScript for later use, securely

We're currently developing a web application that needs to decrypt data stored on the server with the user's password. The main goal is to not ask the user again for his password, so the idea is, after login, to store the password in a global JavaScript variable to have access to it later on when downloading and decrypting the files. Somehow I don't like the notion of keeping the password around, but from a marketing perspective the higher priority is convenience.

Am I just being paranoid or is this a possible security problem? If this could be a security problem, how can I implement this in a safe way that does not interfere with the convenience factor?

edit

Data is encrypted on the client when uploading and shall be decrypted on the client after the download. The user's password is stored on the server hashed with SHA-256.

Upvotes: 3

Views: 1479

Answers (2)

Jacob Johnson

Reputation: 51

Have you considered creating an object that handles the decryption that has private access to the password, via the module pattern?

http://www.adequatelygood.com/JavaScript-Module-Pattern-In-Depth.html

Upvotes: 0
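
One way to build the object this answer describes, as an added example that is not part of the original answer: a module-pattern closure that keeps a key derived from the password private and exposes only the operations. `createVault` and its methods are hypothetical names, and PBKDF2-SHA-256 with AES-GCM is an assumed scheme, since the page does not say how the files are encrypted.

```javascript
// Added example: module-pattern "vault". All names here are hypothetical.
const webCrypto = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

function createVault() {
  let key = null; // private: reachable only through the closures returned below

  // Derive the key once at login; the password string is not stored anywhere.
  async function unlock(password, salt) {
    const material = await webCrypto.subtle.importKey(
      'raw', new TextEncoder().encode(password), 'PBKDF2', false, ['deriveKey']);
    // Assumption: PBKDF2-SHA-256 feeding AES-GCM; the page names no scheme.
    key = await webCrypto.subtle.deriveKey(
      { name: 'PBKDF2', salt, iterations: 600000, hash: 'SHA-256' },
      material,
      { name: 'AES-GCM', length: 256 },
      false, // non-extractable: script cannot export the raw key bytes
      ['encrypt', 'decrypt']);
  }

  async function encrypt(plaintext) {
    if (!key) throw new Error('vault is locked');
    const iv = webCrypto.getRandomValues(new Uint8Array(12)); // fresh IV per file
    const ct = await webCrypto.subtle.encrypt({ name: 'AES-GCM', iv }, key, plaintext);
    return { iv, ciphertext: new Uint8Array(ct) };
  }

  async function decrypt({ iv, ciphertext }) {
    if (!key) throw new Error('vault is locked');
    const pt = await webCrypto.subtle.decrypt({ name: 'AES-GCM', iv }, key, ciphertext);
    return new Uint8Array(pt);
  }

  // Drop the key reference, for example on logout.
  function lock() { key = null; }

  // Frozen so other scripts cannot swap the methods for their own.
  return Object.freeze({ unlock, encrypt, decrypt, lock });
}
```

The closure keeps the password and key out of global scope and out of reach of property access, but any script running in the page can still call `decrypt` while the vault is unlocked, so call `lock()` on logout.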

J D

Reputation: 1818

Have you considered using Session variables? They are much more secure.

And if you need to stick to client side JavaScript, I think you can store them in cookies.

However, I'm not sure what you are really trying to achieve for your app.

Upvotes: 1
