Reputation: 189
I'm trying to create basic password protection for a web page that doesn't have to be super secure, but I don't want to do something as simple as store the password in JS as someone with half a brain could view source. (I work with engineers, so everyone who would use this has at least half a brain!)
Someone else suggested doing it through an AJAX call to a PHP script which stores the password.
Is this really any better? Can't you view the network resources, i.e. using Chrome, and view the PHP file?
I tested the above using Chrome and did an inspect element, and then under the 'Network' tab there was the file titled 'Passwords.txt' which I created...
I was thinking that I could store the passwords encoded only. But I'd need something that only worked one way... i.e. you type in daveisawesome1234 and it encodes to something unintelligible like OIWBOUQ#BP@#BR@FBNSAION. This way if you see the 'Passwords.txt' file with OIWBOUQ#BP@#BR@FBNSAION in it you couldn't just type that in. Problem with that is you'd just need to read the code to figure out how I encoded it...
Is there a simple method that will accomplish what I'm looking for? I'm always learning, so please DO NOT suggest any libraries. I want to learn to code this myself.
Thanks in advance, Dave
EDIT:
Ok, I want to try something out. I created a very basic page to test out 4 password 'encryption' methods. Let me know if you figure out the passwords, and how you did it.
Here's the link: http://dck.dx.am/locktest/locktest.html
@Pointy: This should also illustrate what I was saying about being able to view the PHP file...
Please feel free to provide insights or offer up alternative methods.
Thanks, Dave
Upvotes: 1
Views: 116
Reputation: 559
You can't view the PHP file from a browser unless the server is misconfigured. PHP is usually executed on the server, and the output is sent to the client. As long as the password isn't part of the output, it's relatively safe. That's the proper way to do it (the password shouldn't be embedded in the code, but it's not that bad if it's just for a quick-and-dirty project).
On the other hand, checking the password in the browser, no matter if it's "encoded", is never a good idea, as it would be pretty easy to bypass. Client-side security is no security.
As for "something that only worked one way", that's what hashing algorithms are for.
Upvotes: 1
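As an added example (not code from the question or the answer), here is the server-side check the answer describes, written with Python's standard library instead of PHP so it runs stand-alone: the server-side file holds only a salted, one-way PBKDF2 record, the browser only ever gets back a yes/no, and the stored record itself cannot be typed in as the password. The names `make_record`, `verify` and `handle_login`, the `pbkdf2_sha256$` record layout and the iteration count are my assumptions, and the sample record is constructed for the example.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 with 200k iterations.
ITERATIONS = 200_000
ALGO = "pbkdf2_sha256"


def make_record(password: str, salt: bytes = None) -> str:
    """Return the one-way, salted record that lives only in the server-side file.
    A fresh random salt means the same password never produces the same record,
    and knowing the algorithm does not let anyone reverse the digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-derive with the stored salt and compare in constant time
    (hmac.compare_digest avoids leaking how many bytes matched via timing)."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False                      # malformed record: deny, don't crash
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Constructed sample of what the server-side 'Passwords.txt' would contain.
# Only the record is stored; the plaintext "daveisawesome1234" never is.
RECORD = make_record("daveisawesome1234")


def handle_login(request_body: dict, record: str = RECORD) -> dict:
    """What the AJAX endpoint would return: a bare yes/no, never the record,
    so nothing in the browser's Network tab reveals the secret."""
    submitted = str(request_body.get("password", ""))
    return {"ok": verify(submitted, record)}
```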