Canada

Reputation: 1

Is there any way to add SHA-512 to this PHP webpage in JS to make the site more secure?

I am trying to add SHA-512 to a page to make the webpage more secure, so that it is harder for people to brute force the hash to get access to the secret in the URL params.

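Here's the JS:

      (function() {
        const GetPass = function() {
          // sha256() is not defined in this snippet; it has to come from a
          // hashing library that is loaded on the page.
          var usrpass = document.getElementById("userPassword").value;
          const args = window.location.search;
          const urlprams = new URLSearchParams(args);
          // The expected hash is read from the URL itself.
          var password = urlprams.get('password');
          var hash = sha256(usrpass);
          if (hash === password) {
            // The secret is Base64- and URI-encoded in the URL.
            var info = urlprams.get('secret');
            var urle = atob(info);
            var sec = decodeURI(urle);
            // Turn each line of the secret into an HTML line.
            const htm = sec.split("\n");
            htm.forEach(function (item, index) {
              htm[index] = item + "<br/>";
            });
            var html = htm.join('');
            // innerHTML renders the decoded URL content as HTML.
            document.body.innerHTML = html;
            document.title = 'reload to exit';
            // Assigning an empty string does not clear existing cookies.
            document.cookie = '';
          } else {
            alert('Incorrect Password!');
          }
        };
        window.GetPass = GetPass;
      })();
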

I tried using the crypto sha512 library, but it errored out; same with a function I tried.

Upvotes: 0

Views: 71

Answers (1)

RAllen

Reputation: 1519

If this JS code stays as-is in the user's browser, it is extremely easy to hack and reverse engineer your logic here and brute force your server with the password hashed in the same way.

If you want to protect your JS code, you need to obfuscate it with some obfuscator/minimizer. This can make hacking a little bit harder, but not too much. To make your code really unhackable will take a lot of time and effort and still doesn't guarantee anything.

Just send passwords from the front-end to the back-end as plain text, as most of the major websites do (Google, for example).

Why not encrypt it?

Because if a user is just a user, they won't try to hack your password encryption anyway, but if somebody skilled wants to hack your password logic, they will manage to do this anyway in quite a short period of time.

Therefore, just make sure that your website uses HTTPS to protect your login/password in transit and prevent a "man in the middle" attack, and you should be good.

Upvotes: 0
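An added example, not code from the question or the answer: in the posted snippet the `secret` parameter is only Base64-encoded, so it can be read from the URL without the password, and the hash in `password` can be guessed offline. The sketch below instead derives a key from the password with PBKDF2-HMAC-SHA-512 (Web Crypto) and encrypts the secret with AES-GCM, so the URL carries no hash at all. The function names, the parameter names `s`, `iv`, `ct`, `n`, and the iteration count are assumptions made for this example.

```javascript
// Added example: names and parameters here are hypothetical, not from the page.
// Web Crypto is global in browsers and recent Node; older Node needs the fallback.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder();
const b64 = (bytes) => btoa(String.fromCharCode(...new Uint8Array(bytes)));
const unb64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Stretch the password into an AES-256 key with PBKDF2-HMAC-SHA-512.
async function deriveKey(password, salt, iterations) {
  const base = await webcrypto.subtle.importKey(
    'raw', enc.encode(password), 'PBKDF2', false, ['deriveKey']);
  return webcrypto.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-512', salt, iterations },
    base, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Build the query string: salt, IV, ciphertext and iteration count only.
async function sealSecret(password, secret, iterations = 210000) {
  const salt = webcrypto.getRandomValues(new Uint8Array(16));
  const iv = webcrypto.getRandomValues(new Uint8Array(12));
  const key = await deriveKey(password, salt, iterations);
  const ct = await webcrypto.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, enc.encode(secret));
  return new URLSearchParams(
    { s: b64(salt), iv: b64(iv), ct: b64(ct), n: String(iterations) }).toString();
}

// Returns the secret, or null when the password is wrong or the data was altered.
async function openSecret(password, query) {
  const p = new URLSearchParams(query);
  const key = await deriveKey(password, unb64(p.get('s')), Number(p.get('n')));
  try {
    const pt = await webcrypto.subtle.decrypt(
      { name: 'AES-GCM', iv: unb64(p.get('iv')) }, key, unb64(p.get('ct')));
    return new TextDecoder().decode(pt);
  } catch {
    return null; // AES-GCM authentication failed
  }
}
```

When displaying the result of `openSecret`, assign it to `textContent` rather than `innerHTML`, so the decrypted text is not interpreted as markup.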
