How to encrypt a password on the client (AngularJS), send it to the server (expressJS) and decrypt it on the server?

I want to encrypt a password on the client (angular.js), send it to the server (express.js) and decrypt it on the server. I would like a simple method. I use $http to POST requests. I know that the angular-bcrypt library exists, and the same for nodeJS, but it is not worth it for me, because it only has the compare method.

I want something like this:

var password = document.getElementById('txtPassword').value;
var xorKey = 129; /// you can have other numeric values also.
var result = "";
for (var i = 0; i < password.length; ++i) {
    result += String.fromCharCode(xorKey ^ password.charCodeAt(i));
}

But I only found the method for decrypting in C#:

// requires: using System.Text;
public bool Authenticate(string userName, string password)
{
    StringBuilder inSb = new StringBuilder(password);
    StringBuilder outSb = new StringBuilder(password.Length);
    char c;
    for (int i = 0; i < password.Length; i++)
    {
        c = inSb[i];
        c = (char)(c ^ 129); /// remember to use the same XORkey value you used in javascript
        outSb.Append(c);
    }
    password = outSb.ToString();

    // your rest of code
}

Any idea? Thank you very much. :P

Izaskun Peña, asked May 11 '16 18:05


2 Answers

Passwords should never be decrypted. They should be hashed with one-way encryption. The server should provide a nonce so that the client returns a different but verifiable answer on each login.

All passwords should be hashed, salted and stretched. If it can be decrypted, it is not safe. See Serious Security: How to store your users’ passwords safely.

My favorite answer:

You need a library that can encrypt your input on client side and transfer it to the server in encrypted form.

You can use following libs:

  • jCryption. Client-Server asymmetric encryption over Javascript

Update after 3 years:

  • Stanford Javascript Crypto Library

Update after 4 years (Wohoo!)

  • CryptoJS - Easy to use encryption
  • ForgeJS - Pretty much covers it all

Still not convinced? Neither am I :)

  • OpenPGP.JS - Put the OpenPGP format everywhere - runs in JS so you can use it in your web apps, mobile apps & etc.

— Password encryption at client side

See also:

Is it worth hashing passwords on the client side


UPDATE March 2017: Consider getting a free SSL Certificate with

https://letsencrypt.org/about/

georgeawg, answered Sep 16 '22 16:09


The only secure way to securely transmit data between client and server is to secure the connection with SSL. What you're essentially doing is just obfuscation, which can be reversed.

Joseph, answered Sep 20 '22 16:09
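
To make the "obfuscation, which can be reversed" point concrete, here is the question's XOR transform written as a function, together with the two ways a network observer undoes it. This is an added example, not code from the answer or the question; it assumes the single-byte key 129 from the question and nothing else.

```javascript
// Added example (not from the original answers): the XOR transform from the
// question, written as a function, and two ways a network observer undoes it.
// Assumes the single-byte key 129 from the question; nothing else is secret.
const XOR_KEY = 129;

// The asker's transform. XOR is its own inverse, so the same function both
// "encrypts" and "decrypts": the only secret is a constant that is shipped
// to every browser inside the page's JavaScript.
function xorObfuscate(text, key = XOR_KEY) {
  let out = '';
  for (let i = 0; i < text.length; i++) {
    out += String.fromCharCode(key ^ text.charCodeAt(i));
  }
  return out;
}

// Observer who has read the page source: apply the published key.
function recoverWithKnownKey(captured) {
  return xorObfuscate(captured, XOR_KEY);
}

// Observer who has not: a one-byte key has only 256 values. Try each and keep
// the candidates that decode to printable ASCII; the real password is among
// them, and the list is short enough to try against the login form by hand.
function bruteForceSingleByteXor(captured) {
  const candidates = [];
  for (let key = 0; key < 256; key++) {
    const plain = xorObfuscate(captured, key);
    if (/^[\x20-\x7e]+$/.test(plain)) candidates.push({ key, plain });
  }
  return candidates;
}

// Neither step is even required: without TLS the observer can replay the
// captured value unchanged, since the server XORs it back and accepts it.
```

For an ASCII password the high bit of every captured character is set by the key 129, so only keys with the high bit set can produce printable output and the brute-force list has at most 128 entries; in practice far fewer survive the printable filter.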