 

How to properly secure password in AngularJS

I was recently reading the following article about Techniques for authentication in AngularJS applications. His concept is pretty similar to how I would normally approach this process, but the way that the password is being bound to the controller in clear text seems like a security flaw to me, and I was wondering what are better ways to approach this?

<input type="password" id="password" ng-model="credentials.password">

One way, I would think, is to encrypt the bound passwords on the controller? Is there a way to do that?

kob490 asked Nov 09 '22 08:11


1 Answer

My 5 cents into the discussion:

1) Controller exists only while your login view exists. Once you've submitted the login info, you are typically changing the view, thus destroying the controller.

2) Even if it would exist for the whole duration of the session, one would need a fairly complex scheme with XSS to get to the data.

3) Also, you have a number of items to minimize the risk even further:

  • use HTTPS

  • use signed server certificates on the server side

(if you use HTTPS, then the browser should not allow you to issue an AJAX call to an HTTP resource, and HTTPS requests will fail if the certificate is not signed and an exception was not added for the site)

4) Finally, you may consider using OAuth for authentication, if the server supports it.

5) Of course, it all depends on the level of security your application requires. If you are really concerned about somebody getting their hands on the password while a person is away from the machine, then a different authentication approach should be considered, such as client certificates (on smart cards), additional one-time codes, or something similar.

Vladimir M answered Nov 14 '22 22:11