 

How to store a password in AngularJS securely

I'm planning to do a RESTful login on a non-SSL-encrypted site by storing the username / password entered by the user in a JavaScript variable.

Every time the user makes a request, my app would first request a token from the server, then combine it with the stored $scope.password, hash it and send it to the server for validation. If the validation is correct, the request will continue; otherwise it will be stopped.

Also, every time the validation is done, the server creates a new token, whether it is valid or not.

According to my knowledge, it would be secure if I used immediate functions, but since I'm going to use AngularJS, I don't think that is possible, so how do I ensure that the username / password stored in memory is not hackable?

Thanks.

john te asked Sep 23 '13 13:09



2 Answers

You cannot prevent someone from reading the username and password from memory, but you could spend some effort on what is sent to the server.

You should try to hash the password and username when sending them to the server. Use a salt that is unique to the user's session, so it is more unpredictable and requires a full record of the whole traffic.

This will not result in absolute security, but it raises the bar for someone else to read everything.

P.S.: I would strongly recommend using SSL.

TheHippo answered Nov 11 '22 12:11



I think you need to define what you mean by "securely". In particular, define exactly what it is you are trying to defend against and why you aren't protecting against the common attack vectors.

If you are purely trying to protect the physical device against memory reads, then you're out of luck as NOTHING can do that. Yes, there are ways to make it more difficult, but ultimately if they have physical access to the device then nothing you can do will prevent loss.

If you are talking about man in the middle or similar style attacks then by ignoring the best tool in your kit (SSL certs) you have already lost.

The only sites that work by caching and constantly resubmitting the user/pw are ones built by those who have no idea what they are doing because it is a very bad practice.

NotMe answered Nov 11 '22 12:11
