Given the following scenario: we have an HTML form for changing an account's password. It looks like this:
CurrentPassword: __________________
NewPassword: __________________
NewPasswordAgain: __________________
We want to send this request via an Ajax call. If we send it and then leave our computer (without logging out, staying on the exact same page), someone could open the WebKit inspector (or Firebug) and see something like this:
http://cl.ly/3y213W1q0U2y2e251k0O
What would be your solution for making this more secure? Is it even possible using an Ajax call here, or would it be better to use a "normal" HTML form which reloads the whole page after sending?
Using a "normal" HTML form has the same problem, as packet sniffing could reveal the same data in a POST or GET request just as easily.
The best solution I can think of is to encrypt the password on the user's side via JavaScript. You don't really have to worry about the "what if the user has JavaScript disabled?" case since, in that case, the AJAX request won't go through either. Obviously this may have ramifications regarding how you store the password, but it will allow you to continue to use AJAX requests for the password update.
The author is not interested in encrypted connections here. He may as well be doing that already. What he wants is to be able to hide the password (and username) from anyone who has access to the computer and can open the inspector tools to view the networking that occurred on the page.
One of the simplest things you could do is to refresh the page in case the authentication succeeded.
Something that you should do is to refresh the page whenever the user presses "log out". This should clear all previous network data.
The less good options are about encrypting, obfuscating and hashing the password prior to sending it.
Hashing the password on the client side is not ideal because this prevents the use of hashed passwords with keys on the server side (think HMAC). HMAC'd passwords are the best, because the key is kept on the filesystem whereas the salt is kept in the database. Cracking the password hash requires a rather solid access to the system.
Obfuscating and encrypting the password can be reversed. If someone sees a login request in the WebKit Inspector, he might be very interested in spending the time to undress your defenses.
I highly recommend refreshing the page at some point to avoid the problem entirely. Other options do not seem as good.
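Tying the refresh advice above to the form in the question, as an added example that is not part of any answer here: the handler checks that the two new-password fields match, refuses to send over anything but HTTPS, posts the change with fetch(), and reloads the page on success so the request body no longer sits in the browser's network panel. The endpoint /account/password, the field ids, and the injected fetch/reload dependencies are assumptions made for the example.

```javascript
// Added example (not from the original question or answers). The fetch, reload and
// origin dependencies are passed in so the logic can run outside a browser.
async function submitPasswordChange(fields, deps) {
  // fields: { currentPassword, newPassword, newPasswordAgain } read from the form
  if (fields.newPassword !== fields.newPasswordAgain) {
    return { ok: false, reason: 'mismatch' };
  }
  if (!deps.origin.startsWith('https:')) {
    // Never send credentials over plain HTTP.
    return { ok: false, reason: 'insecure-origin' };
  }
  const resp = await deps.fetch(`${deps.origin}/account/password`, { // assumed endpoint
    method: 'POST',
    credentials: 'same-origin',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ current: fields.currentPassword, next: fields.newPassword }),
  });
  if (!resp.ok) {
    return { ok: false, reason: `http-${resp.status}` };
  }
  // Success: reload so the devtools network log and the filled-in form are cleared.
  deps.reload();
  return { ok: true, reason: 'changed' };
}

// Browser wiring (assumed form and field ids); guarded so the file also loads under Node.
if (typeof document !== 'undefined') {
  document.getElementById('pwform').addEventListener('submit', async (ev) => {
    ev.preventDefault();
    const value = (id) => document.getElementById(id).value;
    const result = await submitPasswordChange(
      { currentPassword: value('current'), newPassword: value('new'), newPasswordAgain: value('again') },
      { fetch: window.fetch.bind(window), reload: () => window.location.reload(), origin: window.location.origin },
    );
    if (!result.ok) {
      alert(`Password not changed: ${result.reason}`);
    }
  });
}
```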
Encrypt the password on transport and make sure the calls you are making are being done over SSL!