What are the security implications of storing passwords in JavaScript variables?

I'm developing a web app which needs good security. In the present design, a number of user actions need the user to re-send their password (or else the server will have to store it in plain text, at least temporarily).

Much user interaction happens through AJAX requests. Rather than have the user re-type the password for each, I'd like to do something like this:

    var password_plain = document.getElementById("password").value;

    ajax("/login.php", {password: password_plain, username: ...});

    // later

    ajax("/api.php", {password: password_plain, action: ...});

Assume for the sake of the argument that the design is sensible in general, for example:

  • the server does not store or leak the plain text password,
  • SSL is properly set up,
  • the client JavaScript periodically checks that we are still logged in and sets password_plain=null if the session expires (and clears the DOM value),
  • the server itself is secure.

The threat model is that the attacker doesn't have physical access to either the client or server machine, and cannot run arbitrary code on either, but can entice the user to visit malicious other web pages in the client's browser.

Is the password safe in a JavaScript variable?

spraff asked Apr 10 '16 14:04



3 Answers

It depends.

If you don't enclose your scopes properly, a third-party script can read and modify your variables during execution (assuming it's kept for more than one event-loop tick); however, that's a bit of an edge case. As long as it's done within any sort of function or module, and you don't have an XSS vulnerability right next to it, you're golden.

There are also questions about programs that can look at memory and stuff, but that's also irrelevant because if the user has such things on their computer, your JS code is the least of their worries.

I will add, however, that it's not recommended that you transmit the password over and over again; you normally want to authenticate once, get some sort of one-time token (like a session token), and use that for authentication during the session. Unlike passwords, sessions are easily invalidated server-side when something goes wrong.

What is important is:

  • HTTPS: Don't transmit passwords over the wire if they aren't encrypted. Hashing or encrypting them client-side isn't a viable solution.
  • XSS or SQL Injection: Basically any kind of transition from one language to the next is dangerous. Make sure to escape rigorously right before generating statements in one language with another.
  • Plain text passwords in the database: This is more of a server issue; basically, always use a strong cryptographic hash to store passwords in the database.
Madara's Ghost answered Oct 08 '22 23:10
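
An added example (not part of the answer above or of the original page) illustrating its two points: a top-level variable is readable by any other script on the page while a function-scoped one is not, and a session token can be invalidated server-side where a password cannot. The in-process `makeServer`, the user `alice`, the credentials and the helper names are all constructed assumptions; indirect `eval` stands in for separate `<script>` tags so the sketch runs offline in Node.

```javascript
// Constructed stand-in for the server; user name and credentials are made up.
function makeServer() {
  const sessions = new Set();
  let counter = 0;
  return {
    login(user, password) {
      if (user !== "alice" || password !== "correct horse") return null;
      const token = "session-" + ++counter; // a real server uses a CSPRNG
      sessions.add(token);
      return token;
    },
    api: (token, action) => (sessions.has(token) ? "ok:" + action : "denied"),
    revokeAll: () => sessions.clear(), // server-side invalidation
  };
}

// Indirect eval runs source as global code, standing in for a separate
// classic <script> tag on the same page.
const runAsPageScript = (src) => (0, eval)(src);

// The question's pattern at top level: `var` becomes a global property.
function globalLeak() {
  runAsPageScript('var password_plain = "correct horse";'); // first-party script
  return runAsPageScript("password_plain"); // any other script on the page
}

// Function scope plus a token: the password is sent once and not retained.
function createClient(server, user, password) {
  const token = server.login(user, password);
  return { call: (action) => server.api(token, action) };
}

// Even with the client object exposed globally, its closure is not readable.
function closureLeak() {
  globalThis.client = createClient(makeServer(), "alice", "correct horse");
  const seen = runAsPageScript(
    'typeof password + "|" + typeof token + "|" + Object.keys(client)');
  delete globalThis.client;
  return seen;
}

function tokenFlow() {
  const server = makeServer();
  const client = createClient(server, "alice", "correct horse");
  const before = client.call("save");
  server.revokeAll(); // the token dies; the password never has to change
  return [before, client.call("save")];
}
```

Scoping hides the value, not the capability: a script that can reach `client` can still invoke `client.call`, which is why the answer pairs scoping with the absence of XSS.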


Consider the fact that session IDs are stored in cookies and sent to the server with every request. Sound familiar? It's pretty much exactly what you're doing, but with the password instead of a session ID.

Personally I would recommend using proper sessions, but if you want a "stateless" system then what you have here should be fine, assuming as you are that everything else is "sensible" (HTTPS especially).

Niet the Dark Absol answered Oct 08 '22 23:10


No, it's absolutely not safe in a JavaScript variable. If you're storing it locally, then cross-site scripting attacks (XSS) could compromise and steal your users' credentials in plain text.

Mark answered Oct 08 '22 23:10