Encrypting password at client side and then decrypting it before calling login action

Dear All,

I have a requirement of hashing/encrypting the password at client side, as the password can be seen in plain text in the browser using developer mode or using tools like Burp Suite. Based on my research so far it can be done by calling JavaScript at the Login page to encrypt the password and then decrypt it before calling the User_Login method which is called on the Login button.


Since I have very little exposure to JavaScript, I am having a tough time implementing the same. Could you please advise on the sample code to achieve this requirement.

Thanks for your help!

Regards,

Zubair



Hello Zubair.

If you're using HTTPS, the password will already be encrypted while in transit to the server. So you won't gain any extra security by encrypting it again.

The password can only be seen in clear text in the same browser the user typed it in. So we're talking about a user typing in a password, then the same user opening developer tools and reading the password? I don't think it's a security risk to let the user read their own password.

And, if you want to make sure the password cannot be read even by using developer tools, then I'm going to say that someone with access to developer tools could simply hijack your JavaScript encryption function and store the clear text password before encrypting it. Developer tools have all the privileges to change JavaScript code.


The only advantage I see in that extra encryption layer is to protect against super-powerful organisations, such as governments that could compromise root CA certificates, or develop some attack on the SSL protocols. That has happened in the past, with NSA eavesdropping on SSL traffic. Is that your scenario?

Hello Leonardo,

Thanks for your response. 

Yes, we are using HTTPS in the application URL; we are just trying to add a security layer to avoid browser or malware attacks which can compromise the user password.

Thanks,

Zubair

Hi Zubair,

Never ever try to "add a security layer" when you have clearly no clue as to what "security" actually is. Leave that to the experts :). As Leonardo already wrote, trying to do what you do does not give any extra security, and symmetric encryption isn't very secure to begin with.

Zubair, a malware would likely listen for keyboard events. Encrypting a password using javascript would not make your application more secure.