
I am working on an app that encrypts a user's data with the user's password on the client side, without sending or sharing the password with the server. The user needs to encrypt data across pages, and I don't want to ask for the user's password each time he needs to encrypt his data.
One option I have is to make my application a single-page application, but it's a lot of overhead. Another option is to use sessionStorage, which stores data across pages for a session, but I am not sure if it's as secure as an in-memory variable in a single-page app.

iman
  • You really shouldn't be storing a password at all in the browser. You should look into getting a token and storing that instead. – Austin Dec 30 '16 at 20:27
  • Have you considered [Cookies](http://www.w3schools.com/js/js_cookies.asp)? – Chris Dec 30 '16 at 20:27
  • The thing is that I need to encrypt data using password itself so I can't hash it and I can't send it to server. – iman Dec 30 '16 at 20:28
  • There is no secure way to store a password locally. – Siamak Motlagh Dec 30 '16 at 20:32
  • Duck, I updated my question with consideration of sessionStorage, thanks – iman Dec 30 '16 at 20:46
  • Session storage is still client-side and thus still not secure. Also, as a side note - it's not going to work across different tabs. – VLAZ Dec 30 '16 at 20:50
  • @iman Ah, ok. It's been a while since I have done security, so standards may have changed, but I always stored hashed passwords in a database to authenticate against, and the first thing I would do (after cleaning it for injection, etc.) is hash the password the user entered. If the hashes match, then the passwords match. You could even salt them for added security. This way you never have to store a plaintext password, just the hash. – Chris Dec 30 '16 at 20:51
  • @duck Hashing is a good solution for server-side authentication; however, I am using this password for encrypting data on the client side and not for authentication, so I need the full password in clear text when I need to encrypt on the client side. – iman Dec 30 '16 at 20:55
  • There's nothing inherently insecure about the client side. localStorage/sessionStorage data get saved to the user's HD, so that's a concern. `window.name` afaik does not get saved to disk, and temporarily persists across pages and even domains. You can also implement `SharedWorker`s to talk between tabs, which keeps the "central store" in RAM. A SPA is also good for keeping it in RAM, obviously. PS: hashing and storing passwords is outmoded; use a key-derivation procedure instead. – dandavis Dec 30 '16 at 21:02

0 Answers