0

What is the best way to encrypt the login details (username and password) of any web based application using JavaScript at client side?

My requirement is to encrypt the username and password of the login page of the web application using JavaScript and this encrypted data needs to be used further at a later stage of the process.

Any help would be appreciated.

Regards...

Chirag
  • Use [TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security) to send it to your backend. – str Jun 26 '17 at 19:09
  • You could encrypt username and password with AES. However that requires a password... – Jonas Wilms Jun 26 '17 at 19:14
  • Thanks for suggesting the above approach. Is there any other approach (other than AES) which can encrypt the data in the client side executing the JavaScript? – Chirag Jun 26 '17 at 19:32
  • @Chirag There are many ways to encrypt something somehow. I doubt that encrypting will help you in any way. Encryption has a specific purpose which doesn't match with your use case. – Artjom B. Jun 26 '17 at 22:00
  • If you're using only symmetric encryption you need the exact same key at the server and the client. If you send the encryption key from the server to the client or the other way around you need to encrypt your symmetric encryption key. The easiest way to do this would be to use TLS. If you use TLS, then the data as well as key are encrypted, so you don't need to encrypt it yourself. This doesn't provide any security, just a little bit of obfuscation. You should read: https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/august/javascript-cryptography-considered-harmful/ – Artjom B. Jun 26 '17 at 22:00
  • If you're using asymmetric encryption, you need to make sure that the public key that is delivered to the browser can be trusted. This is not an assumption that can generally be made, because any kind of JavaScript code can be injected into an HTTP connection. You would need HTTPS (with TLS) to protect the public key from being changed, but if you have that, you don't need JavaScript encryption anymore. – Artjom B. Jun 26 '17 at 22:03
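
The symmetric-key point from the comments above, as an added example that is not code from any commenter or from crypto-js. Node's built-in `crypto` module stands in for a browser AES library; the key, page source, wire format and credentials are constructed for the illustration, and all function names are hypothetical.

```javascript
// Added example. Node's built-in crypto stands in for a browser AES library.
const nodeCrypto = require("node:crypto");

// Constructed sample key: with symmetric encryption the login page has to
// carry the same key the server uses, so it is embedded in the page script.
const PAGE_KEY = nodeCrypto.createHash("sha256").update("constructed-demo-key").digest();
const SAMPLE_PAGE_SOURCE =
  `<script>const LOGIN_KEY_HEX = "${PAGE_KEY.toString("hex")}";</script>`;

// What the page script would do before submitting the login form.
function clientEncrypt(username, password, key) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([
    cipher.update(JSON.stringify({ username, password }), "utf8"),
    cipher.final(),
  ]);
  // Wire format (assumption of this example): iv(12) | tag(16) | ciphertext
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString("base64");
}

// What the server does with the blob; it needs nothing but the key.
function decryptWithKey(blobB64, key) {
  const raw = Buffer.from(blobB64, "base64");
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  const plain = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  return JSON.parse(plain.toString("utf8"));
}

// Review check: pull any 256-bit hex constant out of the served script.
function keysInPageSource(pageSource) {
  const hits = pageSource.match(/\b[0-9a-f]{64}\b/gi) || [];
  return hits.map((hex) => Buffer.from(hex, "hex"));
}

// Every party that received the page holds the same key as the server.
function auditLoginPage(pageSource, blobB64) {
  for (const key of keysInPageSource(pageSource)) {
    try {
      return { recoverable: true, credentials: decryptWithKey(blobB64, key) };
    } catch (err) { /* not the key for this blob, try the next constant */ }
  }
  return { recoverable: false, credentials: null };
}

const blob = clientEncrypt("alice", "constructed-password", PAGE_KEY);
console.log(auditLoginPage(SAMPLE_PAGE_SOURCE, blob));
```

The audit succeeds with nothing but the page source and the submitted blob, which is why the comments call this obfuscation and point to TLS for protecting both the data and any key in transit.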

2 Answers

0

You should be encrypting login creds in your backend.

I recommend Crypto-js. There are instructions for both client side and server side.

OCeesay
0

Client side: you can use some of the functionality of crypto-js. Also, you will most likely not be able to use it later on because while encrypting, a "salt" would be added to your variable and hashed together with it, rendering it a compare-only value (using the hash comparing function).

It is advisable to encrypt data on your back-end though.

andrewkiri
  • Thanks for suggesting the above approach. However, I don't want to use my data to be encrypted to the backend. The encryption is required to be done at the client-side only. – Chirag Jun 26 '17 at 19:34
  • As mentioned above, you can use crypto-js – andrewkiri Jun 26 '17 at 19:35