I have created Vue components for login and registration. How do I send the password to the server? Should I just encrypt the password using bcrypt on the client side and then send it to Laravel, or should I just send the plain password to Laravel and use bcrypt($request->get('password'));? What would be a good option?

If I should encrypt the password in the Vue component, what package/function should I use so that it will encrypt the password in the same way as Laravel/PHP does?

Pritam Bohra

  • 1. You *hash* passwords, you don't encrypt them. 2. There is little security benefit to sending the hash instead of the password, as a MitM attacker still gets what they need to log in. 3. Use HTTPS to secure the password in transit. – jonrsharpe Aug 11 '17 at 06:38

2 Answers

There is not really any need to encrypt the password in your JavaScript code. It is more important to serve your PHP on an HTTPS server.

The data sent between the browser and your web server will be encrypted by the SSL/TLS cert.

Here are some guides to set up an HTTPS-enabled web server; I assume your PHP is hosted on NGINX or Apache with php-fpm or the Apache PHP modules.

Let's Encrypt provides a free SSL/TLS cert for your web server to secure the communication between the client browser and itself.

kkpoon

  • So can I just send my password as it is using axios after having SSL? – Pritam Bohra Aug 11 '17 at 06:51
  • Right, but be sure that you forward/redirect normal HTTP on port 80 to HTTPS on port 443 on your web server, so that users will not accidentally use HTTP (insecure) to send login info. – kkpoon Aug 11 '17 at 06:56
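As an added example that is not part of kkpoon's answer, here is an NGINX configuration that does what the answer and the follow-up comment describe: the Laravel app is reachable only over HTTPS with a Let's Encrypt certificate, and every plain-HTTP request on port 80 is redirected to port 443. It also adds an HSTS header, which goes a step beyond the comment by making the browser upgrade typed http:// URLs on its own. The hostname example.com, the app path /var/www/laravel, the certbot certificate paths and the php-fpm socket path are assumptions; replace them with your own values.

```nginx
# Added example, not from the original answers. ASSUMED values: site example.com,
# Laravel app in /var/www/laravel, certbot certs in /etc/letsencrypt/live/example.com/,
# php-fpm listening on /run/php/php-fpm.sock.

# 1. Plain HTTP on port 80: answer only with a redirect to HTTPS. The application
#    is never served here, so a login form can never be submitted in clear text.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

# 2. HTTPS on port 443: the only place the application is reachable.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # HSTS: tell browsers to use HTTPS for this host for one year, so even a
    # typed http:// URL is upgraded before any request leaves the browser.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Only Laravel's public/ directory is exposed, never the project root.
    root  /var/www/laravel/public;
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # Hand PHP requests to php-fpm; bcrypt hashing of the received password
    # then happens server-side in Laravel, as the question's second option does.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Never serve dotfiles such as .env (holds APP_KEY and database credentials).
    location ~ /\.(?!well-known).* {
        deny all;
    }
}
```

After reloading NGINX, check the redirect with `curl -I http://example.com/login` (expect a 301 to the https:// URL) and confirm the login form only ever posts to https://.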
It is needed to encrypt the password on the client side!

  • Leaving the user's password unencrypted means that it will be vulnerable to MITM attacks.
  • SSL termination very often happens on load balancers, which means the plaintext password travels from that point to your web server unprotected, where logging can be enabled by sysadmins, etc.
  • Developers or sysadmins should NOT have the possibility to get to users' passwords, which will happen if you do not encrypt the password on the client.
  • Can you explain this further? I do not understand, for instance, why a password is susceptible to MITM attacks if the server uses HTTPS and only the HTTPS protocol is enabled (HTTP-only is disallowed). You can argue that HTTPS is not *particularly* strong encryption, but I feel like that is another argument. *Assuming* HTTPS is sufficiently strong, how does the Man In The Middle attack occur? I genuinely do not understand. – Mike Williamson Jul 29 '20 at 17:26