How to encrypt a password on the client (AngularJS), send it to the server (expressJS) and decrypt it on the server?
Solution 1
Passwords should never be decrypted. They should be hashed with one-way encryption. The server should provide a nonce so that the client returns a different but verifiable answer on each login.
All passwords should be hashed, salted and stretched. If it can be decrypted, it is not safe. See Serious Security: How to store your users’ passwords safely.
My favorite answer:
You need a library that can encrypt your input on client side and transfer it to the server in encrypted form.
You can use following libs:
- jCryption. Client-Server asymmetric encryption over Javascript
Update after 3 years:
Update after 4 years (Wohoo!)
Still not convinced? Neither am I :)
- OpenPGP.JS - Put the OpenPGP format everywhere - runs in JS so you can use it in your web apps, mobile apps & etc.
See also:
Is it worth hashing passwords on the client side
UPDATE March 2017: Consider getting a free SSL Certificate with
https://letsencrypt.org/about/
Solution 2
The only secure way to securely transmit data between client and server is to secure the connection with SSL. What you're essentially doing is just obfuscation, which can be reversed.
Solution 3
You can use the Stanford Javascript Crypto Library: https://bitwiseshiftleft.github.io/sjcl/. It should work for both Angular and Node.
Beyond that, your best bet is to make sure that you use HTTPS for your connections.
Izaskun Peña
Updated on March 10, 2020
Comments
Izaskun Peña about 4 years
I want to encrypt a password on the client (angular.js), send it to the server (express.js) and decrypt it on the server. I would like a simple method. I use $http to POST requests. I know that the angular-bcrypt library exists, and the same in nodeJS, but it is not worth it for me, because it only has the compare method.
I want something like that:
```javascript
var password = document.getElementById('txtPassword').value;
var xorKey = 129; // you can have other numeric values also
var result = "";
for (var i = 0; i < password.length; ++i) {
  result += String.fromCharCode(xorKey ^ password.charCodeAt(i));
}
```
But, I only found the method for decrypting in C#:
```csharp
public bool Authenticate(string userName, string password)
{
    byte result = 0;
    StringBuilder inSb = new StringBuilder(password);
    StringBuilder outSb = new StringBuilder(password.Length);
    char c;
    for (int i = 0; i < password.Length; i++)
    {
        c = inSb[i];
        c = (char)(c ^ 129); // remember to use the same XOR key value you used in JavaScript
        outSb.Append(c);
    }
    password = outSb.ToString();
    // the rest of your code
}
```
Any idea? Thank you very much. :P
georgeawg about 7 years
Possible duplicate of Password encryption at client side
MBielski almost 8 years
Very true, but doing so makes it one step harder and is often enough to discourage the casual tinkerer that happened to find the developer panel in his/her browser.
MBielski about 7 years
Wow... have to give you props for covering all of the bases!