How to encrypt a password on the client (AngularJS), send it to the server (expressJS) and decrypt it on the server?

Solution 1

Passwords should never be decrypted. They should be hashed with one-way encryption. The server should provide a nonce so that the client returns a different but verifiable answer on each login.

All passwords should be hashed, salted and stretched. If it can be decrypted, it is not safe. See Serious Security: How to store your users’ passwords safely.

My favorite answer:

You need a library that can encrypt your input on client side and transfer it to the server in encrypted form.

You can use following libs:

  • jCryption. Client-Server asymmetric encryption over Javascript

Update after 3 years:

Update after 4 years (Wohoo!)

Still not convinced? Neither am I :)

— Password encryption at client side

See also:

Is it worth hashing passwords on the client side


UPDATE March 2017: Consider getting a free SSL Certificate with

https://letsencrypt.org/about/

Solution 2

The only secure way to transmit data between client and server is to secure the connection with SSL. What you're essentially doing is just obfuscation, which can be reversed.
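Why the XOR scheme in the question is obfuscation rather than encryption, shown concretely. This is an added example, not part of the answer: it re-implements the question's fixed-key XOR (key 129 as in the question) and then reverses it from the attacker's side. The captured payloads are constructed for the example. It goes one step beyond "reversible": the attacker does not need to read the key out of the client JavaScript, because one known password leaks it.

```javascript
// Added example (not from the original answer): the fixed-key XOR from the
// question, and how an observer of the traffic undoes it.
// Client side: c = p ^ k for every character, as in the question.
function xorObfuscate(text, key) {
  let out = '';
  for (let i = 0; i < text.length; i++) {
    out += String.fromCharCode(key ^ text.charCodeAt(i));
  }
  return out;
}

// Attacker side: XOR is its own inverse, so c ^ p = k. One pair of
// (plaintext, obfuscated) values, e.g. the attacker's own login, gives the key
// without ever opening the client code.
function recoverKey(knownPlain, knownObfuscated) {
  return knownPlain.charCodeAt(0) ^ knownObfuscated.charCodeAt(0);
}

// With the key, every other captured payload decodes with the same function
// the client used to "encrypt" it.
function decodeCaptured(capturedPayloads, key) {
  return capturedPayloads.map((c) => xorObfuscate(c, key));
}

// Constructed scenario: the key is unknown to the attacker, who registers an
// account with a password they chose, captures their own request, then
// captures two other users' login requests on the same unencrypted channel.
const SERVER_KEY = 129;
const attackerKnownPlain = 'attacker1';
const attackerOwnCapture = xorObfuscate(attackerKnownPlain, SERVER_KEY);
const otherUsersCaptures = ['hunter2', 'correct horse']
  .map((p) => xorObfuscate(p, SERVER_KEY));

function demo() {
  const key = recoverKey(attackerKnownPlain, attackerOwnCapture);
  return { recoveredKey: key, passwords: decodeCaptured(otherUsersCaptures, key) };
}
```

Nothing about the key length changes this: a longer repeating key falls to the same known-plaintext step one position at a time, and a key embedded in client JavaScript is readable by anyone who loads the page.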

Solution 3

You can use the Stanford Javascript Crypto Library: https://bitwiseshiftleft.github.io/sjcl/. It should work for both Angular and Node.

Beyond that, your best bet is to make sure that you use HTTPS for your connections.

Author: Izaskun Peña

Updated on March 10, 2020

Comments

  • Izaskun Peña, about 4 years ago

    I want to encrypt a password on the client (angular.js), send it to the server (express.js) and decrypt it on the server. I would like a simple method. I use $http to POST requests. I know that the angular-bcrypt library exists, and the same in Node.js, but it is not worth it for me, because it only has the compare method.

    I want something like this:

    var password = document.getElementById('txtPassword').value;
    var xorKey = 129; /// you can have other numeric values also.
    var result = "";
    for (var i = 0; i < password.length; ++i) {
        result += String.fromCharCode(xorKey ^ password.charCodeAt(i));
    }
    // result is the obfuscated string that gets POSTed with $http
    

    But I only found the method for decrypting in C#:

    using System.Text; // at the top of the file, for StringBuilder

    public bool Authenticate(string userName, string password)
    {
        StringBuilder inSb = new StringBuilder(password);
        StringBuilder outSb = new StringBuilder(password.Length);
        char c;
        for (int i = 0; i < password.Length; i++)
        {
            c = inSb[i];
            c = (char)(c ^ 129); /// remember to use the same XORkey value you used in javascript
            outSb.Append(c);
        }
        password = outSb.ToString(); // password is back in plain text here

        // your rest of code
    }
    

    Any idea? Thank you very much. :P

  • MBielski, almost 8 years ago
    Very true, but doing so makes it one step harder and is often enough to discourage the casual tinkerer that happened to find the developer panel in his/her browser.
  • MBielski, about 7 years ago
    Wow... have to give you props for covering all of the bases!