How to store password in angularjs securely

I'm planning to do a restful login in a non ssl encrypted site by storing the username / password entered by the user into javascript variable.

Everytime the user does a request, my app would first request a token from the server then combined it with the stored $scope.password, hashed then sent to the server for validation. If the validation is correct,then the request will continue, otherwise it will be stopped.

Also, everytime the validation is done, the server creates a new token, whether the it is valid or not.

According to my knowledge, it would be secure if I use immediate functions, but since I'm going to use angularjs, I don't think it is possible, so how do I ensure that the username / password stored in the memory is not hackable?

Thanks.


You cannot prevent that someone reads the username and password from the memory, but you could spend some effort on what is send to the server.

You should try to hash the password and username when sending them to the server. Use a salt that is unique to the users session, so it is more unpredictable and requires a full record of the whole traffic.

This will not result in absolute security, but raise the bar for some one else to read everything.

PS: I would strongly recommend to use SSL.


I think you need to define what you mean by "securely". In particular, define exactly what it is you are trying to defend against and why you aren't protecting against the common attack vectors.

If you are purely trying to protect the physical device against memory reads, then you're out of luck as NOTHING can do that. Yes, there are ways to make it more difficult, but ultimately if they have physical access to the device then nothing you can do will prevent loss.

If you are talking about man in the middle or similar style attacks then by ignoring the best tool in your kit (SSL certs) you have already lost.

The only sites that work by caching and constantly resubmitting the user/pw are ones built by those who have no idea what they are doing because it is a very bad practice.

链接地址: http://www.djcxy.com/p/16154.html

上一篇: 没有Java(JRE)/(JDK)...没有虚拟机

下一篇: 如何安全地在angularjs中存储密码