3

We're currently developing a web-application that needs to decrypt data stored on the server with the user's password. The main goal is to not ask the user again for his password so the idea is, after login, store the password in a global JavaScript variable to have access to it later on when downloading and decrypting the files. Somehow I don't like the notion of keeping the password around, but from a marketing perspective the higher priority is convenience.

Am I just being paranoid or is this a possible security problem? If this could be a security problem, how can I implement this in a safe way that does not interfere with the convenience factor?

edit

Data is encrypted on the client when uploading and shall be decrypted on the client after the download. The user's password is stored on the server hashed with SHA-256.

Improve this question
7
  • You want to have the password available offline? Commented Sep 5, 2013 at 14:34
  • 6
    Never, ever, ever store a password in JavaScript, a cookie, or localstorage. Commented Sep 5, 2013 at 14:34
  • 2
    It would probably be better to store a token generated with the password. What are you using for the server? Commented Sep 5, 2013 at 14:34
  • Something that might be an enlightening read while we are on the topic: torrentfreak.com/… . Basically how Mega stores the user master key in localStorage. Commented Sep 5, 2013 at 14:36
  • 2
    Do not store it in javascript. If it's possible to exploit a XSS vulnerability in your site, the password could be sent to the attacker. Commented Sep 5, 2013 at 14:36

2 Answers 2

Reset to default
1

Have you considered using Session variables? They are much more secure.

And if you need to stick to client side JavaScript, I think you can store them in cookies.

However, I'm not sure what you are really trying to achieve for your app.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

The cookies have the same security level than a simple javascript variable. It is really easy to read them, for the user, or for a hacker who would have succeeded an XSS attack.
Exactly, cookies are not secure, and I never said they are secure. But you shouldn't be storing the password anywhere in the first place. Please read the Answer thoroughly before commenting.
0

Have you considered creating an object that handles the decryption that has private access to the password, via the module pattern?

http://www.adequatelygood.com/JavaScript-Module-Pattern-In-Depth.html

Improve this answer

10 Comments

It doesn't secure the process. This only helps the developpers to have variables less accessible.
When you say 'less accessible', are you saying that the variable is still able to be obtained by code other than that declared within the closure? If so, and for my own personal enrichment, I would like to know how?
In javascript, every variable is global. I don't know how your library really works, but you can be sure that the data it contains can be available with another name.
Open up developer tools and you can see and access anything in your client-side code.
It's very simple, really. You should never store sensitive data client-side since it is fairly easily accessible to anyone. If you have a closure that decrypts this password, anyone will be able to see the password if they simply open up their developer tools and set a breakpoint.
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.