Saturday, June 7, 2014

Re: Making browser save username & password

I wouldn't think so. Then you have to decrypt it, and where do you do that? In your JavaScript? Or you could use the old UNIX approach--never decrypt, just apply the matching 2-character salt and see if the encrypted words match. But exposing the salt allows for dictionary/brute force techniques to break the password.

As I said, I don't store passwords. I don't let my browser do so and I don't use a password management tool (except to speed testing on a few inside-the-firewall machines). If my customers choose to, well... (I'm recalling a fellow who wrote the vault combination on the back of his business card; <shudder>.) I tend to be fatalistic about security--if it's online, it can (eventually) be found and cracked, and there are folks a whole lot smarter than me to do it.

On Saturday, June 7, 2014 10:06:45 AM UTC-4, Blake wrote:
I don't suppose encrypting it before saving it to local storage is very effective, is it?


On Sat, Jun 7, 2014 at 1:34 AM, Thomas Broyer <t.br...@gmail.com> wrote:


On Saturday, June 7, 2014 5:31:51 AM UTC+2, Blake wrote:
Thanks a lot for your input!  I thought about doing it this way, and I like it a lot for all the reasons you state.  This would be the best and easiest approach.  My only problem with it was that I fear security.  I really don't understand cookies and local storage well.  I could encrypt the password.  I just don't understand if an app from another site can just read my local storage.  Do you have any comments about that concern?


DON'T DO THAT!
Your fears are well-founded. The only secure way to store a password is in a password manager (the one from the browser, or something like LastPass or 1Password).

With this approach, if there's an XSS vulnerability anywhere in your site (not only the login page, not only the GWT app) it could be exploited to read the localStorage.
Similarly for cookies, which is why cookies should never be readable by scripts (i.e. should have the HttpOnly flag) unless it's really needed (which should never be the case when the cookies are about security).

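As an added example (not code from anyone in the thread), here is a small Node.js check for the cookie point Thomas makes above: a login handler should emit the session cookie with HttpOnly (and Secure, plus an explicit SameSite), and an audit of any Set-Cookie header can flag when those are missing. The function names and the weak sample cookie are constructed for this illustration.

```javascript
// Attributes a session cookie must carry so that page scripts (and thus any
// XSS anywhere on the site) cannot read it and it never travels in clear.
const REQUIRED = ['httponly', 'secure'];

// Split "name=value; Attr; Attr=val" into name, value and a lowercase
// attribute map (valueless attributes such as HttpOnly become `true`).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attributes = {};
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes };
}

// Returns the list of problems found; an empty list means the cookie is
// unreadable by scripts, sent only over TLS and has a strict/lax SameSite.
function auditSetCookie(header) {
  const { attributes } = parseSetCookie(header);
  const problems = [];
  for (const req of REQUIRED) {
    if (!(req in attributes)) problems.push(`missing ${req}`);
  }
  const ss = String(attributes.samesite || '').toLowerCase();
  if (ss !== 'strict' && ss !== 'lax') problems.push('samesite not strict/lax');
  return problems;
}

// Build the header a login handler should send. The cookie holds only an
// opaque server-side session id; the password itself is never stored
// client-side, neither in a cookie nor in localStorage.
function buildSessionCookie(name, sessionId, maxAgeSeconds) {
  return `${name}=${encodeURIComponent(sessionId)}; Path=/; ` +
    `Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Strict`;
}

// Constructed sample of the mistake the thread warns against: a credential
// in a script-readable cookie.
const weakCookie = 'auth=alice:hunter2; Path=/';
console.log(auditSetCookie(weakCookie));
console.log(auditSetCookie(buildSessionCookie('sid', 'a1b2', 3600)));
```

The same audit can be run over real response headers captured from a test environment to confirm nothing security-relevant is exposed to `document.cookie`.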
