ltb-project / self-service-password

Web interface to change and reset password in an LDAP directory
https://self-service-password.readthedocs.io/en/latest/
GNU General Public License v3.0

Client side encryption of passwords #181

Open BShadeWork opened 6 years ago

BShadeWork commented 6 years ago

Generally HTTPS/SSL is good enough, but when used in public places/computers, client-side 'hashing' would be nice for this; otherwise a quick click on F12/Network and anyone can log the client-side passwords with no special software.

So (as per https://stackoverflow.com/a/45232435 or similar at https://medium.com/@tikiatua/symmetric-and-asymmetric-encryption-with-javascript-and-go-240043e56daf but not using Go!) some kind of client-side encryption with a public key and asymmetric keys would be good, so the passwords are not 'stored' or 'sent' in plaintext at the client.

Thoughts?  

coudot commented 6 years ago

I understand the way it works, but I don't think this is really needed. This will indeed require some JavaScript and crypto code to encrypt/decrypt on the fly.

I set this to a very low priority.

BShadeWork commented 6 years ago

Yes, agreed, low priority, but it is just that I have come across a similar case (website authentication) and I had to implement this kind of encryption to fix it. I don't think I need it (yet) for self-service-password in my current usage, and if I do I will submit it. Thanks