What security threats does btoa() in javascript help me with?

Question

Let's say I have an authentication method where I do a http post to get a token from server:

$http({
     method: 'POST',
     url: '/Token',
     processData: false,
     contentType: 'application/x-www-form-urlencoded',
     data: "grant_type=password&username=" + UserName + "&password=" + Password
...

Here I send the username and password as clear text.

If I instead encrypt my username and password with the javascript function btoa() (which is well used and recommended to be used How can you encode a string to Base64 in JavaScript?) like this:

$http({
     method: 'POST',
     url: '/Token',
     processData: false,
     contentType: 'application/x-www-form-urlencoded',
     data: "grant_type=password&username=" + btoa(UserName) + "&password=" + btoa(Password)
...

What security threats does this really help me with? I mean, the fact that my javascript code is reachable for anyone on my website it's possible to find the script which calls btoa(). Then they can just decrypt the username and password with atob() and I'm back to square one.

security thru obscurity. also it is not encryption. – Daniel A. White Apr 11 '16 at 12:55 — Daniel A. White, Apr 11 '16 at 12:55

score 4 · Accepted Answer · answered Apr 11 '16 at 13:12

The btoa() and atob() functions does not provide any security improvements, since they are not encrypt/decrypt but just encode/decode data to text representation and back to the original look. Usually the functions are used for binary data, like images, etc.

Having a string encoded with btoa() anyone can easily decode it with its opposite function. Doesn't sound secure, does it ;)

What security threats does btoa() in javascript help me with?

1 Answers1