-2

Help me with a decision. I have a JSP page with a password field:

```html
<div>
   <label for="p">Password:</label>
   <input type="password" name="pass" id="p" />
</div>
```

I need (on the client side) to encrypt it to MD5, for example, and send it to a servlet. I don't want to use JSP scriptlets, because that is not the best decision in Java. Maybe somebody knows how to write a JS function?

sati_17
  • 3
    What's the point in encrypting the password on the client side? – moritzg Jun 14 '17 at 12:53
  • 1
    and, MD5 is no encryption, it's a hashing algorithm – Thomas Jun 14 '17 at 12:54
  • 3
    MD5 is hashing, not encrypting (and is a poor choice for the former anyway). If you want to securely pass data from the client to the server use HTTPS, that's what it's for. – Alex K. Jun 14 '17 at 12:54
  • Did you search MD5 JavaScript.... but not sure what the point is – epascarello Jun 14 '17 at 12:54
  • Recent browsers have a crypto API that you might like: http://caniuse.com/#feat=cryptography, yet, what's the point of it? – sjahan Jun 14 '17 at 12:55
  • 1
    Client-side encryption using JS is mostly pointless: https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/august/javascript-cryptography-considered-harmful/ – Haroldo_OK Jun 14 '17 at 12:56
  • Possible duplicate of [Password encryption at client side](https://stackoverflow.com/questions/4121629/password-encryption-at-client-side) – Haroldo_OK Jun 14 '17 at 12:56
  • Do not encrypt the password on the client side, send the password to the server over HTTPS. On the server side iterate over an HMAC with a random salt for about a 100ms duration and save the salt with the hash. Use a function such as `PBKDF2`, `Rfc2898DeriveBytes`, `password_hash`/`password_verify`, `Bcrypt` or similar functions. The point is to make the attacker spend a lot of time finding passwords by brute force. – zaph Jun 14 '17 at 13:56
  • 1
    You've tagged this question with the ssl tag, and SSL is the answer. Curious. – Omid Reza Heidari Jun 14 '17 at 13:59
  • @snip1377 there is no ssl tag. – zaph Jun 14 '17 at 14:00
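
The server-side scheme described in zaph's comment (random salt, PBKDF2 tuned to about 100 ms, salt saved with the hash), as an added example that is not part of the original thread. The class `PasswordStore`, its method names and the `iterations:salt:hash` record layout are assumptions; the password is assumed to arrive as plaintext over HTTPS.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example; class, method names and record layout are hypothetical.
public class PasswordStore {
    private static final String ALG = "PBKDF2WithHmacSHA256";
    private static final int SALT_BYTES = 16, HASH_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    static byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, HASH_BITS);
        return SecretKeyFactory.getInstance(ALG).generateSecret(spec).getEncoded();
    }

    // Doubles the iteration count until one derivation takes about targetMillis on this host.
    static int calibrate(long targetMillis) throws Exception {
        int iterations = 10_000;
        for (;;) {
            long start = System.nanoTime();
            pbkdf2("calibration".toCharArray(), new byte[SALT_BYTES], iterations);
            if ((System.nanoTime() - start) / 1_000_000 >= targetMillis) return iterations;
            iterations *= 2;
        }
    }

    // Returns "iterations:salt:hash" so the salt and the cost are saved with the hash.
    static String hash(char[] password, int iterations) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt); // fresh random salt per password
        return iterations + ":" + Base64.getEncoder().encodeToString(salt) + ":"
                + Base64.getEncoder().encodeToString(pbkdf2(password, salt, iterations));
    }

    // Re-derives the hash with the stored salt and cost, then compares in constant time.
    static boolean verify(char[] password, String stored) throws Exception {
        String[] p = stored.split(":");
        byte[] actual = pbkdf2(password, Base64.getDecoder().decode(p[1]), Integer.parseInt(p[0]));
        return MessageDigest.isEqual(Base64.getDecoder().decode(p[2]), actual);
    }

    public static void main(String[] args) throws Exception {
        String record = hash("correct horse".toCharArray(), calibrate(100)); // constructed sample
        System.out.println(record);
        System.out.println(verify("correct horse".toCharArray(), record) + " "
                + verify("wrong guess".toCharArray(), record));
    }
}
```

Storing the iteration count inside each record lets the cost be raised later without invalidating existing hashes.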

1 Answer

0

You need a library that can encrypt your input on client side and transfer it to the server in encrypted form.

You can use the following libs:

  • jcryption. Client-server asymmetric encryption over JavaScript

Update after 3 years:

Update after 4 years (Wohoo!)

you can use this too:

Runs in JS, so you can use it in your web apps, mobile apps, etc.

Omid Reza Heidari