I have a web application which has a mini JavaScript function that accesses an API which needs a username and password for authentication. I call the API like the script below.

var api_result = api.auth('myusername','mypassword').get({ some statement });

My problem is: what is the best way to encrypt the username and password?

Because in the Chrome browser this message is being returned:

This page includes a password or credit card input in a non-secure context. A warning has been added to the URL bar. For more information.

Nisarg Shah
Anthony
  • First - `Don't call it a password`. Second - **Hash** the **salted** user-entered value and then send it via `post` request. – gurvinder372 Sep 27 '17 at 06:22
  • To encrypt and decrypt the username and password, use sjcl: https://github.com/bitwiseshiftleft/sjcl – Ajit Soman Sep 27 '17 at 06:23
  • Use AES encryption in your JavaScript code. Check this: https://stackoverflow.com/questions/793812/javascript-aes-encryption – Gurunatha Dogi Sep 27 '17 at 06:24
  • @gurvinder372 what's the use case of salting it on the frontend??? – Jonas Wilms Sep 27 '17 at 06:28
  • I have no control over the API application. Is there another way to do it? I am afraid that I cannot be authenticated due to the hashed string. – Anthony Sep 27 '17 at 06:35
  • @Jonasw you can recover the original value from a hashed, un-salted value; see this example: http://md5decrypt.net/ – gurvinder372 Sep 27 '17 at 06:37
  • @Anthony — I suspect the warning is about your page and not the API – Quentin Sep 27 '17 at 06:38
  • @gurvinder372 what's your point?? It does not make sense to encrypt data in the frontend. A safe tunnel, aka `https`, is the only thing we can do to improve security. – Jonas Wilms Sep 27 '17 at 06:38
  • @Jonasw https cannot completely prevent exposure of your password: https://security.stackexchange.com/questions/101721/is-it-possible-for-corporation-to-intercept-and-decrypt-ssl-tls-traffic?noredirect=1&lq=1 .... Even an admin shouldn't be able to recover your password. If https was the `only thing we can do to improve security`, things like salted hashes, CSRF, etc. wouldn't be designed at all. – gurvinder372 Sep 27 '17 at 06:44
  • @gurvinder372 READ AGAIN! The OP has no control of the backend. – Jonas Wilms Sep 27 '17 at 06:46
  • @Jonasw I read `My problem is what is the best way to encrypt the username and password?` Are you sure you are reading the same question? – gurvinder372 Sep 27 '17 at 06:49
  • @gurvinder372 — It is very important that you read the *whole* question and not just cherry pick a single sentence from it to answer. (Also, please stop using the markup for code to indicate emphasis). – Quentin Sep 27 '17 at 06:49
  • @Quentin I didn't give any *answer*, did I? – gurvinder372 Sep 27 '17 at 06:51
  • @quentin thanks :) – Jonas Wilms Sep 27 '17 at 06:52

1 Answer

This page includes a password or credit card input in a non-secure context. A warning has been added to the URL bar.

You are getting that warning because your website is not using HTTPS and is instead using HTTP. HTTPS creates an encrypted tunnel between client and server, which prevents network sniffers from stealing important user data. More Info.

Here's proof the warning he is getting is due to HTTPS.

Lars Peterson
  • MD5 is a hashing algorithm; it doesn't do encryption. It is also extremely weak and should not be used anymore at all. – Quentin Sep 27 '17 at 06:30
  • @LarsPeterson — Why mention it at all then? – Quentin Sep 27 '17 at 06:32
  • @Jonasw — It isn't, but the way they should get encryption is to use HTTPS and not be distracted by red herrings like MD5. – Quentin Sep 27 '17 at 06:33
  • @quentin yep. However, as the OP edited, it would be fair now to remove the downvotes ... – Jonas Wilms Sep 27 '17 at 06:34
  • Re edit: "The are hundreds of ways to encrypt data. More Info." — That's an article that focuses on encrypting data stored on a hard disk. It has absolutely nothing to do with what the question is asking about. – Quentin Sep 27 '17 at 06:34
  • Re edit: (You changed the more info URL): The question is asking about sending data over HTTP, not about storing it in a database. They're even using a third party API so they have no access to the database. – Quentin Sep 27 '17 at 06:40
  • @Quentin _My problem is what is the best way to encrypt the username and password?_ I was not aware he was only talking about `HTTPS` until now. – Lars Peterson Sep 27 '17 at 06:41
  • @LarsPeterson — If you didn't recognise it, then putting the error message quoted in question into a search engine would have given you the context needed to understand that. – Quentin Sep 27 '17 at 06:45
  • @Quentin I understood he was talking about `HTTPS`, however when I saw him ask about the username and password, I thought he meant storage encryption. – Lars Peterson Sep 27 '17 at 06:50
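The point of the answer and the comment thread, HTTPS rather than client-side encryption, as an added example that is not code from the question or the answer: a guard that refuses to hand credentials to the API unless both the page and the API endpoint are served over HTTPS, which is the condition the Chrome warning is about. The `api` object from the question is not used; `pageOrigin` and `fetchFn` are assumed inputs (window.location.origin and window.fetch in a real page), and HTTP Basic is an assumed scheme because the question does not say how the API authenticates.

```javascript
// Added example: refuse to transmit credentials from a non-secure context.
// Assumes pageOrigin = window.location.origin and fetchFn = window.fetch in a browser.

// Chrome treats https:// origins (and localhost) as secure contexts; anything else
// is where the "password input in a non-secure context" warning comes from.
function isSecureOrigin(url) {
  return url.protocol === 'https:' ||
    url.hostname === 'localhost' ||
    url.hostname === '127.0.0.1';
}

// Returns { ok, reason } so the caller can log why a request was blocked.
function assertSecureContext(pageOrigin, apiUrl) {
  const page = new URL(pageOrigin);
  const api = new URL(apiUrl);
  if (!isSecureOrigin(page)) {
    return { ok: false, reason: 'page served over ' + page.protocol + ' (non-secure context)' };
  }
  if (!isSecureOrigin(api)) {
    return { ok: false, reason: 'API endpoint ' + api.origin + ' is not HTTPS; credentials would travel in clear text' };
  }
  return { ok: true, reason: '' };
}

// HTTP Basic (assumed scheme). Base64 is encoding, not encryption: the header is
// readable by anyone on the path, which is exactly why the transport must be TLS.
function buildAuthHeader(username, password) {
  const raw = username + ':' + password;
  const b64 = typeof btoa === 'function' ? btoa(raw) : Buffer.from(raw, 'utf8').toString('base64');
  return 'Basic ' + b64;
}

// Sends the credentials in a header (never in the URL, so they stay out of
// server logs and browser history), but only after the transport check passes.
function callApi(pageOrigin, apiUrl, username, password, fetchFn) {
  const check = assertSecureContext(pageOrigin, apiUrl);
  if (!check.ok) {
    throw new Error('refusing to send credentials: ' + check.reason);
  }
  return fetchFn(apiUrl, {
    method: 'GET',
    headers: { Authorization: buildAuthHeader(username, password) }
  });
}
```

Hashing or "encrypting" the password in the browser would not change this check: whatever string the script sends is what the API accepts, so it has to be protected in transit either way.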