I'm building a Chrome extension and one of its functionalities is to contact my server to store a message on it. Only known users can do it.

My issue is that the way I am doing it is not secure. I have a database on my server in which I store the user name and encrypted password.

To send a message to my server, the user must write his password each time; the extension doesn't memorize it. If I use XMLHttpRequest to contact my server, I have two choices. I can send:

myServerDomain + '?message=' + myMessage + '&user=' + myUserName + '&password=' + myPassword

And encrypt the password on my server to check if it is the right one.

Or I can send:

myServerDomain + '?message=' + myMessage + '&user=' + myUserName + '&password=' + myPasswordEncrypted

And directly check on my server whether myPasswordEncrypted matches the one saved.

But for both ways, I only have to access the user's computer, open the Google Chrome window, go to the console and then to the network requests to obtain myPasswordEncrypted or myPassword, and then send my own modified request.

How can I secure it?

Nucktrooper
  • Do not encrypt passwords; hash them with a salt and iterate to achieve a 100 ms duration. Use functions such as password_hash, PBKDF2, Bcrypt and similar functions. See the OWASP (Open Web Application Security Project) [Password Storage Cheat Sheet](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet#Leverage_an_adaptive_one-way_function). – zaph Jun 21 '16 at 15:11

1 Answer

If a password is making it to your server with no encryption, you're doing it wrong. The first thing you absolutely must do is make sure that the password is being sent over HTTPS. After that, you can hash it on the server. Hashing it on the client is near pointless; it's a ridiculously easy method to circumvent. See here for more details.

master565