How to hide manager password from user on web app?

Time:12-19

I am creating a web app on a LAMP stack where I have users with their own logins and passwords. Typical users of the application have limits on operations. For example they cannot approve an order over $5000. If there is an order over $5000, they have to get a manager to come to their desk and enter in his/her username and password to approve the order.

I can easily create a form for the manager to enter his/her credentials into an HTML password input, but here is the problem. When the manager enters their credentials into the browser, the password field is hidden from the user. But when the form is submitted, the password is transmitted in clear text. In theory, a user could get the password by using F12 or by looking at the POST.

I wanted to hash the passwords before submitting the form, but the problem is that PHP stores the passwords using BCRYPT, and javascript can only digest with SHA.

So basically my question is: how can I ensure that the manager password is hidden from the user and they cannot get it?

CodePudding user response:

javascript can only digest with SHA

I'm sure you could find implementations of bcrypt in client-side Javascript…

That won't really solve your problem though. If the password is hashed client-side, then the server cannot hash it further and needs to accept the hash as is to compare it directly to the stored hash. Which in essence means, the hash becomes the password, so the user could send the same hash again to the server and pass the test.

Further, bcrypt should be using random salts, so in order to recreate the same hash, the server would need to send the used salt to the client so it can create the correct hash. This is all madness.

Instead, you probably want some sort of challenge protocol. The idea being that the value the client sends to the server is different every time, so even if the attacker sees the value, they cannot reuse it. For this purpose the server would make up some random value, send that to the client, the client calculates some answer given the password and the random value, and sends only that to the server. A rough overview of different algorithms can be found at MDN and elsewhere.

This still won't solve the issue of the attacker installing some keyboard logger, or simply overriding some Javascript handler to log the entered password to the console before answering the challenge. In the end, if you don't trust the attacker and the attacker has full control over the system the password is entered into, there's nothing much you can do.
