Encrypting/decrypting password when authenticating to user/session


#1

I haven’t been able to find any documentation on encrypting the password value that is passed to /user/session. Do server-side scripts support including a third-party library like CryptoJS, or would I need to roll my own? If I need to roll my own, does DSP have support for reusable server-side scripts that can be used across multiple endpoints?


#2

What is your reasoning for wanting to encrypt the password sent to /user/session? Are you not connecting via SSL?

I don’t believe that server-side scripting currently has any additional libraries accessible other than Lo-Dash.


#3

@leehicks More out of general paranoia than anything else - SSL hasn’t had the best year :wink: Also as a way to explore server-side scripts.

After doing some additional planning on this, I’m going to end up storing the passwords hashed and hashing them on the client before sending them off. This should cover my concerns.


#4

Maybe I am misreading the below:

After doing some additional planning on this, I’m going to end up storing the passwords hashed and hashing them on the client before sending them off. This should cover my concerns.

If you did it this way, the password being sent would match the password being stored, so your hashing, however good, would be worth nothing. You might as well send and store a plain-text password.

On the client side, if connecting with SSL, the connection is encrypted, so there is no requirement to hash it. If you hashed it in JavaScript client-side, you would clearly be able to see your hashing methods and manipulate them as required… Server-side, salt and a good algorithm would be good enough.