
Question

I am developing a Chrome extension for this non-profit. I'm also working on the server-side component as well. I'm not a full-time developer, so most of my knowledge has simply come from years of collecting random information. One thing this program needs to do is log in to the server and retrieve a code unique to the user. Luckily, from how it's working out in my mind, we don't need to store the password, only retrieve and store their unique ID. However, we will need to log in to get that ID.

So my question is: if I use bcrypt in JavaScript to hash the password within the extension and then send the email + hash over to the server (via HTTPS, of course), is there any security risk here? I'm not thinking of one off the top of my head, but I just figured I would consult a few people who live in this world on a regular basis. Thanks!

Explanation / Answer

Is there a security risk? No.

Is there a security advantage? No.

Using HTTPS means that the password is protected in transit, and that it is being sent to the server you intend to. Hashing the password client-side and sending the hash gains nothing: an attacker in a position to look inside the SSL tunnel and steal a plain-text password (e.g. malware installed on the client) can instead steal the hash and pass it when impersonating the user.

As a side note, there are problems with hashing or encryption in JavaScript. Using a browser extension rather than in-page JavaScript avoids many of them, but there's still a speed issue: JavaScript is slow compared to native code, so you can't afford anywhere near as many rounds of bcrypt hashing.