
I am using Angular for login & signup and encrypting the password with crypto-js, and the password is also getting encrypted on the backend side (here the encrypted key of crypto-js is getting encrypted by the backend (Java) and stored in the database).

Now the question is how do I match the password for login (because whenever I am logging in it shows httpStatus= BAD_REQUEST, description= password not matched)? Is there any frontend Angular method to decrypt the string from the backend? Or any other solutions?

I have tried multiple ways to encrypt the password the same way as is done in the backend, but failed!

  • You don't want to have any secrets in your frontend. Your BE should do the heavy lifting. – Philipp Meissner Dec 13 '22 at 16:38
  • You can't have the frontend make the decision about whether a password is valid or not because you don't control the execution environment. It cannot be trusted. At all. Ever. Also, [don't encrypt passwords but hash them instead](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html). – Peter Dec 13 '22 at 16:38
  • You should not be able to retrieve clear text password, use a one-way hash like bcrypt. When user tries to login, you regenerate the hash and compare. Holding the clear text password in the client is VERY insecure. – Taylor Dec 13 '22 at 16:39
  • Holding a clear text password in a client may be mandatory for functionality. Just think of a JDBC client. At most you can have an encrypted version of that on disk. Better use some vault. – Queeg Dec 13 '22 at 16:44

1 Answer


The encrypted password should be non-decryptable.

What usually happens is that the passwords get hashed. Of course you need to use the same algorithm as you did when setting the password to ensure that the hash values are the same.

See also How can I hash a password in Java?

Queeg