
I've never seen any example of this and I'm just curious why? Why is it not okay just to pass it through HTTPS + encoded in a JWT? I will not be storing the password anywhere on the client side, I will just be reading it once. I'm pretty sure it's not okay, but what exactly is the reason?

rahc01
    Security rule number one when processing passwords is to never store it anywhere unless there is no alternative. A random token for authentication is always better than the password. A password is property of the user, handle it with care! – Robert Dec 13 '21 at 20:23
  • *"A random token for authentication is always better than the password."* - and a token which has a limited expiration is even better than that. You need to assume that protections might be incomplete or have bugs, so the question is what can be done when the secret is exposed. A password might provide access to multiple sites (problem of password reuse), a random token limits access only to this site and with expiration added even for a limited time only. – Steffen Ullrich Dec 13 '21 at 21:48
  • Please clarify your specific problem or provide additional details to highlight exactly what you need. As it's currently written, it's hard to tell exactly what you're asking. – Community Dec 14 '21 at 03:41

1 Answer


Short answer: The password is a secret. Every time you share (transmit) a secret, you risk it.

Longer answer:

  1. You should avoid storing the password on the server in the first place, so this shouldn't be possible (use salted hashes or something better).

  2. There is no reason to send the password to the client. The user should already have the password. If they don't, the password should be reset, not shared. The client shouldn't need the password.

  3. If multiple operations require authentication, typically you would use a separate / distinct / random / limited-time-use token stored on the client, not a password.

Hypothetical:

You suggest using HTTPS + JWT for sending the password. Assume perfect security for this transmission. How do you know the client system has not been compromised between the login and you sending the password back? This would mean that the password was transmitted from the client to the server in secret, but that when you send the password back to the client, the password was compromised, permitting the attacker to authenticate as the user going forward, with no-one the wiser.

Slartibartfast
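The three points in the answer (store only a salted hash, never send the password back, hand out a random short-lived token for subsequent requests) fit in a few dozen lines. The following is an added example, not code from the question or the answer; it uses in-memory dictionaries as a stand-in for a database and takes an optional `now` argument so expiry can be exercised without waiting. The user names, the password, the iteration count and the 15-minute lifetime are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed in-memory stores standing in for a database (assumption for this example).
USERS = {}     # username -> {"salt": bytes, "hash": bytes}; the plaintext is never kept
SESSIONS = {}  # token -> {"user": str, "expires": float}

# Work factor for PBKDF2-HMAC-SHA256; raise it as hardware allows (illustrative value).
PBKDF2_ITERATIONS = 600_000
# Lifetime of a login token. Short, so a token leaked from a compromised client
# is useful to an attacker for minutes, not for as long as the password stays valid.
TOKEN_TTL_SECONDS = 15 * 60


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, slow hash of the password. Only this value is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _derive(password, salt)}
    # After this returns, the server holds salt + hash only, so there is no
    # plaintext password that *could* be sent back to any client.


def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Verify the password once; on success return a random session token, never the password."""
    rec = USERS.get(username)
    if rec is None:
        # Run the KDF anyway so an unknown user takes as long as a wrong password.
        _derive(password, os.urandom(16))
        return None
    if not hmac.compare_digest(_derive(password, rec["salt"]), rec["hash"]):
        return None
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, unrelated to the password
    current = now if now is not None else time.time()
    SESSIONS[token] = {"user": username, "expires": current + TOKEN_TTL_SECONDS}
    return token


def authenticate(token: str, now: Optional[float] = None) -> Optional[str]:
    """Resolve a token to a user, or None if it is unknown or expired."""
    sess = SESSIONS.get(token)
    if sess is None:
        return None
    current = now if now is not None else time.time()
    if current >= sess["expires"]:
        SESSIONS.pop(token, None)  # expired tokens are discarded, not renewed
        return None
    return sess["user"]


def logout(token: str) -> None:
    """Revoking a token costs nothing; revoking a leaked password costs the user a reset."""
    SESSIONS.pop(token, None)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    tok = login("alice", "correct horse battery staple")
    print("login ok, token issued:", tok is not None)
    print("token resolves to:", authenticate(tok))
    print("plaintext stored anywhere on server:", b"correct horse" in USERS["alice"]["hash"])
```

The client only ever holds `tok`. If that client is compromised after login, as in the answer's hypothetical, the attacker gets a credential the server can expire or revoke, not a reusable password that may also open the user's other accounts.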