I'm building a system requiring a password. My question is, should I encrypt it frontend or backend? If I do it frontend (with javascript probably) then everyone could crack the encryption = big security issue. But if I do it backend, then the plain password has to be sent somehow which also will create a security hole. So my question is how I should do this properly?

I'm building a system requiring a password. My question is, should I encrypt it frontend or backend? If I do it frontend (with javascript probably) then everyone could crack the encryption = big security issue. But if I do it backend, then the plain password has to be sent somehow which also will create a security hole. So my question is how I should do this properly?

• javascript
• node.js
• encryption

• 3 "how I should do this properly?" - use SSL ? – Mitch Wheat Commented Jan 1, 2014 at 14:33
• 4 use HTTPS/SSL protocol – StarsSky Commented Jan 1, 2014 at 14:33
• Oh, my.. Been working all night, too tired to even think about that xD Thanks alot! – user3054852 Commented Jan 1, 2014 at 14:56

2 Answers 2

You should never try to create your own security protocols or throw around your own crypto. It is remended to use the best standards available. To achieve what you're trying to do, I'd use a standard HTTPS/SSL protocol. And yes, as 'damphat' mentions, salting passwords is crucial, along with latest hash functions.

Your encryption should be on the server. As long as you are sending the plain text password over HTTPS, the password is safe from everyone except the NSA :)