How to store password in angularjs securely


I’m planning to do a RESTful login on a non-SSL-encrypted site by storing the username/password entered by the user in a JavaScript variable.

Every time the user makes a request, my app would first request a token from the server, then combine it with the stored $scope.password, hash it, and send it to the server for validation. If the validation is correct, the request will continue; otherwise it will be stopped.

Also, every time the validation is done, the server creates a new token, whether it is valid or not.

According to my knowledge, it would be secure if I used immediate functions, but since I’m going to use AngularJS, I don’t think that is possible, so how do I ensure that the username/password stored in memory is not hackable?

Thanks.

How to solve:


Method 1

You cannot prevent someone from reading the username and password from memory, but you could spend some effort on what is sent to the server.

You should try to hash the password and username when sending them to the server. Use a salt that is unique to the user’s session, so it is harder to predict and reading it requires a full record of the whole traffic.

This will not result in absolute security, but it raises the bar for someone else to read everything.

P.S.: I would strongly recommend using SSL.

Method 2

I think you need to define what you mean by “securely”. In particular, define exactly what it is you are trying to defend against and why you aren’t protecting against the common attack vectors.

If you are purely trying to protect the physical device against memory reads, then you’re out of luck as NOTHING can do that. Yes, there are ways to make it more difficult, but ultimately if they have physical access to the device then nothing you can do will prevent loss.

If you are talking about man in the middle or similar style attacks then by ignoring the best tool in your kit (SSL certs) you have already lost.

The only sites that work by caching and constantly resubmitting the user/pw are ones built by those who have no idea what they are doing because it is a very bad practice.


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
