gun.user.recall() stores password as plain text in sessionStorage without encryption
I want to apply gun.user in my project.
When I store the user in sessionStorage using user.recall(opt),
This code in sea.js stores password in tmp without encryption.
Is it okay? or..
Should I encrypt password before calling .auth?
Here is my code.
jq('#up').on('click', (e) => {
let form = check();
if(!form){ return }
S.user.create(form.alias, form.pass, (ack) => {
if(ack.err){ return S.tell(ack.err) }
check.up = true;
S.user.auth(form.alias, form.pass, logined);
});
});
jq('#in').on('click', (e) => {
let form = check();
if(!form){ return }
S.user.auth(form.alias, form.pass, logined);
});
let logined = (ack) =>{
if(ack.err){ return S.tell(ack.err) }
S.user.recall({sessionStorage: true});
}
+
I found the document about user.create().
Passphrase that will be extended with PBKDF2 to make it a secure way to login.
However, there is plane text in my session storage.
gun version is 0.2019.515.
@huhsame , great concern! (And btw, incredible GUN AR/VR demos on your twitter!)
Browsers require domain-based security which sadly limits P2P security.
Unfortunately, sessionStorage is the safest best browser option:
- Credentials are not shared with servers (like cookies do).
- It keeps a user logged in on refresh.
- It deletes the credentials if you close the tabs.
Between page loads, encrypting the password is a good idea but the problem is, to keep the user logged in, the decryption key also has to be stored. :(
Storing credentials in localStorage is unsafe, which is why sessionStorage is better.
Warning! Unless you use a Browser Extension (below) or Browsers adopt better solutions, an XSS leak can compromise credentials from
sessionStorage- but even if you disable it, credentials can be pulled from in-memory without an Extension to protect accounts.
PBKDF2 is used during the login process, not session management - again, it could be used there as well, but has the same limitations as above.
Even
sessionStoragedoes not work well for keeping users logged in.
As a result, you should consider other solutions. I've written more about other options here:
Keeping a Gun DB user authenticated during a session
Better Security
For the best security, users would sadly need to install a browser extension, like our http://party.lol tool, until Browsers adopt this type of security natively, or offer better user-centric session management.
- Does phpMyAdmin AllowNoPassword work with MySQL databases?
- How can I tell password managers what pattern to use?
- Creating a password in Bash
- Minimum amount of uppercase chars | Password generator
- How to reset the root password in MySQL 8.0.11?
- Protecting against MitM (https) seeing password with encryption using included pub. key in iOS/Android app
- Java 1.5 Command Line Password Masking
- How to add a special character to A Password Validation Form
- Unable to login to GitHub account even with correct credentials
- What are Salt Rounds and how are Salts stored in Bcrypt?
- Your password does not satisfy the current policy requirements
- Is there a way to crack the password on an Excel VBA Project?
- Setting and Declaring Global Constant
- Email password reset link does not work with deployed React application
- What password hash type or method does blazor web app use by default
- Where in the filesystem does Firefox store saved passwords?
- Regex for Password with repetitive pattern
- Intellij IDEA - view saved password
- How to write .netrc for two accounts for skipping typing password when to git push?
- Changing the symbols shown in a HTML password field
- Removing passwords from .Docx files using Powershell
- Symfony dont respect Active Directory constraint
- Change WooCommerce default password security level
- Edit password update email to user with password in wordpress
- Password Generating program in python
- Manage password complexity in Youtrack
- Base64 Authentication Python
- MySQL root password change
- Issue with gcloud compute reset-windows-password using service account in Google Cloud
- Node.js hashing of passwords