9

I have created Vue components for login and registration. How do I send the password to the server? Should I just encrypt the password using bcrypt on the client side and then send it to Laravel, or should I just send the plain password to Laravel and use bcrypt($request->get('password'))? What would be a good option?

If I should encrypt the password in the Vue component, what package/function should I use so that it will encrypt the password in the same way as Laravel/PHP does?

1 Comment
    1. You hash passwords, you don't encrypt them. 2. There is little security benefit to sending the hash instead of the password, as a MitM attack still gets what they need to log in. 3. Use https to secure the password in transit. Commented Aug 11, 2017 at 6:38

2 Answers

7

There is no real need to encrypt the password in your JavaScript code. It is more important to serve your PHP over HTTPS.

The data sent between the browser and your web server will be encrypted by the SSL/TLS certificate.

Here are some guides to set up an HTTPS-enabled web server; I assume your PHP is hosted on NGINX or Apache with php-fpm or the Apache PHP module.

Let's Encrypt provides a free SSL/TLS certificate for your web server to secure the communication between the client browser and itself.


2 Comments

  • So can I just send my password as it is using axios after having SSL?
  • Right, be sure that you forward/redirect normal HTTP on port 80 to HTTPS on port 443 on your web server, so that users will not accidentally use (insecure) HTTP to send login info.
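An added example (not code from the question or from either answer) of the server side this answer recommends: the plaintext password arrives over HTTPS and is hashed and verified in plain PHP with password_hash()/password_verify(), which is what Laravel's bcrypt(), Hash::make() and Hash::check() call underneath. It assumes PHP 7.1 or newer; the password string is constructed for the demonstration. It also shows why the question's "hash it the same way as Laravel on the client" cannot work: bcrypt draws a random salt for every hash, so two hashes of one password differ, and only password_verify() against the stored hash can check a login.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or the answers. Plain PHP,
// because Laravel's bcrypt() / Hash::make() and Hash::check() wrap these same
// password_hash() / password_verify() calls. Assumes PHP 7.1 or newer.

/**
 * Registration side: hash the plaintext that arrived over HTTPS.
 * bcrypt draws a fresh random salt on every call, so the same password
 * hashes to a different string each time.
 */
function hashPassword(string $plaintext): string
{
    // Cost 12 is a sensible default on current hardware; raise it over time.
    $hash = password_hash($plaintext, PASSWORD_BCRYPT, ['cost' => 12]);
    if (!is_string($hash)) {          // PHP 7 returns false on failure
        throw new RuntimeException('password_hash() failed');
    }
    return $hash;
}

/**
 * Login side: compare in constant time against the stored hash.
 */
function verifyPassword(string $plaintext, string $storedHash): bool
{
    return password_verify($plaintext, $storedHash);
}

/**
 * Login side, after a successful verify: re-hash if the stored hash was made
 * with weaker parameters than the current policy, so old hashes catch up.
 * Returns the new hash, or null if the stored one is still acceptable.
 */
function rehashIfNeeded(string $plaintext, string $storedHash, int $cost): ?string
{
    if (!password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $cost])) {
        return null;
    }
    return password_hash($plaintext, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Constructed sample password for the demonstration; not real credentials.
$password = 'correct horse battery staple';

$stored = hashPassword($password);   // what you persist in the users table
$again  = hashPassword($password);   // a second registration of the same password

// Different hashes for the same input: the salt is random and lives inside the
// hash string, which is why a client cannot pre-compute "the same hash as PHP".
printf("hashes differ: %s\n", var_export($stored !== $again, true));
printf("correct password verifies: %s\n", var_export(verifyPassword($password, $stored), true));
printf("wrong password rejected: %s\n", var_export(!verifyPassword('not the password', $stored), true));

// Policy bump: hashes made at cost 12 get upgraded on the next successful login.
$upgraded = rehashIfNeeded($password, $stored, 13);
printf("rehash needed at cost 13: %s\n", var_export($upgraded !== null, true));
```

Run it with `php example.php`; nothing in it depends on Laravel. In a Laravel controller the same three steps are `Hash::make($request->input('password'))` at registration, `Hash::check()` at login, and `Hash::needsRehash()` after a successful check, with the plaintext only ever travelling over the HTTPS connection the answer describes.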
0

It is necessary to encrypt the password on the client side!

  • Leaving the user's password unencrypted means that it will be vulnerable to MITM attacks.
  • SSL termination very often happens on load balancers, which means the plaintext password travels from that point to your web server unprotected, where logging can be enabled by sysadmins, etc.
  • Developers or sysadmins should NOT have the possibility of getting at users' passwords, which will happen if you do not encrypt the password on the client.

1 Comment

can you explain this further? I do not understand, for instance, why a password is susceptible to MITM attacks if the server uses HTTPS and only the HTTPS protocol is enabled (HTTP-only is disallowed)? You can argue that HTTPS is not particularly strong encryption, but I feel like that is another argument. Assuming HTTPS is sufficiently strong, how does the Man In The Middle attack occur? I genuinely do not understand.
