Move the Password Securely to the Server
Weâve established that the user needs to set a strong password and have covered how to store it. How do you move it from the web browser to the server? The first step, of course, is to use HTTPS. In fact, you should use HTTPS not just on login and registration pages but for the whole site. You will need HTTPS for login and registration pages to prevent man-in-the-middle attacks that try to steal passwords, but if you donât use HTTPS for the whole site, your session can still be stolen. This is discussed in length in Chapter 8, âFocus on Session Managementâ.
Second, do not send a plain-text password to the userâs email as a reminder. If the application is generating the password on the userâs ...
Get Secure Your Node.js Web Application now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
