Move the Password Securely to the Server

We’ve established that the user needs to set a strong password and have covered how to store it. How do you move it from the web browser to the server? The first step, of course, is to use HTTPS. In fact, you should use HTTPS not just on login and registration pages but for the whole site. You will need HTTPS for login and registration pages to prevent man-in-the-middle attacks that try to steal passwords, but if you don’t use HTTPS for the whole site, your session can still be stolen. This is discussed at length in Chapter 8, Focus on Session Management.

Second, do not send a plain-text password to the user’s email as a reminder. If the application is generating the password on the user’s behalf, then ...
