Password encryption when HTTP is logged on

The System design landing page, need to be cautious. Because the login data is transmitted over the network, it is likely to be intercepted halfway.

The best way to login is to use HTTPS, so the network transmission is secure. Google,baidu,alibaba use HTTPS in the same way.

But the general corporate Web site, does not necessarily go to deploy HTTPS. So we have to consider encryption in the transmission process, to avoid the login data is too easy for others to crack.

Users enter the user name, password, click Login, before submitting data, we should consider using JS to encrypt the password (such as Base64,hash, etc.). In this way, the encrypted password is transmitted on the network, which brings some difficulty to the interception.

Example code:

<script type= "Text/javascript" >
$ (document). Ready (function () {
$ (' #formlogin '). Submit (function () {
var password=$ (' #passwordId '). Val ();
var ENCRYPTEDPW = base64.encode (password);
$ (' #passwordId '). Val (ENCRYPTEDPW);
return true;
});
});
</script>

But these are just simple encryption.

A more perfect solution is to encrypt using AES (Advanced encryption). Before each login, a random key is requested from the server, and this key is treated as an AES key, resulting in the encrypted string. This can greatly improve the security of the landing.

But it also poses a problem. Is the need to have JS and Java support the same decryption function function. This is very simple to say, when people really develop their own time to know that you want to JS and Java compatible with the same encryption and decryption function is not easy. JS Cross-browser support, coding, Java anti-decryption, session problems, not a few days of debugging is not done well.

Interested people can study the following JS class library.

Https://github.com/ricmoo/aes-js

Password encryption when HTTP is logged on