I need to generate a key from a passphrase in JSP using the PBKDF2WithHmacSHA1 algorithm and the CryptoJS library. I then use this key to encrypt the user's login password and pass it to the server; on the server, I generate the key again and decrypt the user's login password.
I know I should not pass the passphrase or key from the client to the server over HTTP during login, but can I save the passphrase in the login JSP page? If not, how can I use the passphrase to generate the key in JSP?
Even if I use a JavaScript variable to store the passphrase, the user can still use JavaScript debug mode to watch the passphrase variable's value, so I think there is no method to hide the passphrase value in JSP. Is there any method?
Or is there a problem with the design of encrypting the login password on the client side using JavaScript?
No. Generate a one-way hash on the server for the user's input (using best practice, including a safe hashing algorithm and salting). Compare any future user input against that hash by generating a new hash with the user's input using the same algorithm, then compare the two hashes.