Tuesday, 7 January 2020

Most secure way to temporarily store a password

I have the following use case:

My web application is used for creating prescriptions. When I send the prescription creation request to the government API it is signed with the current user's certificate. The certificate is stored on the application server and is encrypted with a password which only the user knows. Users want to be able to store their password in my app temporarily so that they don't need to paste it in for each prescription they create.

What would be the most secure way to store this password? Couple of ideas:

  1. Local storage in the browser.

    Bad because anyone with access to the user's device can see the password even if they're not logged in. Also, if the app is not running, I have no way to clear the password if the desired storage time expires.

  2. Frontend app memory.

    Bad because if the user refreshes the page or opens another tab, the stored password is gone.

  3. Backend, in the database.

    This sounds like the best option because I can encrypt the password. Is it even worth encrypting, though? I would have to encrypt it with some key stored on the same machine, so if someone gains access to this machine the encryption doesn't matter, because they would be able to decrypt it quite easily.
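One pattern that addresses the refresh problem of option 2 and the "can't clear it once it has expired" problem of option 1 is a server-side store that keeps the passphrase only in process memory, never in the database, with a time-to-live the server enforces and an opaque handle that lives in the user's session. The code below is an added example, not from the original post; it assumes the certificate is decrypted and the signing done on the application server, and that the web framework stores `handle` in the server-side session. The `clock` parameter is a hypothetical injection point so expiry can be tested without waiting.

```python
import secrets
import threading
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class _Entry:
    passphrase: bytearray   # mutable so it can be overwritten on removal
    expires_at: float       # monotonic timestamp after which the entry is dead


def _wipe(buf: bytearray) -> None:
    # Best-effort overwrite; CPython may still hold copies of earlier str objects.
    for i in range(len(buf)):
        buf[i] = 0


class PassphraseCache:
    """In-memory, TTL-bound store for certificate passphrases (one per handle)."""

    def __init__(self, ttl_seconds: float, clock: Callable[[], float] = time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._lock = threading.Lock()
        self._entries: Dict[str, _Entry] = {}

    def put(self, passphrase: str) -> str:
        """Store a passphrase and return the opaque handle to keep in the session."""
        handle = secrets.token_urlsafe(32)   # unguessable; the DB never sees the secret
        with self._lock:
            self._entries[handle] = _Entry(bytearray(passphrase.encode()), self._clock() + self._ttl)
        return handle

    def get(self, handle: str) -> Optional[str]:
        """Return the passphrase for a live handle, or None if unknown or expired."""
        self._purge_expired()
        with self._lock:
            entry = self._entries.get(handle)
            return entry.passphrase.decode() if entry else None

    def clear(self, handle: str) -> None:
        """Explicit logout / 'forget my password' path: drop and overwrite the entry."""
        with self._lock:
            entry = self._entries.pop(handle, None)
        if entry:
            _wipe(entry.passphrase)

    def _purge_expired(self) -> None:
        now = self._clock()
        with self._lock:
            for h in [h for h, e in self._entries.items() if e.expires_at <= now]:
                _wipe(self._entries.pop(h).passphrase)
```

This bounds exposure to the entry's lifetime and keeps the secret out of every persistent store, but it does not help against an attacker who already controls the server process, which is the limitation the question identifies for option 3.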
