POST data encryption problem
First of all, there are two common approaches at present.

Browser-side security controls, as used by Taobao, banks, etc. This method has a high safety factor but requires a large investment.

Using SSL to complete the login has a moderate safety factor and low investment (an SSL certificate is required).

As for encrypting with JS before sending, it is meaningless in principle. As you said, the JS is plain text, so it is not hard to crack.

If the application you are developing has security requirements, SSL is recommended. If the security requirements are very high, choose a security control.

In fact, for 80% of websites the security of login information is not important, and in particular the probability of leakage through packet capture is extremely low. Because the technical threshold for packet capture is still quite high, if the stolen accounts are not worth much, few people will bother. Take Weibo, QQ, etc.: the service providers only offer various account-protection measures and do not do much to protect the account submission process itself.

99% of account loss comes from Trojans, which steal credentials by monitoring keyboard events, and JS can do nothing about this behaviour. The two methods mentioned above are no different in this respect.

For ordinary websites, it is usually enough to verify the user's security email address and reset the password through that email when it is lost. Additional features such as password-retrieval questions and ID-card binding are not recommended. Unless your website is well established, anyone with a little security knowledge will not enter their mobile phone number or ID card number on an unfamiliar website. Likewise, even if you provide a security control, many people may not install it, because you cannot prove that the control you provide is safe.

Don't think packet capture is that easy. Who knows when users log in, where they come from, and where they send their data? You can't watch it 24 hours a day. It isn't even worth thousands of dollars. Someone who could steal information this way would not waste his effort on it; do you think he would be interested in tens of thousands of dollars? Unless someone pays him to attack your website maliciously. That case is also simple to handle: just pay attention to backups in ordinary times. It is about as likely as a flood or an earthquake.