score:5

Accepted answer

As has been said before, you cannot prevent the user from looking at the password in his browser (besides, he's the user, so he knows the password already). It is risky to store the password because it exposes it to local filesystem attacks (against which encryption may be useful, if you use a different key for each user).

You may want to encrypt the password if you don't trust SSL/TLS (for instance, corporate users may be forced to use an insecure HTTP connection to some HTTPS proxy). But in that case, you can instead prove to the server that the client has the password without sending it at all (even encrypted: the encryption key would have to be shared with the client over an untrusted network, so that is a bad idea) by sending a hash of the password plus some non-secret pseudo-random stuff (and sending the pseudo-random stuff too).

That being said, you shouldn't store the user's password in any form on the client-side (when authenticating, you can still send a hash derived from the password, instead of the password itself, in case HTTPS is compromised).

Store a token (such as an OIDC access token) generated by the server after the initial authentication. The token expires (typically ranging from an hour to a couple of days), can be revoked with minimal inconvenience to the user (he doesn't have to create a new password) and is not enough to change the user's password or email (typically the user would have to enter the old password for that) and perform other critical account operations, so the user can at least recover the account even if some damage is done with a stolen token.

score:11

No need for such encryption. It would be pointless to implement your own encryption since HTTPS was created for that exact reason.

score:12

You don't need to encrypt the password in the frontend before sending it to the backend as long as you are using an HTTPS connection and sending it as form parameters. However, you should not store the password in the browser local storage; instead, you could ask your backend for a connection token that you will store as the session identifier.
