[swellep]

If you delete it as soon as the user comes online, wouldn't their information be safe? No one else would've been able to get the information because they were offline, right? And so it's not still saved if the user exits the webpage before they return online, you can use SessionStorage.

[tskaiser]

Any situation where a password is persisted, especially in plaintext, can present a security risk. It is one of those things where you don't just guess that it is "safe enough" unless you have thoroughly proven it to be so.

[FLUX-YOU]

It's more that you put the password on the disk in unencrypted format without telling the user. For instance, chrome stores them in sqlite databases which you can just open and select from:

http://i.imgur.com/zauv4sK.png

Your disk could be encrypted, but not everyone's will be. It's better to just localStorage as it was intended.

Plus if you introduce a bug later down the line, you might not prune older localStorage entries, meaning they will stay there for much longer than you want. AND the user may not revisit your site ever again after going offline, which doesn't give you an opportunity to prune it.

[thesimon]

So encrypt the password with your public key before storing it and decrypt it on the server?

[swellep]

So ask the user if they're cool with it being unencrypted, and you're all good? How would you encrypt it though, since you're offline?

[FLUX-YOU]

No one's going to have a lot of confidence if you ask them to store your sensitive info in plaintext. Just don't do it. The convenience or UX isn't worth it.

[tehlike]

No. They can copy the data to another location to send later.

[swellep]

They as in an attacker? But the user is offline. Explain more please.

[Kpourdeilami]

You can have a malware that copies anything stored in the local storage to its own database and transmits to a server as soon as the user goes back online. local storage is just as vulnerable to being read by JavaScript as cookies are.

local storage can be read using JavaScript from the same domain if you control all the JS on the domain, then this shouldn't be a problem. But if any other code is executed (i.e. via injection), they will be able to access the local storage

[fenwick67]

A persistent threat can stay on a device even when it's offline.

Nobody here is saying that an attacker can easily access your domain's localstorage, but just expressing the sentiment that "storing plaintext passwords is bad in almost any case".

Just like you can store plaintext passwords in your application database, and theoretically they are safe, but if a bad guy gets in your users are screwed, not just on your site but on others.

[tehlike]

Exactly. In the very worst case, if local storage is to be used for storing password, it should be stored with asymmetric cryptography so that encryption is done with public key, but decryption can only be done with private key which is stored in the server (And not on the client). With a proper key rotation scheme, this could be an OK solution.

[kamikaz1k]

In your response, who is the "they"?

[tehlike]

attacker who might have gained access to same domain privileges through code injection.