![]() ![]() For example, if a user (let's call him Bob) signs up and requests an API key, you will give him a key (e.g. This is a private key that you can send with each request that the program can look up in the database and correlate to a particular user. ![]() This is why we don't store credentials like this in transit. WEP was an old network security protocol that ended up being replaced due to its intrinsic weakness to be able to get the password from a packet (beacon) without even being authenticated with the network. But you can make it more secure by using temporary credentials, and why would you not, if the cost is reasonable? In fact, it may even be acceptible in many scenarios. So as you can see, sending the username/password in each request is not a direct vulnerability. This of course may or may not be acceptable from a user experience point of view - but security is always a balance. It's usually better if the user enters credentials, receives a temporary token and the client forgets about the actual password until the token expires and the user has to provide his password again. Storing sensitive stuff on the client is not usually a good idea, opens up possibilities for an attacker. You need to store the password on the client if you want to send it with each request. The same as above, it's much better if he can only observe temporary ids instead of actual passwords. If you have an attacker already on the server, he may not be able to access the database to directly read/modify credentials, but he may be able to observe the web server process for a limited time. Internal attackers are also something to consider. It's still good, but at least not the password. If it's just a temporary API key (or a session id or whatever), that's less value for the attacker. If the webserver receives the user password all the time, it will be in memory probably multiple times. A while ago there was a vulnerability in the openssl implementation where you could practically read parts of the server memory (the webserver process). Server vulnerabilities can also be a problem. If he only decrypts an API key that has been obsolete for 3 years, fine, but if it's a user password. Chances are not very high, but the problem is, with many TLS cipher suites, an attacker can record traffic now, and decrypt it later (because it takes long, or the method is not yet invented). For some time though, it may be possible for an attacker to deduce bits from an encrypted stream, which may be made easier if the encrypted content is partially known (ie. It does happen from time to time that a new attack against TLS is disclosed, which is then patched eventually. Sometimes there are weaknesses in SSL/TLS. You don't need to run this risk in an API app, however, sending it in every request or not barely modifies this risk, but it does a little bit, because of the next point. If you have many users, many will have passwords like 123456 and similar. However, you should still probably not do it in most cases, for at least the following reasons. There is absolutely no difference in this regard. You are totally right, a password could be sent the same way as an API key on each request, you can revoke it the same way, etc. An API key is even worse in a sense, because depending on implementation, you would typically store API keys plaintext in the database, as opposed to properly hashed passwords (sidenote, but please use something like bcrypt or pbkdf2 when hashing). Technically, a username/password is pretty much the same as something like an API key, they are equivalent for the time they are valid. Sending username/password in each request is not advisable, but the other answer does not even touch on the real reasons why. ![]() This would make a great security interview question, because it measures very well the level of understanding in the security domain. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |