 

Should API Secrets Be Hashed?

It might sound like a silly question, because passwords of course need to be hashed and never store the original.

However, for API secrets, generally I see them displayed in the clear when signing up for them.

For example, if I go to the google api console and look at my credentials page, I can view my client secret, same for twitter.

Surely api keys are just as sensitive as passwords?

Is it just because from the provider side, you can be confident that a sufficiently strong password is being generated? If that's the case, then that doesn't provide any protection if your database is compromised.

Or is it perhaps because if you are using token based authentication, you're either doing password grant type, which requires you to send your credentials along with the client id and secret, or a refresh token, so a user would have already had to have been compromised?

Steviebob asked Apr 02 '17 21:04


1 Answer

I can imagine a few possible answers to this:

  • In some cases, it may be required for the server to have persistent storage of the plaintext API key in order to satisfy usability requirements (Google and Twitter being examples).
  • In some cases, the API key alone is not enough to do much at all -- additionally one needs to have an authenticated account -- and therefore the API key by itself is of limited value (hence less value than a password).
  • In a number of cases, the API key is hardcoded in a client application (especially mobile applications, which almost always do this) and therefore it does not make sense to add the extra protection on the server side when the same token can be trivially extracted from the client.
  • The security industry is just not that mature yet. Maybe once hackers start dumping API keys, ideas like this may be taken more seriously.

BTW, I am very serious about the last point. The truth is that a lot of good ideas don't become a reality until there is a critical mass of support behind them. As an example, I once blogged about a related topic -- protecting user confidential information by hashing it in the database but in a way that it could be recovered when the legitimate user logs in. I used Ashley Madison as an example -- in that case, the hackers were more after email addresses, phone numbers, and physical addresses than passwords. So when the hackers snatched the database, they immediately had what they wanted, and they could care less about the bcrypt encoded passwords (in fact, some older passwords were encoded with only MD5!). Unfortunately, concepts like this do not have enough of a push to make them a reality. Even zero-knowledge web designs are very few in the real world.

TheGreatContini answered Oct 07 '22 18:10
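As an added example (not code from the answerer or this site), here is the show-once pattern that the answer's first bullet trades away for usability: the secret is handed to the client exactly once at issuance and only its SHA-256 digest is persisted, so a dumped database yields nothing a client can present. The function names, the `ak_` key-id prefix and the in-memory store are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed in-memory "database": key id -> record holding only the hash.
# The plaintext secret is never written here.
_STORE = {}


def issue_api_key(client_name: str) -> Tuple[str, str]:
    """Create a key for a client. Returns (key_id, plaintext_secret).

    key_id is a public identifier sent with every request and used for lookup;
    the secret is a 256-bit random value the client must save now, because
    only its digest survives server-side.
    """
    key_id = "ak_" + secrets.token_hex(8)      # not secret, used for lookup
    secret = secrets.token_urlsafe(32)         # 256 bits of entropy
    # A plain, unsalted SHA-256 is adequate here: unlike a human-chosen
    # password, a 256-bit random secret cannot be guessed or precomputed,
    # so a slow, salted KDF such as bcrypt adds nothing for API keys.
    _STORE[key_id] = {
        "client": client_name,
        "secret_hash": hashlib.sha256(secret.encode()).hexdigest(),
    }
    return key_id, secret


def verify_api_key(key_id: str, presented_secret: str) -> bool:
    """Check a presented (key_id, secret) pair against the stored digest."""
    record = _STORE.get(key_id)
    if record is None:
        return False
    digest = hashlib.sha256(presented_secret.encode()).hexdigest()
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest, record["secret_hash"])


def stored_record(key_id: str) -> Optional[dict]:
    """What a database dump exposes for this key: the digest, not the secret."""
    return _STORE.get(key_id)


if __name__ == "__main__":
    kid, sec = issue_api_key("example-client")
    print("shown once to the client:", kid, sec)
    print("what the database holds:", stored_record(kid))
    print("valid:", verify_api_key(kid, sec), "wrong:", verify_api_key(kid, "nope"))
```

The cost is exactly the usability point the answer raises: a client that loses its secret cannot have it redisplayed and must be issued a new key.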