https://community.checkpoint.com/t5/API-CLI-Discussion/Web-API-and-encrypting-login-credentials/m-p/77005#M4502 <P>Hi Steve,</P> <P>As <a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;has already said, using API Key for authentication is better than just username/password in terms of security.</P> <P>This authentication method complies with the industry standards due to:</P> <UL> <LI>128-bit length make it a super challenging task to guess it</LI> <LI>randomly generated, so prevents from re-use between different environments</LI> <LI><SPAN>prevent the users' account being compromised if the user name is public</SPAN></LI> <LI><SPAN>prevent a leaked key from identifying the user in any way</SPAN></LI> </UL> <P>Whatever method you choose, there are many tools existing on the market to keep a key or user credentials safely:</P> <P>open-source applications, dedicated hardware modules, cloud-based solutions.</P> <P>Examples: HashiCorp Vault,&nbsp;Keywhiz,&nbsp;AWS Secrets Manager.</P> <P>Of course, to integrate your API-based application with one of these tools, you'll be requested to provide a master password in some way.</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 03 Mar 2020 16:08:19 GMT Alex_Mitsevich 2020-03-03T16:08:19Z https://community.checkpoint.com/t5/API-CLI-Discussion/Web-API-and-encrypting-login-credentials/m-p/76912#M4493 <P>Hello,</P><P>Is there a way to secure the credentials used in the following API call:</P><P>curl --silent -X POST -H "Content-Type: application/json" -k -d @login.json <A href="https://&lt;fw" target="_blank">https://&lt;fw_mgmt_srv&gt;</A>/web_api/login</P><P>The login.json is a clear text file. Anyone familiar with best practices on how to secure the file contents?</P><P>Much appreciated,</P><P>Steve</P> Mon, 02 Mar 2020 22:04:54 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/Web-API-and-encrypting-login-credentials/m-p/76912#M4493 Steve_Bihari 2020-03-02T22:04:54Z https://community.checkpoint.com/t5/API-CLI-Discussion/Web-API-and-encrypting-login-credentials/m-p/76920#M4494 In R80.40, you can use API keys instead of credentials, which is slightly better but has the same fundamental issue: it needs to be stored either in plaintext or in a manner that can be easily reversed.<BR />Not sure how folks are handling this. Tue, 03 Mar 2020 01:48:48 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/Web-API-and-encrypting-login-credentials/m-p/76920#M4494 PhoneBoy 2020-03-03T01:48:48Z https://community.checkpoint.com/t5/API-CLI-Discussion/Web-API-and-encrypting-login-credentials/m-p/77005#M4502 <P>Hi Steve,</P> <P>As <a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;has already said, using API Key for authentication is better than just username/password in terms of security.</P> <P>This authentication method complies with the industry standards due to:</P> <UL> <LI>128-bit length make it a super challenging task to guess it</LI> <LI>randomly generated, so prevents from re-use between different environments</LI> <LI><SPAN>prevent the users' account being compromised if the user name is public</SPAN></LI> <LI><SPAN>prevent a leaked key from identifying the user in any way</SPAN></LI> </UL> <P>Whatever method you choose, there are many tools existing on the market to keep a key or user credentials safely:</P> <P>open-source applications, dedicated hardware modules, cloud-based solutions.</P> <P>Examples: HashiCorp Vault,&nbsp;Keywhiz,&nbsp;AWS Secrets Manager.</P> <P>Of course, to integrate your API-based application with one of these tools, you'll be requested to provide a master password in some way.</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 03 Mar 2020 16:08:19 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/Web-API-and-encrypting-login-credentials/m-p/77005#M4502 Alex_Mitsevich 2020-03-03T16:08:19Z