Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

Web API and encrypting login credentials

Jump to solution

Hello,

Is there a way to secure the credentials used in the following API call:

curl --silent -X POST -H "Content-Type: application/json" -k -d @login.json https://<fw_mgmt_srv>/web_api/login

The login.json is a clear text file. Anyone familiar with best practices on how to secure the file contents?

Much appreciated,

Steve

1 Solution

Accepted Solutions
Highlighted
Employee
Employee

Hi Steve,

As @PhoneBoy has already said, using API Key for authentication is better than just username/password in terms of security.

This authentication method complies with the industry standards due to:

  • 128-bit length make it a super challenging task to guess it
  • randomly generated, so prevents from re-use between different environments
  • prevent the users' account being compromised if the user name is public
  • prevent a leaked key from identifying the user in any way

Whatever method you choose, there are many tools existing on the market to keep a key or user credentials safely:

open-source applications, dedicated hardware modules, cloud-based solutions.

Examples: HashiCorp Vault, Keywhiz, AWS Secrets Manager.

Of course, to integrate your API-based application with one of these tools, you'll be requested to provide a master password in some way.

 

 

View solution in original post

2 Replies
Highlighted
Admin
Admin
In R80.40, you can use API keys instead of credentials, which is slightly better but has the same fundamental issue: it needs to be stored either in plaintext or in a manner that can be easily reversed.
Not sure how folks are handling this.
Highlighted
Employee
Employee

Hi Steve,

As @PhoneBoy has already said, using API Key for authentication is better than just username/password in terms of security.

This authentication method complies with the industry standards due to:

  • 128-bit length make it a super challenging task to guess it
  • randomly generated, so prevents from re-use between different environments
  • prevent the users' account being compromised if the user name is public
  • prevent a leaked key from identifying the user in any way

Whatever method you choose, there are many tools existing on the market to keep a key or user credentials safely:

open-source applications, dedicated hardware modules, cloud-based solutions.

Examples: HashiCorp Vault, Keywhiz, AWS Secrets Manager.

Of course, to integrate your API-based application with one of these tools, you'll be requested to provide a master password in some way.

 

 

View solution in original post