是否应该隐藏API机密? [英] Should API Secrets Be Hashed?

问题描述

这听起来像是一个愚蠢的问题，因为密码当然需要进行哈希处理，并且永远不要存储原始密码.

It might sound like a silly question, because passwords of course need to be hashed and never store the original.

但是，对于API机密，通常在注册时会看到它们是明文显示的.

However, for API secrets, generally I see them displayed in the clear when signing up for them.

例如，如果我转到google api控制台并查看我的凭据页面，则可以查看我的客户端密码，与twitter一样.

For example, if I go to the google api console and look at my credentials page, I can view my client secret, same for twitter.

API密钥肯定和密码一样敏感吗?

Surely api keys are just as sensitive as passwords?

仅仅是因为从提供者那边，您可以确信正在生成足够强的密码吗? 如果真是这样，那么您的数据库就被破坏了，那么它就不能提供任何保护.

Is it just because from the provider side, you can be confident that a sufficiently strong password is being generated? If that's the case, then that doesn't provide any protection is your database is compromised.

或者是因为如果您使用的是基于令牌的身份验证，那么您就是在进行密码授予类型，这要求您将凭据以及客户端ID和密码或刷新令牌一起发送，以便用户拥有已经必须被妥协了?

Or is it perhaps because if you are using token based authentication, you're either doing password grant type, which requires you to send your credentials along with the client id and secret, or a refresh token, so a user would have already had to have been compromised?

推荐答案

我可以想象一些可能的答案:

I can imagine a few possible answers to this:

• 在某些情况下，可能需要服务器对明文API密钥进行持久存储才能满足可用性要求(例如Google和Twitter).
• 在某些情况下，仅API密钥根本不足以做很多事情-另外，一个人需要拥有经过身份验证的帐户-因此，API密钥本身的价值是有限的(因此，其价值要小于密码)
• 在许多情况下，API密钥在客户端应用程序(特别是移动应用程序，几乎总是这样做)中进行了硬编码，因此，当可以使用相同的令牌时，在服务器端添加额外的保护是没有意义的从客户端中轻松提取出来.
• 安全行业还不那么成熟.也许一旦黑客开始转储API密钥，可能会更认真地考虑这种想法.

顺便说一句，我对最后一点很认真.事实是，许多好的想法只有在其背后有足够的支持量时，它们才会变成现实.例如，我曾经写过一个相关主题的博客-

BTW, I am very serious about the last point. The truth is that a lot of good ideas don't become a reality until there is a critical mass of support behind them. As an example, I once blogged about a related topic -- protecting user confidential information by hashing it in the database but in a way that it could be recovered when the legitimate user logs in. I used Ashley Madison as an example -- in that case, the hackers were more after email addresses, phone numbers, and physical addresses than passwords. So when the hackers snatched the database, they immediately had what they wanted, and they could care less about the bcrypt encoded passwords (in fact, some older passwords were encoded with only MD5!) Unfortunately, concepts like this do not have enough of a push to make them a reality. Even zero-knowledge web designs are very few in the real world.

这篇关于是否应该隐藏API机密?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！