Should API Secrets Be Hashed?


Question

It might sound like a silly question, because passwords of course need to be hashed and the original never stored.

However, for API secrets, generally I see them displayed in the clear when signing up for them.

For example, if I go to the Google API console and look at my credentials page, I can view my client secret; same for Twitter.

Surely API keys are just as sensitive as passwords?

Is it just because, from the provider side, you can be confident that a sufficiently strong password is being generated? If that's the case, then that doesn't provide any protection if your database is compromised.

Or is it perhaps because, if you are using token-based authentication, you're either doing the password grant type, which requires you to send your credentials along with the client id and secret, or a refresh token, so a user would already have had to be compromised?

Answer

I can imagine a few possible answers to this:

  • In some cases the server may need to persistently store the cleartext API secret for usability reasons (e.g. Google and Twitter).
  • In some cases the API secret alone does not let you do much -- an authenticated account is also required -- so the API secret itself has limited value (and is therefore worth less than a password).
  • In many cases the API secret is hard-coded in the client application (especially mobile apps, which nearly always do this), so adding extra protection on the server side is pointless when the same token can easily be extracted from the client.
  • The security industry just isn't that mature yet. Perhaps once hackers start dumping API keys, ideas like this will be taken more seriously.

BTW, I am very serious about the last point. The truth is that a lot of good ideas don't become a reality until there is a critical mass of support behind them. As an example, I once blogged about a related topic -- protecting user confidential information by hashing it in the database, but in a way that it could be recovered when the legitimate user logs in. I used Ashley Madison as an example -- in that case, the hackers were more after email addresses, phone numbers, and physical addresses than passwords. So when the hackers snatched the database, they immediately had what they wanted, and they couldn't care less about the bcrypt-encoded passwords (in fact, some older passwords were encoded with only MD5!). Unfortunately, concepts like this do not have enough of a push to make them a reality. Even zero-knowledge web designs are very few in the real world.
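The answer's first bullet describes providers that keep the cleartext secret so it can be re-displayed; the alternative the question asks about, as an added Python example that is not from the original post or from any of the providers named, is to generate the secret server-side, show it once, and store only its hash, so that a dump of the credential table yields nothing directly usable. The names CREDENTIALS, hash_secret, issue_credentials, verify_credentials, lookup_by_secret and rotate_secret are assumptions made for this illustration, and the in-memory dictionary is a constructed stand-in for a real database.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed in-memory stand-in for the provider's credential table.
# Only the hash of each secret is ever stored, never the secret itself.
CREDENTIALS = {}  # client_id -> {"secret_hash": hex digest}


def hash_secret(secret: str) -> str:
    """SHA-256 of the secret. No salt and no slow KDF are needed here: the
    secret is a 256-bit random value, so guessing it offline is infeasible
    no matter how fast the hash is. That reasoning does NOT carry over to
    human-chosen passwords, which need a salted, slow hash such as bcrypt."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def issue_credentials() -> Tuple[str, str]:
    """Create a client id plus a fresh high-entropy secret and store only the
    secret's hash. The plaintext is returned exactly once so it can be shown
    to the developer at sign-up; the stored record cannot reproduce it."""
    client_id = "cid_" + secrets.token_hex(8)
    secret = secrets.token_urlsafe(32)  # 32 random bytes = 256 bits of entropy
    CREDENTIALS[client_id] = {"secret_hash": hash_secret(secret)}
    return client_id, secret


def verify_credentials(client_id: str, presented: str) -> bool:
    """Check a presented secret against the stored hash in constant time."""
    record = CREDENTIALS.get(client_id)
    if record is None:
        return False
    return hmac.compare_digest(hash_secret(presented), record["secret_hash"])


def lookup_by_secret(presented: str) -> Optional[str]:
    """Because the hash is deterministic (unsalted), a bearer-style key can be
    resolved to its owner by hashing it, which a per-user salted password
    hash would not allow. Returns the client id or None."""
    wanted = hash_secret(presented)
    for client_id, record in CREDENTIALS.items():
        if hmac.compare_digest(record["secret_hash"], wanted):
            return client_id
    return None


def rotate_secret(client_id: str) -> Optional[str]:
    """Replace the secret of an existing client; the old one stops verifying.
    Returns the new plaintext (again shown once) or None for an unknown id."""
    if client_id not in CREDENTIALS:
        return None
    new_secret = secrets.token_urlsafe(32)
    CREDENTIALS[client_id] = {"secret_hash": hash_secret(new_secret)}
    return new_secret


if __name__ == "__main__":
    cid, sec = issue_credentials()
    print("shown once :", cid, sec)
    print("stored     :", CREDENTIALS[cid])   # hash only, no plaintext
    print("verifies   :", verify_credentials(cid, sec))
```

The trade-off this makes is exactly the one the answer's first bullet names: once only the hash is stored, the console can no longer re-display the secret, so a developer who loses it must rotate it instead. It protects only the provider-side table; the third bullet (the same secret sitting in a shipped mobile client) is untouched by anything done on the server.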
