2

I'm developing a web API for a user database that will be used to verify a given username / password combination is valid.

I'm just looking for comments / criticism on the following method that I'm planning to use:

  • API Key records are stored within the database
  • Each API Key record consists of a public API key and a private API key
  • API clients use the private API key to salt the hashing of the given username / password
  • Username, password, and public API key are sent via HTTP GET request to the API for validation
  • A custom response code is returned based on what happens at the server

Is this a secure way of proceeding? Any advice is greatly appreciated.

Improve this question
2
  • 2
    You should always use HTTPS not HTTP. Disallow HTTP use altogether Commented Apr 17, 2013 at 0:36
  • can you elaborate a bit more on your third point? Commented Apr 17, 2013 at 4:11

1 Answer 1

Reset to default
1
  1. Always use HTTP POST for sending data to the server.GET should be used for fetching the data.
  2. You should always use HTTPS for your web service.

API clients use the private API key to salt the hashing of the given username / password

If you are referring to the private key of your authentication server then this is a wrong approach.The private key of the server should not be kept with the client.If you are using a secure connection then you need not perform password hashing on the client side and let your server handle the load.

here is a good reference for password hashing techniques and using the salt.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.