
Authentication made easy, fast and RESTful - sinzone
http://www.authdog.com/
======
sweis
"hash - An MD5 hash value made of the concatenation of YOUR_APPLICATION_KEY +
EMAIL + CODE"

Stop using unsafe keyed hashes: [http://rdist.root.org/2009/10/29/stop-using-unsafe-keyed-has...](http://rdist.root.org/2009/10/29/stop-using-unsafe-keyed-hashes-use-hmac/)

That's a red flag that these guys don't know what they're doing and thus not
to be trusted to handle my authentication.

~~~
latortuga
Seriously, HMAC was built for this exact purpose. The primary design goal of
HMAC was to combat insecure ad-hoc keyed hash schemes exactly like this. I saw
this a couple months ago on moonshado's SMS API and after going back and forth
with someone from their team I just let it go because they obviously didn't
get it. For anyone who cares about security, this is a huge red flag.

~~~
robee
The HMAC library in Python still uses MD5
(<http://docs.python.org/library/hmac.html>) which is known to be exploitable
with hash collisions. My opinion is that it's not too difficult to roll a MAC
setup using some SHA based hash.

~~~
adambard
The constructor for the Python HMAC library just defaults to MD5; you can pass
any of the hashlib modules to it via the digestmod parameter. I don't know why
it doesn't default to something more secure, but it's no challenge to do.
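
As an added example (written for this page; it is not authdog's code and not code any commenter posted), the following Python shows concretely what sweis and latortuga object to and what adambard's digestmod remark fixes. The key, email and code values are constructed. hashlib does not let you resume MD5 from a chosen internal state, so a small pure-Python MD5 core is included purely to run the length-extension forgery against the `MD5(key + email + code)` construction; the HMAC replacement uses SHA-256 via `digestmod` and adds a NUL separator between fields, which is my addition rather than anything the service documents.

```python
"""Added example: length extension against MD5(key||email||code), and the HMAC fix."""
import hashlib
import hmac
import math
import struct

# Constructed sample values; the real service's key and code format are unknown.
APP_KEY = b"s3cr3t-app-key"
EMAIL = b"alice@example.com"
CODE = b"482913"

def naive_mac(key, email, code):
    """The quoted scheme: MD5 over the plain concatenation of key, email and code."""
    return hashlib.md5(key + email + code).hexdigest()

# ---- minimal MD5 whose starting state can be injected (needed for the forgery) ----
_MASK = 0xFFFFFFFF
_IV = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2**32) & _MASK for i in range(64)]

def _compress(state, block):
    """One MD5 compression of a 64-byte block into the running (a, b, c, d) state."""
    a, b, c, d = state
    m = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + _K[i] + m[g]) & _MASK
        rot = ((f << _S[i]) | (f >> (32 - _S[i]))) & _MASK
        a, d, c, b = d, c, b, (b + rot) & _MASK
    return [(x + y) & _MASK for x, y in zip(state, (a, b, c, d))]

def _padding(total_len):
    """MD5 padding for a total_len-byte message: 0x80, zeros, 64-bit little-endian bit length."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack("<Q", (total_len * 8) & 0xFFFFFFFFFFFFFFFF)

def md5_from_state(state, data, already_hashed):
    """Continue MD5 from `state`, which must cover exactly `already_hashed` bytes (a multiple of 64)."""
    msg = data + _padding(already_hashed + len(data))
    for off in range(0, len(msg), 64):
        state = _compress(state, msg[off:off + 64])
    return struct.pack("<4I", *state).hex()

def md5_self_check(data=b"The quick brown fox"):
    """Sanity check of the MD5 core against hashlib on a fresh (IV) state."""
    return md5_from_state(_IV, data, 0) == hashlib.md5(data).hexdigest()

def forge_extension(known_mac_hex, known_len, suffix):
    """Length extension: from MD5(secret||m) and len(secret||m) alone, compute
    MD5(secret||m||glue||suffix) without ever learning the secret. Returns (glue, forged_mac)."""
    state = list(struct.unpack("<4I", bytes.fromhex(known_mac_hex)))
    glue = _padding(known_len)
    return glue, md5_from_state(state, suffix, known_len + len(glue))

def demo_attack(suffix=b"&role=admin"):
    """Attacker holds one valid (email, code, mac) and guesses only the key length
    (here taken directly; in practice you loop over plausible lengths)."""
    mac = naive_mac(APP_KEY, EMAIL, CODE)
    glue, forged = forge_extension(mac, len(APP_KEY) + len(EMAIL) + len(CODE), suffix)
    forged_code = CODE + glue + suffix            # submitted as the code field
    server_side = naive_mac(APP_KEY, EMAIL, forged_code)
    return server_side == forged                  # True: a tag the server never issued verifies

# ---- the fix: HMAC with a SHA-2 digest, a field separator, constant-time comparison ----
def hmac_mac(key, email, code):
    """Python's hmac defaults to MD5 unless digestmod is given; pass SHA-256 explicitly."""
    return hmac.new(key, email + b"\x00" + code, hashlib.sha256).hexdigest()

def verify(key, email, code, provided_hex):
    return hmac.compare_digest(hmac_mac(key, email, code), provided_hex)

def demo_fixed(suffix=b"&role=admin"):
    """Genuine tag verifies; the extension trick has no handle on HMAC's outer hash."""
    mac = hmac_mac(APP_KEY, EMAIL, CODE)
    glue = _padding(len(APP_KEY) + len(EMAIL) + len(CODE))
    return verify(APP_KEY, EMAIL, CODE, mac), verify(APP_KEY, EMAIL, CODE + glue + suffix, mac)

if __name__ == "__main__":
    assert md5_self_check()
    print("naive MD5(key||email||code) forgeable:", demo_attack())
    print("HMAC-SHA256 accepts genuine / forged:", demo_fixed())
```

The glue bytes contain 0x80 and NULs, so whether the real service's parser would accept the forged code field is unknowable from the page; the point is narrower and sufficient: a MAC must make producing any new valid tag infeasible, and this construction hands it to anyone who can guess the key length. Choosing SHA-256 here is about retiring MD5 entirely, not because collisions break HMAC; HMAC's security argument does not rest on collision resistance of the underlying hash.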

------
southpolesteve
Maybe I am missing something, but why would I want to use this? I develop in
Rails, where Devise is extremely simple to implement.

Do other frameworks lack a good auth plugin?

~~~
_pdeschen
To restrict access to a static web site, providing authentication through this
api and nginx auth request module[1]? Not even sure if this specific use case
is even possible with this API but that would be nice.

That being said, I don't think I would rely on an unknown API for such a crucial
part of my web app. In their shoes, I would just release it open source so
that people can inspect the code and build street cred out of it.

[1]: [http://mdounin.ru/hg/ngx_http_auth_request_module/file/a29d7...](http://mdounin.ru/hg/ngx_http_auth_request_module/file/a29d74804ff1/README)

------
TamDenholm
Nice idea, especially if the service can offer some really nice analytics on
users, but perhaps the MVP should try to sell itself from a security
perspective, so that the reason to use it is because it's easier and more
secure than creating a simple user system with username and straight MD5
password storage.

------
JohnTitus
I'm wary of signing up for a service that has no cost details.

------
jpadilla_
This looks very interesting. So is it safe to pass clear text credentials over
to another site? Is it via HTTPS?

