Hacker News new | comments | show | ask | jobs | submit login

That's not how HTTP Digest auth works, and you should never, ever be using "passwords" for API authentication.

Are you saying the server sees the password in HTTP Digest authentication?

How else would the server know what to check your response against? If you don't want to give the server a password, try SRP.

... but please don't use SRP for your API authentication.

Well, in this case (having gone back and actually checked the docs rather than relying on recollection roughly a decade old) you could store MD5(username:realm:password) rather than password, though that doesn't buy you all that much in a case like this where making the password a long, random string that's not reused is not only good practice but also easy and so likely to be general practice.

Stipulating all the other points you've made, exactly what is the purpose of hiding from a server a long random string generated by that server and useful only to that server?

Preventing someone else from getting that and using it on the server, especially if the service can rack up charges.

If you have the hash, you can log into the site (just not using the typical libraries), so it really doesn't add a lot of security. That's why I was wrong :-P

Yeah, I got there, just was confused about the digest thing.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact