Don't ever use passwords for API authentication. It's an API, not a browser. The... | Hacker News

Hacker News new | past | comments | ask | show | jobs | submit

login

tptacek on April 17, 2013 | parent | context | favorite | on: Secure Your REST API

Don't ever use passwords for API authentication. It's an API, not a browser. The users of an API are other programs, not people. Issue single-purpose random credentials.

I didn't think this was something I had to point out about API authentication, but apparently it is.

CodeMage on April 17, 2013 | [–]

I have a stupid question: how do you do this with HTTP Basic auth?

tptacek on April 17, 2013 | | [–]

Generate random long passwords.

redblacktree on April 18, 2013 | [–]

By "don't ever use passwords" you mean, "don't let users set their own passwords," right?

Obviously, you're still using a password if you use HTTP Basic Auth.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact