Comments on: Authentication: Don’t be Clever /2013/03/21/authentication-dont-be-clever/?utm_source=rss&utm_medium=rss&utm_campaign=authentication-dont-be-clever Everything about API User Experience Mon, 21 Dec 2015 03:55:47 +0000 hourly 1 https://wordpress.org/?v=5.8.6 By: Dave /2013/03/21/authentication-dont-be-clever/#comment-10417 Mon, 21 Dec 2015 03:55:47 +0000 /?p=112#comment-10417 Not sure where things with OAuth 2 stand today, but I do know that the lead author resigned while writing the spec because he thought the whole thing was a big failure.

http://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell

Something to think about.

]]> By: Tictail API launch focuses on UX /2013/03/21/authentication-dont-be-clever/#comment-257 Thu, 19 Sep 2013 18:34:54 +0000 /?p=112#comment-257 […] was fundamental to launch the right API. They’ve chosen proven standards starting with the authentication protocol which is OAuth 2.0. One of the features that made them choose it was the implicit grant […]

]]> By: Authentication: Don't be Clever | kernicPanel | Scoop.it /2013/03/21/authentication-dont-be-clever/#comment-29 Tue, 26 Mar 2013 21:02:40 +0000 /?p=112#comment-29 […] HTTP API authentication has evolved through many forms over the years. As so-called RESTful APIs gained popularity, a variety of methods sprung up: key passing, plain-old HTTP Basic Auth, OAuth 1.0…  […]

]]> By: Authentication: Don't be Clever | nodeJS and REST APIs | Scoop.it /2013/03/21/authentication-dont-be-clever/#comment-24 Tue, 26 Mar 2013 00:14:37 +0000 /?p=112#comment-24 […] HTTP API authentication has evolved through many forms over the years. As so-called RESTful APIs gained popularity, a variety of methods sprung up: key passing, plain-old HTTP Basic Auth, OAuth 1.0…  […]

]]> By: Barnabas /2013/03/21/authentication-dont-be-clever/#comment-22 Mon, 25 Mar 2013 20:32:06 +0000 /?p=112#comment-22 In reply to Weng Fu.

I can’t imagine ROT13 being a barrier to anyone but a 7-year old.

]]> By: Fadi E. (itoctopus) /2013/03/21/authentication-dont-be-clever/#comment-15 Mon, 25 Mar 2013 14:18:44 +0000 /?p=112#comment-15 In reply to Weng Fu.

@Weng,

SQL injection affects the whole database – and not just a table with your uid/pwds. SQL injection is the outcome of some seriously badly written code somewhere in your application – so you need to make sure that your code is secure and resilient to any SQL injection attacks.

Using files to store passwords has the exact same problem (your application might have some issues with filesystem security) and can lead to performance issues especially if you have a long list of logins. Additionally, when migrating a website from one place to another, you will need to remember to copy that file or else the website won’t work.

]]> By: Weng Fu /2013/03/21/authentication-dont-be-clever/#comment-12 Sun, 24 Mar 2013 09:05:51 +0000 /?p=112#comment-12 I think password is sufficient for most web sites. The password should not be save in database because of SQL injector. It is better to save password in hided password file separate from database. Password file should be encrypted by ROT13 to prevent hacker access to the file.

]]> By: Authentication: Don’t be Clever | CodingScoop | Scoop.it /2013/03/21/authentication-dont-be-clever/#comment-11 Sun, 24 Mar 2013 09:01:14 +0000 /?p=112#comment-11 […] HTTP API authentication has evolved through many forms over the years.  […]

]]> By: Javin /2013/03/21/authentication-dont-be-clever/#comment-10 Sun, 24 Mar 2013 03:15:47 +0000 /?p=112#comment-10 Simple and easy, Use OAuth 2.0 , but worth reading that StackOverFlow.

]]> By: Craig Francis /2013/03/21/authentication-dont-be-clever/#comment-9 Sat, 23 Mar 2013 20:27:26 +0000 /?p=112#comment-9 I’m still not sure oAuth2 is the answer though, and I’m still trying to find answers to simple things like 2 legged-auth: http://stackoverflow.com/q/14402938

]]>