tlonny 2 days ago

Presumably because API keys are n bytes of random data vs. a shitty user-generated password we don’t have to bother using a salt + can use something cheap to compute like SHA256 vs. a multi-round bcrypt-like?

agwa 2 days ago

Correct.

Even a million rounds of hashing only adds 20 bits of security. No need if your secret is already 128 bits.

vjay15 2 days ago

I can't understand what you are trying to say :o

numbsafari 2 days ago

How are you storing the API key in your database?

vjay15 2 days ago

hash of the API key just like passwords

stanac 2 days ago

I think they are saying passwords are salted and we use multiple rounds of hashing to prevent rainbow tables and slow down brute-forcing the password (in case of a db leak). We don't need to do that for randomized long strings (like API keys); no one is guessing a 32-character random string, so no salt is needed and we don't need multiple rounds of hashing.

vjay15 a day ago

OHHH that makes sense!
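The two storage schemes the thread contrasts (agwa's "20 bits from a million rounds" and stanac's salted-slow-hash vs. plain-hash distinction), as an added example that is not from any commenter: a random API key stored as a bare SHA-256 digest beside a user password stored with a random salt and PBKDF2. The round count and key length are assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
import secrets

# API key: 32 random bytes, i.e. 256 bits of entropy. It is shown to the
# user once; the database keeps only its SHA-256 digest. No salt and no
# slow KDF are needed: nobody brute-forces a 256-bit random value.
def new_api_key():
    key = secrets.token_urlsafe(32)
    return key, hashlib.sha256(key.encode()).hexdigest()

def verify_api_key(presented, stored_hex):
    candidate = hashlib.sha256(presented.encode()).hexdigest()
    # Constant-time compare so a timing side channel does not leak
    # how many leading characters of the digest matched.
    return hmac.compare_digest(candidate, stored_hex)

# Password: low-entropy, user-chosen. A per-user random salt defeats
# rainbow tables; many PBKDF2 rounds make each guess expensive.
PBKDF2_ROUNDS = 600_000  # assumed value for the example

def hash_password(password):
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)

# agwa's arithmetic: iterating the hash r times multiplies the attacker's
# per-guess cost by r, which is worth log2(r) extra bits of security.
def effective_bits(entropy_bits, rounds):
    return entropy_bits + math.log2(rounds)

if __name__ == "__main__":
    key, stored = new_api_key()
    print("api key ok:", verify_api_key(key, stored))
    salt, digest = hash_password("correct horse battery staple")
    print("password ok:", verify_password("correct horse battery staple", salt, digest))
    print("1e6 rounds add", round(effective_bits(0, 1_000_000)), "bits")
```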