10 Apr 2019, 10:40 a.m.
Gert Doering wrote on 10/04/2019 09:22:
Well, it wasn't clear if "store unencrypted" referred to the client or server side. On the server side, yes, please store one-way hashed in a secure fashion.
How though? Again, thinking out loud, it's easy enough if you implement using an unsalted hash except that's not considered to be secure. If you hash with salt, then you need to hash the incoming API key against all salt values stored from the DB because the only way you can figure out which API key is being used is to do a linear comparison against all API key hashes. This implies an authentication comparison load of O(n), where n is the number of API keys in the DB, so that's unlikely to scale well.

Nick
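The O(n) comparison Nick describes, next to an alternative the thread does not discuss (a random, non-secret key identifier stored in the clear beside the salted hash, so the server looks the row up first and computes exactly one hash), as an added example that is not part of the thread. The `id.secret` key format, the PBKDF2 parameters and the in-memory dict standing in for the DB are assumptions made for this example.

```python
import hashlib
import hmac
import os
import secrets

# Example work factor only; a deployment picks its own.
PBKDF2_ITERATIONS = 50_000


def _hash_secret(secret: bytes, salt: bytes) -> bytes:
    """Salted one-way hash of the secret part of an API key."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ITERATIONS, dklen=32)


def create_key(db: dict) -> str:
    """Issue a new API key; only (salt, hash) of the secret part is stored.
    db is a constructed in-memory stand-in for the server's key table."""
    key_id = secrets.token_hex(8)       # non-secret lookup handle (assumed format)
    secret = secrets.token_bytes(32)    # the part that must stay secret
    salt = os.urandom(16)
    db[key_id] = (salt, _hash_secret(secret, salt))
    return f"{key_id}.{secret.hex()}"   # full key, handed to the client once


def verify_linear(db: dict, presented_secret: bytes) -> tuple[bool, int]:
    """The O(n) check from the post: with no identifier, every stored salt
    must be tried. Returns (matched, number of hash computations)."""
    work = 0
    for salt, stored in db.values():
        work += 1
        if hmac.compare_digest(_hash_secret(presented_secret, salt), stored):
            return True, work
    return False, work


def verify_by_id(db: dict, presented_key: str) -> tuple[bool, int]:
    """Assumed alternative: look the row up by key id, then hash once.
    Malformed input (no id, no secret, non-hex secret) fails closed."""
    key_id, _, secret_hex = presented_key.partition(".")
    row = db.get(key_id)
    if row is None or not secret_hex:
        return False, 0
    try:
        secret = bytes.fromhex(secret_hex)
    except ValueError:
        return False, 0
    salt, stored = row
    return hmac.compare_digest(_hash_secret(secret, salt), stored), 1
```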