TechQA.

Is it ok/common practice to login via REST service by sending clear text password?

1k views Asked by At

Is it ok/common practice to login via REST service by sending clear text password? As long as it's done over https? e.g. https://www.example.com/api/login/<username>/<pwd>

Or is it common practice to use encryption of the password locally and decryption on the server?

rest ssl authentication mobile-application
Original Q&A
2

There are 2 answers

0
Opal On

First of all username along with password should never be included in URL. There's authorization (with lots of variants - base64, token, whatever) header for such purposes.

Secondly password should be always sent via HTTPS. Or more general, authorization should always be done via HTTPS.

When it comes to encoding password I've worked with system that were sending plain and encrypted passwords. If it's possible to send encrypted, it's much better.

2
Nicholas Shanks On

Use HTTP Digest Authentication or OAuth 2 over HTTPS.

Related Questions in REST

Related Questions in SSL

Related Questions in AUTHENTICATION

Related Questions in MOBILE-APPLICATION

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions