
What is the proper way of passing a password to a web service via a RESTful API (when a user is registering or just logging in)? How should I store it?

From what I was taught, I should only store hashes, for example MD5. But from what I can read on the Internet it appears to be rather easy to just look up a hash in a "hash rainbow table", so storing a hash would be equal to storing clear text. How do I do it properly?

Info:

  • .NET, C#
  • PostgreSQL
ebvtrnog

1 Answer


The way to pass username and password to a REST service is to use the basic authentication scheme over HTTPS. HTTPS should protect your password from being stolen in transit.

As I explain in my answer here, it's not a good idea to use basic authentication for your services. You would be better off using a Security Token Service (STS) and using bearer authentication.

MvdD
  • +1 for referring to OAuth2 in your linked answer, it could be a good solution for the given question. Here is a [brief](http://blog.cloudfoundry.org/2012/10/09/oauth-rest/) example on how to secure RESTful web services. For authentication I would combine it with [OpenID](http://openid.net/developers/libraries/) – kayess May 27 '15 at 17:22
  • @NeilMcGuigan, where did I say that basic auth is good? Sometimes it's the only option you have. – MvdD May 27 '15 at 20:05
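The two halves of the thread above, the question's "how do I store it so a rainbow table is useless" and the answer's "send it as Basic auth over HTTPS", fit together in one small server-side routine. The following is an added example written for this page, not code from the asker, the answerer or any project they reference. It uses an in-memory dictionary as a stand-in for the PostgreSQL table (an assumption, as are the `UserStore` and `basic_header` names and the 200,000 iteration count), and it assumes TLS is terminated in front of it, since Basic auth sends the password itself on every request. Each user gets a random salt and a slow key derivation (PBKDF2-HMAC-SHA256 from the standard library), so two users with the same password get different stored values and a precomputed table built for unsalted MD5 buys the attacker nothing. The same calls exist in .NET (Rfc2898DeriveBytes), so the structure carries over to the asker's stack.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed cost parameter; tune upwards as hardware gets faster.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """Derive a per-user salted key with PBKDF2-HMAC-SHA256.

    A fresh random salt per user defeats rainbow tables (an attacker would
    need one table per salt); the iteration count makes each guess slow.
    The returned record is what goes in the database, never the password.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"kdf": "pbkdf2_sha256", "iterations": iterations,
            "salt": salt, "hash": derived}


def verify_password(record: dict, password: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  record["salt"], record["iterations"])
    return hmac.compare_digest(derived, record["hash"])


def parse_basic_auth(header_value: str) -> Optional[Tuple[str, str]]:
    """Decode an HTTP 'Authorization: Basic <base64(user:pass)>' header.

    Returns None for any header that is not well-formed Basic auth
    (other scheme, bad base64, missing colon) so the caller fails closed.
    """
    scheme, _, payload = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


class UserStore:
    """Hypothetical stand-in for the users table: username -> KDF record."""

    def __init__(self) -> None:
        self._rows: dict = {}
        # Dummy record used to keep the cost of a failed lookup equal to a
        # real verification, so response time does not reveal which
        # usernames exist (an assumption about how the service wants to behave).
        self._dummy = hash_password(os.urandom(16).hex())

    def register(self, username: str, password: str) -> None:
        self._rows[username] = hash_password(password)

    def authenticate(self, authorization_header: str) -> Optional[str]:
        """Return the username if the Basic credentials are valid, else None."""
        creds = parse_basic_auth(authorization_header)
        if creds is None:
            return None
        username, password = creds
        record = self._rows.get(username, self._dummy)
        ok = verify_password(record, password)
        return username if ok and username in self._rows else None


def basic_header(username: str, password: str) -> str:
    """Build the header a client would send (over HTTPS only)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery staple")
    store.register("bob", "correct horse battery staple")
    print("same password, different stored hashes:",
          store._rows["alice"]["hash"] != store._rows["bob"]["hash"])
    print("alice with right password:", store.authenticate(basic_header("alice", "correct horse battery staple")))
    print("alice with wrong password:", store.authenticate(basic_header("alice", "hunter2")))
```

Note what is and is not stored: the KDF name and iteration count travel with each row so the cost can be raised later without invalidating existing users, and the constant-time comparison plus the dummy record keep both the hash check and the "no such user" path from leaking through timing.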