No-code platforms need to impersonate users to create automations and integrations. Unfortunately, accessing your password means they can’t do a very good job at hiding it.
I used to underestimate the security risks of using external platforms that authenticate to an API on your behalf using your credentials.
After all, if that’s their business, they surely do a good job at protecting the passwords and they will go to any length to follow industry standards.
Well, it happens to be the case that the industry standard for storing passwords is to hash them and salt them.
The problem is precisely that no-code platforms can’t do that, even if they wanted to.
Let me explain why Zapier, for example, doesn’t hash your password.
When an application stores a user password in a database, it hashes it, then stores the resulting hash. The password is visible to the web server, but it never enters the database server.
When a user authenticates again, the application doesn’t use the literal password. Instead, it takes the password through the same hashing process, then compares the result to what’s stored in the database for that user.
No-code platforms can’t follow this process, because they want to access an API on behalf of a user.
What does this mean? That they need to use your password as if they were you. And you don’t use a hash, do you? You don’t even see it.
If Zapier hashed the password and stored the result, they wouldn’t be able to access the password again when it’s needed.
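The argument above as a runnable sketch. This is an added example, not code from the original post or from Zapier. The function names, the sample credentials, the toy `api_accepts` endpoint and the choice of PBKDF2 as the salted hash are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample credentials, for illustration only.
USER, PASSWORD = "alice", "correct horse battery staple"


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """What the API's own server stores: a random salt and a slow salted hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt, digest


def verify_password(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Login check: re-hash the submitted password, compare in constant time."""
    _, digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, stored)


def basic_auth_header(user: str, secret: str) -> str:
    """What any client must send to the API: the literal secret, base64-encoded."""
    return "Basic " + base64.b64encode(f"{user}:{secret}".encode()).decode()


def api_accepts(header: str, user: str, salt: bytes, stored: bytes) -> bool:
    """Toy API endpoint: decode the header and verify the password it carries."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        return False
    try:
        sent_user, _, sent_secret = base64.b64decode(blob).decode().partition(":")
    except ValueError:  # covers malformed base64 and undecodable bytes
        return False
    return sent_user == user and verify_password(sent_secret, salt, stored)


def demo() -> dict:
    salt, stored = hash_password(PASSWORD)
    return {
        # A platform that kept the recoverable password can act as the user.
        "with_password": api_accepts(basic_auth_header(USER, PASSWORD), USER, salt, stored),
        # A platform that kept only the hash has nothing the API will accept.
        "with_hash": api_accepts(basic_auth_header(USER, stored.hex()), USER, salt, stored),
    }
```

The hash is enough to check a password someone hands you, but it cannot be turned back into the value the Basic auth header needs, which is why an intermediary that logs in for you has to keep the secret in a recoverable form.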
What they do is either
There are different options to secure API calls through basic auth. The most interesting is to use API Tokens, also called personal access tokens or API keys.
Have a look at the alternatives to personal access tokens here
You can think of personal access tokens as the middle ground between a password and a hash: