Why No-Code Platforms Can’t Hash Your Password

Why No-Code Platforms Can’t Hash Your Password

No-code platforms need to impersonate users to create automations and integrations. Unfortunately, accessing your password means they can't do a very good job at hiding it.

I used to underestimate the security risks of using external platforms that authenticate to an API on your behalf using your credentials.

After all, if that’s their business, they surely do a good job at protecting the passwords and they will do to any length to follow industry standards.

Well, it happens to be the case that the industry standard for storing passwords is to hash them and salt them.

The problem is precisely that no-code platforms can’t do that, even if they wanted.

Let me explain you why Zapier, for example, doesn’t hash your password.

Watch the video if you’re in a hurry:

How hashing passwords works

Cost and time to hash in the bcrypt method (0Auth) that no-code platforms — Using methods like 0Auth’s bcrypt the time to hash increases exponentially with the cost.

When an application stores a user password in a database, it hashes it, then stores the resulting hash code. The password is visible in the web server, but it never enters the database server.

When a user authenticates again, the application doesn’t use the literal password. Instead, it takes the password through the same hashing process, then compares the result to what’s stored in your database for that user:

If there’s a match, then the login succeeds and the user is authenticated.
If there’s no match, then the user will be shown a login error.

Why can’t no-code platforms do this?

No-code platforms can’t follow this process, because they want to access an API on behalf of a user.

What does this mean? That they need to use your password as if they were you. And you don’t use a hash, do you? You don’t even see it.

If Zapier hashed the password and stored the result, they wouldn’t be able to access the password again when it’s needed.

What they do is either

store the password in clear text
encode it so that they can later decode it. Then each time it has to be used, the code is reversed and the password is used for authentication.

An example of ancient Roman encoding that can be easily reversed

How can no-code platforms access APIs securely?

There are different options to secure API calls through basic auth. The most interesting is to use API Tokens, also called personal access tokens or API keys.

Have a look at the alternatives to personal access tokens here

You can think of personal access tokens as the middle ground between a password and a hash:

They replace passwords
They’re checked by the API resource to match the token stored in the database for that user
They can’t be used by a user to log into the application

The benefits of API Tokens

Compromised API Tokens don’t propagate. Since each token is used for a specific connection, an attacker cannot use it for other connections or applications.
You can set up permissions. For example, you could permit your developers to create tokens, but force business users to ask for a token to an administrator.
Personal access tokens can also be scoped. This means that you could for example create a token that only allows reading information from the database. If this token is compromised, an attacker won’t be able to mess with your data.
Additionally, you can define the expiration date at a system level and for each token. If you need a script for a specific project that will end next week, you can make sure that the connectivity of the token will not outlive the project.

You can start using personal access tokens for Jira, Confluence and Bitbucket (both Server and Data Center) with a free trial.

Subscribe to our newsletter:

Jaime Capitel

With a background in philosophy and translation, Jaime loves to explore software products and use them to tell business stories.

Tags:

API Security API Tokens Jira API

Related articles:

Why API Token Authentication should replace Bitbucket personal tokens

Why API Token Authentication should replace Bitbucket personal tokens

How API Token Authentication helped Automation Consultants secure their Jira Server

How API Token Authentication helped Automation Consultants secure their Jira Server

3 Ways to Promote Secure Jira API Authentication For Your Users

3 Ways to Promote Secure Jira API Authentication For Your Users

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.

Accept Selection

Necessary

Always Enabled

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.

Cookie	Duration	Description
_ga	1years 19days 23hours 59minutes	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gat_UA	1 minute	Used to throttle request rate. If Google Analytics is deployed via Google Tag Manager, this cookie will be named `_dc_gtm_<property-id>`.
_gat_UA-44969175-9	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	23 hours 59 minutes	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
CONSENT	16 years 3 months 13 hours	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
b3e783bb62	session	This cookie is set by the provider Zoho. This cookie is used for collecting information on user interaction with the web-campaign content. This cookie helps the website owners to promote products and events on the CRM-campaign-platform.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
NID	6 months	NID cookie, set by Google, is used for advertising purposes; to limit the number of times the user sees an ad, to mute unwanted ads, and to measure the effectiveness of ads.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.

Cookie	Duration	Description
_calendly_session	21 days	Store user preferences
_zcsr_tmp	session	Used for website security
1e5a17c8ab	session	No description available.
3eb9b21c5c	session	No description available.
4662279173	session	No description available.
AnalyticsSyncHistory	1 month	Used to store information about the time a sync with the lms_analytics cookie took place for users in the Designated Countries
cookielawinfo-checkbox-functional	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
d4bcc0a499	session	No description available.
li_gc	2 years	Used to store consent of guests regarding the use of cookies for non-essential purposes
m	2 years	No description available.
zft-sdc	12 hours	This cookie stores metadata ( entrances, source etc) of a session which is used by full tracking. (https://www.zoho.com/privacy/cookie-policy.html)
zps-tgr-dts	1 year	This cookie stores the session's metadata on your website.
zsc	30 minutes	Zoho Service Communication Key.