Why No-Code Platforms Can’t Hash Your Password

Share on linkedin
LinkedIn
Share on twitter
Twitter
Share on reddit
Reddit
Share on facebook
Facebook
No-code platforms need to impersonate users to create automations and integrations. Unfortunately, accessing your password means they can't do a very good job at finding it.

Table of Contents

I used to underestimate the security risks of using external platforms that authenticate to an API on your behalf using your credentials.

After all, if that’s their business, they surely do a good job at protecting the passwords and they will do to any length to follow industry standards.

Well, it happens to be the case that the industry standard for storing passwords is to hash them and salt them.

The problem is precisely that no-code platforms can’t do that, even if they wanted.

Let me explain you why Zapier, for example, doesn’t hash your password.

Watch the video if you’re in a hurry:

How hashing passwords works

Cost and time to hash in the bcrypt method (0Auth) that no-code platforms
Using methods like 0Auth’s bcrypt the time to hash increases exponentially with the cost.

When an application stores a user password in a database, it hashes it, then stores the resulting hash code. The password is visible in the web server, but it never enters the database server.

When a user authenticates again, the application doesn’t use the literal password. Instead, it takes the password through the same hashing process, then compares the result to what’s stored in your database for that user:

  • If there’s a match, then the login succeeds and the user is authenticated.
  • If there’s no match, then the user will be shown a login error.

Why can’t no-code platforms do this?

No-code platforms can’t follow this process, because they want to access an API on behalf of a user.

What does this mean? That they need to use your password as if they were you. And you don’t use a hash, do you? You don’t even see it.

If Zapier hashed the password and stored the result, they wouldn’t be able to access the password again when it’s needed.

What they do is either

  • store the password in clear text
  • encode it so that they can later decode it. Then each time it has to be used, the code is reversed and the password is used for authentication.
An example of ancient Roman encoding that can be easily reversed

How can no-code platforms access APIs securely?

There are different options to secure API calls through basic auth. The most interesting is to use API Tokens, also called personal access tokens or API keys.

Have a look at the alternatives to personal access tokens here

You can think of personal access tokens as the middle ground between a password and a hash:

  • They replace passwords
  • They’re checked by the API resource to match the token stored in the database for that user
  • They can’t be used by a user to log into the application

The benefits of API Tokens

  • Compromised API Tokens don’t propagate. Since each token is used for a specific connection, an attacker cannot use it for other connections or applications.
  • You can set up permissions. For example, you could permit your developers to create tokens, but force business users to ask for a token to an administrator.
  • Personal access tokens can also be scoped. This means that you could for example create a token that only allows reading information from the database. If this token is compromised, an attacker won’t be able to mess with your data.
  • Additionally, you can define the expiration date at a system level and for each token. If you need a script for a specific project that will end next week, you can make sure that the connectivity of the token will not outlive the project.

You can start using personal access tokens for Jira, Confluence and Bitbucket (both Server and Data Center) with a free trial.

Share on linkedin
LinkedIn
Share on twitter
Twitter
Share on reddit
Reddit
Share on facebook
Facebook
SUBSCRIBE & FOLLOW
Get The Latest Updates
Subscribe To Our Newsletter
No spam, notifications only about new products, updates.
MOST POPULAR

Why still pay for Data Center SSO? Curated FAQs from over a dozen trainings

Over the last two months, our Co-CEO Christian Reichert went on a virtual tour to...

Read More

7 Benefits of Publishing HubSpot CRM Data in Confluence

HubSpot is a powerful source of information for the people who make decisions in your...

Read More

The 5 most exciting Confluence apps for marketing teams

There are many ways for Marketing teams to upgrade their Confluence experience and enjoy whiteboards,...

Read More

New User Sync integration with Linchpin User Profiles

Linchpin User Profiles are an essential piece of the Linchpin Intranet Suite, with hundreds and...

Read More
Categories
Tags
Read our recent posts
Hubspot CRM for Confluence macro
7 Benefits of Publishing HubSpot CRM Data in Confluence

HubSpot is a powerful source of information for the people who make decisions in your organization. But it’s not always...

Read More
The 5 most exciting Confluence apps for marketing teams

There are many ways for Marketing teams to upgrade their Confluence experience and enjoy whiteboards, calendars, planning, and budgets directly...

Read More
idp - usersync - linchpin
New User Sync integration with Linchpin User Profiles

Linchpin User Profiles are an essential piece of the Linchpin Intranet Suite, with hundreds and hundreds of Confluence customers. Adding...

Read More