Should the password be plain text when creating a user through the API?

(Mike Redick) #1

I’m creating a small Windows application that will use Discourse as the SSO provider. The first step in that chain is allowing the app to create a user through the Discourse API.

I’ve got that working, however it seems that the password for the user is passed in plain text and I’m wondering why that is? It seems like that could be a security issue… is the thought just that people should use SSL and that’s good enough to protect the password?

(Matt Palmer) #2

Yes, SSL is considered sufficient to protect secrets in-flight. Until the world sees the light and switches to something like TLS-SRP, sharing secrets over a secured channel is pretty much all we’ve got to work with.
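The flow the question describes (an app creating a Discourse user with the password as an ordinary request field) and the answer's point that the TLS channel is what protects it, as an added example that is not from either poster or from Discourse itself: the client refuses to build the request unless the scheme is https, and sends it with certificate and hostname verification on. It assumes Discourse's POST /users.json form fields and Api-Key / Api-Username headers; the host and key are placeholders.

```python
import ssl
import urllib.parse
import urllib.request


class InsecureTransport(ValueError):
    """Raised when the password would leave the client without TLS."""


def transport_is_secure(base_url):
    """True only for https URLs; the password field has no protection of its own."""
    return urllib.parse.urlsplit(base_url).scheme == "https"


def build_create_user_request(base_url, api_key, api_username,
                              name, email, username, password):
    """Build the POST /users.json request, or raise if base_url is not https."""
    if not transport_is_secure(base_url):
        raise InsecureTransport("refusing to send a password over a non-TLS URL")
    # Assumed Discourse form fields; the password travels as plain form data
    # inside the TLS-encrypted request body.
    body = urllib.parse.urlencode({
        "name": name, "email": email, "username": username, "password": password,
    }).encode()
    return urllib.request.Request(
        urllib.parse.urljoin(base_url, "/users.json"), data=body, method="POST",
        headers={"Api-Key": api_key, "Api-Username": api_username,
                 "Content-Type": "application/x-www-form-urlencoded"},
    )


def send(request):
    """Send with the platform CA store; the default context verifies cert and hostname."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(request, context=ctx) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    # Placeholder host and key (constructed); nothing is sent here.
    req = build_create_user_request("https://forum.example.com", "PLACEHOLDER_API_KEY",
                                    "system", "Jane Doe", "jane@example.com",
                                    "jane", "correct horse battery staple")
    print(req.get_method(), req.full_url)
```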