Hacker News
by xyzzy123 2712 days ago
Hm, I might be writing at cross purposes (I think you were addressing passwords?), but:

API keys are quite different from passwords and it makes sense to store and secure them differently.

If your site is generating API keys, then you should ensure that they are, say, 128 bits of high-quality entropy and use a fast hash.

Nobody is going to invert that, even if you use a single round of SHA-256 / HMAC / whatever.

It’s a good thing too, because API keys need to get validated on every request and you wouldn’t want to use a heavy function (tens of millis, like a decent KDF) on every request.
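The scheme described in the comment above, as an added example that is not part of the original thread: a 128-bit random key is issued, only its SHA-256 digest is stored, and each request is checked with one hash and a constant-time compare. The `<key_id>.<secret>` key format, the in-memory `store` dict and the PBKDF2 iteration count used for the cost comparison are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

KEY_BYTES = 16  # 128 bits of CSPRNG output, the size suggested in the comment


def digest(secret: str) -> bytes:
    """One round of SHA-256; adequate only because the input is 128 random bits."""
    return hashlib.sha256(secret.encode("utf-8")).digest()


def issue_key(store: dict, owner: str) -> str:
    """Create a key of the assumed form '<key_id>.<secret>'; keep only the digest."""
    key_id = secrets.token_hex(8)              # public lookup handle, not a secret
    secret = secrets.token_urlsafe(KEY_BYTES)  # 16 random bytes -> 22 URL-safe chars
    store[key_id] = (owner, digest(secret))
    return f"{key_id}.{secret}"                # shown to the client once, never stored


def validate(store: dict, presented: str):
    """Return the owner for a valid key, else None. Runs on every request."""
    key_id, sep, secret = presented.partition(".")
    record = store.get(key_id)
    if not sep or record is None:
        return None
    owner, stored = record
    return owner if hmac.compare_digest(stored, digest(secret)) else None


def seconds_per_call(fn, rounds: int) -> float:
    start = time.perf_counter()
    for _ in range(rounds):
        fn()
    return (time.perf_counter() - start) / rounds


def compare_costs():
    """Per-check cost of SHA-256 versus PBKDF2 (100,000 iterations is a constructed figure)."""
    s = b"x" * 22
    fast = seconds_per_call(lambda: hashlib.sha256(s).digest(), 10_000)
    slow = seconds_per_call(lambda: hashlib.pbkdf2_hmac("sha256", s, b"salt", 100_000), 3)
    return fast, slow


if __name__ == "__main__":
    fast, slow = compare_costs()
    print(f"SHA-256: {fast * 1e6:.1f} us/check, PBKDF2: {slow * 1e3:.1f} ms/check")
```

The fast hash is safe here only because the server generates the secret; a user-chosen value in the same field would need a password KDF.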