
I have to create an API that is only allowed to be consumed by one third-party company we are working with. Unfortunately, the API has to be connected to the internet. For authentication, the other company is going to pass a password in each request they make to the API. How long should the password be to eliminate brute forcing? We can't lock the account out, as that will create a DoS problem. The API contains PII of our customers.

I would like to make it 100+ characters, but maybe that's overkill?

Weare Mwam

1 Answer

First of all: is there no better way you can secure the connection? Mutual TLS (also called "mTLS" or "TLS with client certificates") is the usual approach for secure machine-to-machine connections. You might also consider using a zero-knowledge proof of ownership of the shared secret (such as using it to compute an HMAC or similar) rather than transmitting it each time (this is how e.g. AWS access keys are used).

To more directly answer your question: Don't think of it as a "password" with a length in characters. Passwords are secrets meant to be stored in a human memory and transmitted by human speech or text entry. For machine-to-machine communication, you want an API key, which should be generated using a cryptographically-secure [pseudo-]random number generator. The entropy (which in this case means length) of the key should be at least 128 bits (16 bytes), though longer keys (such as 256 bits) are common. 16 or even 32 bytes might sound very short compared to a 100+ character password (though note that the key's textual representation will be longer if you use common text-friendly encodings such as base64 or hex [base16]). However, even 128 bits is enough that if every computer on earth spent all their cycles doing nothing but trying to guess the value, and checking if it was correct was instantaneous and free, and they never overlapped or repeated... the expected time for any of them to guess the right key would still be on the order of at least tens of millions of years. 2^128 is a REALLY large number of possibilities!

CBHacking
  • I wanted to use client certificate, but company said no. So according to you, 256 bits is enough, which means a 41 character password (with 76 symbols per character) should suffice. Thanks – Weare Mwam Jul 08 '21 at 08:00
  • If you're not having a human generate it, or expecting a human to memorize it, then yes, 76^41 is enough entropy, assuming the values are securely random. – CBHacking Jul 08 '21 at 08:25
  • 256 bits is more than overkill. Even [192 bits is overkill](https://security.stackexchange.com/a/168483/127837). 128 bits is more than enough, especially since brute-forcing a web API requires queries, limiting the available computing power that can be used. – A. Hersean Jul 08 '21 at 08:37
  • I agree that it is overkill, but it can't hurt? – Weare Mwam Jul 08 '21 at 13:48
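The points made in the answer and the comments, as an added example that is not part of the original post: generating a key from the OS CSPRNG, checking the entropy of the "41 characters from 76 symbols" scheme, estimating brute-force time at an assumed guess rate, and proving possession of the secret with an HMAC over the request instead of sending the secret itself. The request fields, the 300-second clock skew and the guess rate are constructed assumptions.

```python
import hashlib
import hmac
import math
import secrets

KEY_BITS = 256  # the answer asks for at least 128 bits; 256 is common


def generate_api_key(bits: int = KEY_BITS) -> str:
    """Random key with `bits` of entropy from the OS CSPRNG, as URL-safe
    base64 text (the textual form is longer than the raw bytes)."""
    return secrets.token_urlsafe(bits // 8)


def key_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet_size).
    The comments' scheme, 41 chars from 76 symbols, gives about 256 bits."""
    return length * math.log2(alphabet_size)


def expected_bruteforce_years(bits: int, guesses_per_second: float) -> float:
    """Expected years to hit a random `bits`-bit key at a constant guess rate:
    on average half the keyspace must be searched."""
    return (2 ** (bits - 1)) / guesses_per_second / (365.25 * 24 * 3600)


def sign_request(secret: bytes, method: str, path: str, body: bytes,
                 timestamp: int) -> str:
    """HMAC-SHA256 over the request; the shared secret never leaves the client.
    The body is hashed first so large payloads are bound without re-reading."""
    msg = f"{method}\n{path}\n{timestamp}\n".encode() + hashlib.sha256(body).digest()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_request(secret: bytes, method: str, path: str, body: bytes,
                   timestamp: int, signature: str, now: int,
                   max_skew: int = 300) -> bool:
    """Server side: reject stale timestamps (replay window) and compare the
    recomputed MAC in constant time so timing does not leak the secret."""
    if abs(now - timestamp) > max_skew:
        return False
    expected = sign_request(secret, method, path, body, timestamp)
    return hmac.compare_digest(expected, signature)
```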