Secure Transmission of API Passwords
Currently, when communicating with the LogicMonitor API, passwords are required to be sent in plaintext in the URL. This results in the username/password of the API account being intercepted anywhere logging of the URL occurs (proxies, network logging, etc.).
Additionally, since LM treats API users like any other user, having the user/pass in plaintext permits anyone who sees the URL to log into the LM web interface as the API user and see or do anything the API user can do.
This can be prevented by making some relatively simple changes to the API handler.
1) Permit the arguments of an API request to be made via POST instead of GET
HTTPS POST requests will ensure that the vars are encrypted with the rest of the HTTPS request.
2) Permit hashing of the password
This prevents those who see the password from being able to access the LM web-interface and obfuscates the clear-text version of the password.
PS: Call me paranoid if you want, but communication with the LM API is done over the public internet and plaintext passwords make me nervous.
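
An added example, not part of the original post: a Python scanner for access logs that finds requests carrying a password in the URL query string and redacts the value, showing why the GET form leaks into logs while the POST form does not. The parameter names, paths, hosts and log lines are constructed assumptions, not LogicMonitor's documented API.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed names for password-bearing query parameters; adjust to the API in use.
SENSITIVE_PARAMS = {"p", "password", "passwd", "pwd"}

# Request line inside a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def redact_target(target):
    """Return (redacted_target, names_of_redacted_params)."""
    parts = urlsplit(target)
    hits, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS and value:
            hits.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    if not hits:
        return target, []
    return urlunsplit(parts._replace(query=urlencode(pairs))), hits


def scan_log(lines):
    """Return (findings, cleaned_lines); findings are (line_no, method, params)."""
    findings, cleaned = [], []
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m:
            target, hits = redact_target(m.group("target"))
            if hits:
                findings.append((no, m.group("method"), hits))
                line = line[:m.start("target")] + target + line[m.end("target"):]
        cleaned.append(line)
    return findings, cleaned


# Constructed sample lines (hosts, paths and credentials are made up).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /api/getHosts?c=acme&u=apiuser&p=S3cr3t%21 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "POST /api/getHosts HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /status?page=2 HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    findings, cleaned = scan_log(SAMPLE_LOG)
    for finding in findings:
        print("credential in URL:", finding)
    print("\n".join(cleaned))
```

Only the GET entry is flagged: the POST request line carries no query string, so the same credentials sent in the body never reach this log.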