Support » Plugin: Application Passwords » Convenient and more secure than using User passwords

  • Application Passwords has been a life-saver. Using Application Passwords is *much* simpler than using a full oAuth implementation and is more secure than using standard passwords via Basic Auth. OAuth is, in many cases, overkill and not the right solution (i.e. when you’re building a trusted application to interface with your own WordPress website) — not to mention oAuth is very cumbersome to test via the command line. Just make sure any production site you use with Application Passwords is forcing HTTPS — because any kind of basic authentication is going to be unsafe over an unencrypted connection. 🙂

Viewing 2 replies - 1 through 2 (of 2 total)
  • Hi Blair,

    Very insightful review, thanks.

    I was wondering though: since the credentials in the Authorization header are not encrypted (making HTTPS mandatory to prevent eavesdropping), why do you see Application Passwords as more secure than Basic Auth?



    Thread Starter Blair Williams


    Thanks @moreauf … that’s a good question. You actually still use Basic Auth with Application Passwords so as far as the actual request there’s no difference in security. But Application Passwords are more secure because they’re more limited than your actual password. If someone got a hold of one of your application passwords he/she could only use it with the API on your site — he/she couldn’t actually log in to your wp-admin with it.

    Also, numerous application passwords can be created. The idea is that you could use a unique application password for each external system you’ve connected to your site’s API. So if one of your application passwords gets compromised then you’d just revoke the one and, in theory, none of your others would be affected.

    I find that Application Passwords also just makes things more convenient. If I’m working with another developer on an API centric project I can generate an application password for him/her and revoke it when the project’s done … without revealing my actual password.

    Could a hacker wreak havoc if he/she got a hold of one of your application passwords? Yes. But it’s going to be a bit harder. So you still absolutely need SSL but Application Passwords adds an additional layer of security and convenience that makes it a great option for many people.

    Hope that helps, Blair

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Convenient and more secure than using User passwords’ is closed to new replies.