What secret key to use in JWT?
Yes, they say to use one key, for example qwerty, for all users, but the problem is that if an attacker learns qwerty, he will take over all user accounts. Shouldn't the key be unique for every user? If so, what should be used, for example?
You can find out the key only by hacking the server. In this case, someone's knowledge of the key would be the least of the problems.
Generate a normal key of adequate length and complexity. As far as I understand, this is just a salt used for hashing when generating a token; knowing it does not mean that you know all logins and passwords, it only means that without knowing this salt you cannot artificially generate a valid token.
First, there are two main ways to generate signatures: HS (symmetric) and RS (asymmetric) tokens. Of course, you should use asymmetric ones for greater reliability.
Second, JWT is not about security. All information in the token is public and only the client decides how to treat it. You can always ask the server about the validity of this token.
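The point made in the answers above, that one strong server-side key is enough because a token cannot be minted or altered without it, shown as an added example in plain Python with only the standard library (this is not code from the thread; the HS256 signing and verification functions, the 32-byte random key and the sample claims are assumptions made for illustration):

```python
import base64, hashlib, hmac, json, secrets

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def generate_secret() -> bytes:
    # 32 random bytes (256 bits) is the minimum key size RFC 7518 recommends for HS256.
    # This is the one server-side secret; it is never sent to clients or stored per user.
    return secrets.token_bytes(32)

def sign_hs256(payload: dict, key: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_hs256(token: str, key: bytes):
    """Return the claims if the token is well-formed and its signature matches, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "HS256":       # reject 'none' and any other algorithm
            return None
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):  # constant-time compare
            return None
        return json.loads(b64url_decode(p))
    except ValueError:                         # bad base64 / JSON / wrong number of parts
        return None

def demo():
    server_key = generate_secret()
    token = sign_hs256({"sub": "alice", "role": "user"}, server_key)   # constructed claims
    accepted = verify_hs256(token, server_key)                          # genuine token
    weak_guess = verify_hs256(token, b"qwerty")                         # wrong key: rejected
    # Editing the (public, readable) payload invalidates the signature, so the
    # server rejects the token even though the claims are plainly visible.
    h, _, s = token.split(".")
    edited = b64url(json.dumps({"sub": "alice", "role": "admin"}).encode())
    tampered = verify_hs256(f"{h}.{edited}.{s}", server_key)
    return accepted, weak_guess, tampered

if __name__ == "__main__":
    print(demo())
```

The claims stay readable by anyone holding the token, which is the second answer's point; only the ability to produce a token the server accepts depends on the key.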