Passwords
Passwords are tricky and sensitive. Leaking a password can make someone other than you access the resources and the data otherwise protected.
curl offers several ways to receive passwords from the user and then subsequently pass them on or use them to something else.
The most basic curl authentication option
is -u / --user. It accepts an argument that is the user
name and password, colon separated. Like
when alice wants to request a page requiring
HTTP authentication and her password is
'12345':
$ curl -u alice:12345 http://example.com/
Several potentially bad things are going on here. First, we are entering a password on the command line and the command line might be readable for other users on the same system (assuming you have a multi-user system). curl will help minimize that risk by trying to blank out passwords from process listings.
One way to avoid passing the user name and
password on the command line is to instead
use a
.netrc file
or a
config file. You can also use the -u
option without specifying the password, and
then curl will instead prompt the user for
it when it runs.
Secondly, this command line sends the user credentials to an HTTP server, which is a clear-text protocol that is open for man-in-the-middle or other snoopers to spy on the connection and see what is sent. In this command line example, it makes curl use HTTP Basic authentication and that is completely insecure.
There are several ways to avoid this, and the key is, of course, then to avoid protocols or authentication schemes that sends credentials in plain text over the network. Easiest is perhaps to make sure you use encrypted versions of protocols. Use HTTPS instead of HTTP, use FTPS instead of FTP and so on.
If you need to stick to a plain text and
insecure protocol, then see if you can
switch to using an authentication method
that avoids sending the credentials in the
clear. If you want HTTP, such methods would
include Digest (--digest), Negotiate (--negotiate.) and NTLM (--ntlm).
