undefined | Better HN

0 pointszzbzq3y ago0 comments

I got a bulletin from our security team saying Postman stores it all in plain text on their servers. Unbelievable if true. Haven't used it since. They have all your passwords.

0 comments

pletnes3y ago

I had this gut feeling, but no way to check. The handling of secrets is not explicitly states, i.e probably bad.

I like the looks of httpie’s new desktop client but no idea if their secret handling is any better.

Cederfjard3y ago

This is from their website: https://www.postman.com/trust/security/

> Depending upon its sensitivity classification, customer data is AES-256-GCM encrypted at the server-side before storage. Postman environment variables are covered in this classification and we strongly encourage you to use them to store your authentication keys and passwords. We have also added sessions in the 6.2 release onwards of Postman. We recommend using session variables for any data that you do not want to be synced to Postman's servers.

aliqot3y ago

> Depending upon its sensitivity classification

What does this mean?

1 more reply

jkbr3y ago

Here’s how we do it: https://httpie.io/blog/changelog-0017#data-security

j / k navigate · click thread line to collapse