[Vtigercrm-developers] password vs accessKey

Adam Heinz amh at metricwise.net
Thu Mar 21 17:13:28 UTC 2013


Why do we need both?  I've recently written a small mobile application
(barcode scanner on a Windows Mobile device) to track Assets.  It uses the
web service for everything.  The web service only allows login with
accessKey, not password.  Originally, we thought this wasn't a big deal,
but we've run into a number of problems:

1. There is no mechanism for changing the accessKey.  It's randomly
generated as something a human could never remember, and it is not possible
to edit it from Settings > Users as an administrator.
2. The accessKey is stored in the database as plain text, and displayed via
Settings > Users.

The simplest thing for our customers' warehouse staff would be to use the
same password that they use to access the CRM.  I'm strongly inclined to
add a password login action to the web service.  In the cases where we use
a true access key for an automated process, we create a corresponding user,
so that the ModTracker change log reflects that the automated process made
the change.

The only scenario I can envision where having the separate password and
accessKey is useful is if you want to prevent someone from logging into the
CRM (as an automated account, perhaps), but this begs the question, why not
use a single password, then add flags to the account marking whether they
have web service API access, CRM access or both?

Opinions?
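
A sketch of the design the post argues for, as an added example that is not part of the original message and is not vtiger code: one account record with per-channel flags, and an access key that can be rotated and is stored only as a salted hash. The names `Account`, `rotate_key`, `login` and the channel labels are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical channel flags, after the post's "web service API access, CRM access or both".
CRM, API = "crm", "api"


@dataclass
class Account:
    name: str
    channels: set          # which of CRM / API this account may log in through
    key_salt: bytes = b""
    key_hash: bytes = b""  # only a salted hash of the access key is kept


def _digest(salt: bytes, key: str) -> bytes:
    # A slow KDF, so the stored value also resists guessing when the secret is human-chosen.
    return hashlib.pbkdf2_hmac("sha256", key.encode(), salt, 200_000)


def rotate_key(acct: Account) -> str:
    """Issue a new access key; the plaintext is returned once and never stored."""
    key = secrets.token_urlsafe(24)
    acct.key_salt = secrets.token_bytes(16)
    acct.key_hash = _digest(acct.key_salt, key)
    return key


def login(acct: Account, channel: str, key: str) -> bool:
    """Allow login only if the channel flag is set and the key matches."""
    if channel not in acct.channels or not acct.key_hash:
        return False
    return hmac.compare_digest(_digest(acct.key_salt, key), acct.key_hash)


if __name__ == "__main__":
    # Constructed sample account: an automated process with API access only.
    svc = Account("barcode-sync", {API})
    old = rotate_key(svc)
    print("API login:", login(svc, API, old))
    print("CRM login:", login(svc, CRM, old))
    rotate_key(svc)
    print("old key after rotation:", login(svc, API, old))
```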