Passwords are the most common authentication factor for our users. Authentication factors are ways in which users verify their identity to gain access to your application.
In your Auth Dashboard, you can enable and disable different authentication factors in order to customize your login flow. The single-factor authentication factors include:
- Password
- Login link email (passwordless)
- SSO (single sign-on) provider like Google or Facebook
- Email verification code
- SMS verification code
- TOTP authenticator code
Password Requirements
Userfront enforces minimum password requirements to make your application(s) more secure:
- Passwords must be at least 16 characters long OR
- Passwords must be at least 8 characters long including a letter and a number.
- Passwords cannot exceed 512 characters in length.
These requirements are in line with National Institute of Technology (NIST) standards. NIST, which is a part of the U.S. Department of Commerce, is “responsible for developing information security standards and guidelines, including minimum requirements for federal system.”
Password Handling
Userfront does not store passwords in plain text. Passwords are stored as hashes and are encrypted at rest. Passwords are also not written to system logs.
We use the Bcrypt hashing function to generate password hashes, with a unique salt for each password. Additionally, Userfront limits the rate of password attempts at multiple levels, including per IP address, per user, and at the system-wide level.
- Password hashing function: Bcrypt
- Password hashing cipher: Blowfish
- Password salting: Unique per password
- Key stretching: Included
- Brute force attack resistance: Active
- Preimage attack resistance: Active
- Timing attack resistance: Active
- Rainbow table attack resistance: Active
- Log filtering: Active
- Password hash encryption at rest: Active
Read more about passwords in the Userfront Security Report.