Home

Passwords

A password is more secure if it is harder to guess or brute-force. In theory, a password is harder to guess if it is longer. It is also harder to guess if it uses a larger set of characters (for example, digits, lowercase and uppercase letters, and symbols).

Using passwords to authenticate users is a tried-and-tested method to give your users access to your application. Openfort Auth provides you with secure configuration options and uses best practices to store and verify your user's passwords.

Password security#

A password is more secure if it is harder to guess or brute-force. In theory, a password is harder to guess if it is longer. It is also harder to guess if it uses a larger set of characters (for example, digits, lowercase and uppercase letters, and symbols).

This table shows the minimum number of guesses that need to be tried to access a user's account:

Required charactersLengthGuesses
Digits only8~ 227
Digits and letters8~ 241
Digits, lower and uppercase letters8~ 248
Digits, lower and uppercase letters, symbols8~ 252

In reality though, passwords are not always generated at random. They often contain variations of names, words, dates, and common phrases. Malicious actors can use these properties to guess a password in fewer attempts.

There are hundreds of millions (and growing!) known passwords out there. Malicious actors can use these lists of leaked passwords to automate login attempts (known as credential stuffing) and steal or access sensitive user data.

Password strength and leaked password protection#

To help protect your users, Openfort Auth sets strength constrains of the passwords used on your project.

  • Set a large minimum password length. Anything less than 8 characters is not recommended.
  • Set the required characters that must appear at least once in a user's password. Use the strongest option of requiring digits, lowercase and uppercase letters, and symbols.
  • Prevent the use of leaked passwords. Openfort Auth uses the open-source HaveIBeenPwned.org Pwned Passwords API to reject passwords that have been leaked and are known by malicious actors.

Resetting a user's password (forgot password)#

Strong passwords are difficult to remember, so Openfort Auth provides you with APIs to build a secure password reset flow.

Coming soon