Password Security

A password is more secure if it is harder to guess or brute-force. In theory, a password is harder to guess if it is longer. It is also harder to guess if it uses a larger set of characters (for example, digits, lowercase and uppercase letters, and symbols).

Using passwords to authenticate users is a tried-and-tested method to give your users access to your application. Openfort Auth provides you with secure configuration options and uses best practices to store and verify your user's passwords.

Password security#

This table shows the minimum number of guesses that need to be tried to access a user's account:

Required characters	Length	Guesses
Digits only	8	~ 2²⁷
Digits and letters	8	~ 2⁴¹
Digits, lower and uppercase letters	8	~ 2⁴⁸
Digits, lower and uppercase letters, symbols	8	~ 2⁵²

In reality though, passwords are not always generated at random. They often contain variations of names, words, dates, and common phrases. Malicious actors can use these properties to guess a password in fewer attempts.

There are hundreds of millions (and growing!) known passwords out there. Malicious actors can use these lists of leaked passwords to automate login attempts (known as credential stuffing) and steal or access sensitive user data.

Password strength and leaked password protection#

To help protect your users, Openfort Auth sets strength constrains of the passwords used on your project.

Set a large minimum password length. Anything less than 8 characters is not recommended.
Set the required characters that must appear at least once in a user's password. Use the strongest option of requiring digits, lowercase and uppercase letters, and symbols.
Prevent the use of leaked passwords. Openfort Auth uses the open-source HaveIBeenPwned.org Pwned Passwords API to reject passwords that have been leaked and are known by malicious actors.