June 7, 2023

Passwords: The Most Common Authentication Factor

Passwords are the most common authentication factor for our users. Authentication factors are ways in which users verify their identity to gain access to your application.

In your Auth Dashboard, you can enable and disable different authentication factors in order to customize your login flow. The single-factor authentication factors include:

  • Password
  • Login link email (passwordless)
  • SSO (single sign-on) provider like Google or Facebook
  • Email verification code
  • SMS verification code
  • TOTP authenticator code

Password Requirements

Userfront enforces minimum password requirements to make your application(s) more secure:

  • Passwords must be at least 16 characters long OR
  • Passwords must be at least 8 characters long including a letter and a number.
  • Passwords cannot exceed 512 characters in length.

These requirements are in line with National Institute of Standards and Technology (NIST) standards. NIST, which is a part of the U.S. Department of Commerce, is “responsible for developing information security standards and guidelines, including minimum requirements for federal system.”

Password Handling

Userfront does not store passwords in plain text. Passwords are stored as hashes and are encrypted at rest. Passwords are also not written to system logs.

We use the Bcrypt hashing function to generate password hashes, with a unique salt for each password. Additionally, Userfront limits the rate of password attempts at multiple levels, including per IP address, per user, and at the system-wide level.

  • Password hashing function: Bcrypt
  • Password hashing cipher: Blowfish
  • Password salting: Unique per password
  • Key stretching: Included
  • Brute force attack resistance: Active
  • Preimage attack resistance: Active
  • Timing attack resistance: Active
  • Rainbow table attack resistance: Active
  • Log filtering: Active
  • Password hash encryption at rest: Active
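
The rules under Password Requirements can be mirrored in a client-side pre-check, shown here as an added example (not Userfront's code) that also flags input longer than the 72 bytes that bcrypt implementations generally use. Assumptions not stated on the page: length is counted in Unicode code points, "letter" means any Unicode letter, "number" means any Unicode decimal digit, and the name `checkPassword` and its reason strings are hypothetical.

```javascript
// Added example: pre-check mirroring the password rules listed on this page.
// Assumptions (not from the page): code-point length, Unicode letter/digit classes.
const MIN_LONG = 16;  // at or above this length, no character-class rule applies
const MIN_SHORT = 8;  // between 8 and 15, a letter and a number are required
const MAX_LEN = 512;  // upper bound stated on the page
// General bcrypt property: implementations use at most the first 72 bytes of input.
const BCRYPT_INPUT_BYTES = 72;

function checkPassword(password) {
  if (typeof password !== "string") {
    return { ok: false, reason: "not_a_string", warnings: [] };
  }
  // Count code points so an emoji or other astral character counts once,
  // not twice as it would with String.prototype.length (UTF-16 units).
  const length = Array.from(password).length;
  const utf8Bytes = new TextEncoder().encode(password).length;

  const warnings = [];
  if (utf8Bytes > BCRYPT_INPUT_BYTES) {
    warnings.push("exceeds_bcrypt_72_bytes");
  }

  if (length > MAX_LEN) return { ok: false, reason: "too_long", warnings };
  if (length >= MIN_LONG) return { ok: true, reason: "long_enough", warnings };
  if (length < MIN_SHORT) return { ok: false, reason: "too_short", warnings };

  // 8 to 15 characters: require at least one letter and one number.
  const hasLetter = /\p{L}/u.test(password);
  const hasNumber = /\p{Nd}/u.test(password);
  if (hasLetter && hasNumber) {
    return { ok: true, reason: "letter_and_number", warnings };
  }
  return { ok: false, reason: hasLetter ? "missing_number" : "missing_letter", warnings };
}

// Constructed sample inputs, for illustration only.
for (const sample of ["abc12345", "abcdefgh", "correct horse battery"]) {
  console.log(JSON.stringify(sample), checkPassword(sample));
}
```

The page does not say how Userfront treats passwords beyond bcrypt's input limit, so the warning is informational and does not reject the password.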

Read more about passwords in the Userfront Security Report.
