
Password Hashing and Storage

Introduction

Password security is a critical aspect of protecting user accounts and data. SSOJet employs robust methods and protocols for password hashing and storage to ensure that passwords are securely stored and resistant to unauthorized access and attacks. This document provides a detailed overview of the password hashing and storage practices used by SSOJet.

Scope

This document covers the following aspects of password hashing and storage:
  • Password hashing algorithms
  • Salting techniques
  • Storage methods
  • Best practices
  • Regular audits and updates
Password Hashing Algorithms

SSOJet uses industry-standard hashing algorithms to securely hash passwords. The algorithms are chosen based on their security, efficiency, and resistance to attacks such as brute force and rainbow table attacks.

1. bcrypt
  • Description: bcrypt is a widely used password hashing algorithm that incorporates a salt to protect against rainbow table attacks and an adaptive cost factor to prevent brute force attacks.
  • Cost Factor: The cost factor can be adjusted to increase the computational effort required to hash a password, making it more resistant to brute force attacks.
  • Implementation: bcrypt is implemented using the bcrypt library, which is a well-maintained and widely accepted library for password hashing.

2. Argon2
  • Description: Argon2 is an advanced password hashing algorithm that won the Password Hashing Competition in 2015. It is designed to be resistant to GPU cracking attacks and offers configurable memory and time costs.
  • Memory and Time Costs: Argon2 allows the customization of memory and time costs to balance security and performance.
  • Implementation: Argon2 is implemented using the argon2 library, which is recommended for new applications due to its enhanced security features.
Salting Techniques

Salting is a technique used to add random data to passwords before hashing to ensure that even identical passwords produce unique hashes.

1. Unique Salt per Password
  • Generation: A unique salt is generated for each password using a cryptographically secure random number generator.
  • Length: The salt length is typically 16 bytes, providing sufficient randomness to protect against pre-computed attacks.
  • Storage: Salts are stored alongside the hashed passwords in the database.

2. Combining Salt with Password
  • Process: The salt is concatenated with the password before hashing, ensuring that each hash is unique even if the passwords are the same.
  • Format: The salt and hashed password are stored together in a standardized format, such as $algorithm$salt$hash.
Storage Methods

Securely storing hashed passwords is crucial to preventing unauthorized access and ensuring data integrity.

1. Encrypted Databases
  • Encryption: Password hashes and salts are stored in encrypted databases to provide an additional layer of security.
  • Encryption Algorithms: AES-256 is used for database encryption, ensuring that data is protected even if the database is compromised.

2. Environment Isolation
  • Separation of Environments: The environments used for hashing and storing passwords are isolated to minimize the risk of unauthorized access.
  • Access Control: Strict access control measures are implemented to limit access to the environments where password hashing and storage occur.
Best Practices

SSOJet follows best practices for password hashing and storage to enhance security and mitigate risks.

1. Regular Audits
  • Frequency: Conduct regular audits of password hashing and storage practices to identify and address potential vulnerabilities.
  • Third-Party Audits: Engage third-party security firms to perform independent audits and penetration testing.

2. Hash Updates
  • Algorithm Updates: Periodically review and update hashing algorithms to ensure they remain secure against evolving threats.
  • Rehashing: Implement mechanisms to rehash passwords using updated algorithms and cost factors when users log in or change their passwords.

3. User Education
  • Strong Password Policies: Educate users about the importance of creating strong, unique passwords.
  • Password Managers: Encourage users to use password managers to generate and store complex passwords securely.
Regular Audits and Updates

SSOJet is committed to maintaining the highest level of security for password hashing and storage through regular audits and updates.

1. Audit Procedures
  • Internal Audits: Conduct regular internal audits to review and assess the effectiveness of password hashing and storage practices.
  • Audit Reports: Document audit findings and implement corrective actions as needed.

2. Algorithm and Cost Factor Reviews
  • Periodic Reviews: Regularly review and update the hashing algorithms and cost factors to ensure they remain secure against new attack vectors.
  • Rehashing Mechanisms: Implement mechanisms to rehash passwords when users log in or change their passwords, ensuring that they are protected by the latest security measures.
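The verify-and-rehash flow described under Combining Salt with Password and under Hash Updates / Rehashing Mechanisms, as an added example that is not SSOJet's code: each record is stored as $algorithm$cost$salt$hash (the page's format plus a cost field, as bcrypt's own modular format carries, so a login can tell a stale record from a current one), salts are 16 bytes from a CSPRNG, and a correct login against a stale record returns an upgraded record to write back. PBKDF2-HMAC-SHA256 from Python's standard library is assumed in place of bcrypt/Argon2 so the example runs without third-party packages; the function names and the 600,000-iteration policy are assumptions.

```python
import base64
import hashlib
import hmac
import secrets

# Policy for newly created hashes (assumed values). PBKDF2-HMAC-SHA256 stands in for
# bcrypt/Argon2 here; the record format and upgrade-on-login logic are KDF-independent.
CURRENT_ALGORITHM = "pbkdf2-sha256"
CURRENT_COST = 600_000   # iteration count; raise it as hardware gets faster
SALT_BYTES = 16          # one fresh CSPRNG salt per password


def parse_record(record: str) -> tuple[str, int, bytes, bytes]:
    """Split a $algorithm$cost$salt$hash record into fields (salt and hash base64-decoded)."""
    empty, algorithm, cost, salt_b64, digest_b64 = record.split("$")
    if empty != "":
        raise ValueError("record must start with '$'")
    return algorithm, int(cost), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def hash_password(password: str, cost: int = CURRENT_COST) -> str:
    """Hash with a new random salt and return the self-describing storage record."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cost)
    return "$%s$%d$%s$%s" % (CURRENT_ALGORITHM, cost,
                             base64.b64encode(salt).decode("ascii"),
                             base64.b64encode(digest).decode("ascii"))


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record; compare in constant time."""
    try:
        algorithm, cost, salt, expected = parse_record(record)
    except ValueError:                    # covers bad field count, non-int cost, bad base64
        return False                      # malformed record: never authenticate
    if algorithm != "pbkdf2-sha256":
        return False                      # unknown KDF: cannot verify
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cost)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True if the record predates the current algorithm or cost policy."""
    algorithm, cost, _, _ = parse_record(record)
    return algorithm != CURRENT_ALGORITHM or cost < CURRENT_COST


def login(password: str, record: str) -> tuple[bool, str]:
    """Verify at login; on success with a stale record, return an upgraded record to store.
    Login is the only moment the plaintext is available, so this is when rehashing happens."""
    if not verify_password(password, record):
        return False, record
    return True, hash_password(password) if needs_rehash(record) else record
```

The caller persists the returned record whenever it differs from the stored one; an unknown algorithm tag fails verification rather than falling back, so a record written by a different KDF must be handled by a matching verifier.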
Conclusion

SSOJet employs robust and industry-standard practices for password hashing and storage to ensure the security and integrity of user accounts. By using strong hashing algorithms, unique salts, encrypted storage, and following best practices, we provide a high level of protection against unauthorized access and attacks. Regular audits and updates ensure that our security measures remain effective and up-to-date with the latest advancements and threats.
For any security-related inquiries or to report a security incident, please contact our security team at:
Email: support@ssojet.com

This detailed document on password hashing and storage provides a comprehensive overview of the security measures and practices employed by SSOJet. It can be expanded or tailored based on specific organizational needs and security policies.
Modified at 2024-06-18 09:07:10