These docs are for AuthRocket 1.

AuthRocket Security Practices

Q: Can you tell me how AuthRocket provides better password security than simply rolling my own authentication?


A: Here are just some of the things we’ve done on our end (and in our experience, many of them are never implemented in roll-your-own scenarios):

  • All successful and failed logins, along with other user activity, are logged as events.
  • All events, including the above, can be sent to your app via Webhooks. You can use them for your own audit logging, analysis, or anything else you need.
  • It’s also possible to auto-send emails on user events. In higher-security situations, an email is sometimes triggered on login success. If the recipient receives such an email and didn’t personally just log in, they know immediately that something is wrong.
  • We use bcrypt for all user passwords.
  • Sensitive data is encrypted by the app servers before it’s even sent to the DBs to be stored. The DB servers are also separate from the app servers.
  • Everything is redundant, of course.
  • Logins are rate limited (at multiple intervals) to prevent brute force attacks.
  • Sessions can be forcefully logged out to prevent replay attacks.
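
To illustrate why login rate limiting uses multiple intervals, here is an added example (not AuthRocket's code): a sliding-window limiter in which a short window stops fast guessing and longer windows stop slow guessing that stays under the short limit. The window sizes, thresholds, class name and in-memory store are all assumptions made for the illustration.

```python
from collections import defaultdict, deque

# Assumed policy for illustration: (window in seconds, max failed logins per window).
ASSUMED_LIMITS = ((60, 5), (3600, 20), (86400, 50))


class LoginRateLimiter:
    """Sliding-window limiter that enforces several intervals at once."""

    def __init__(self, limits=ASSUMED_LIMITS):
        self.limits = tuple(sorted(limits))
        self.longest = self.limits[-1][0]
        # key (e.g. username or source IP) -> timestamps of failed logins.
        # In-memory only; a multi-server deployment needs a shared store.
        self.failures = defaultdict(deque)

    def record_failure(self, key, now):
        q = self.failures[key]
        q.append(now)
        # Drop timestamps that no window can still count.
        while q[0] <= now - self.longest:
            q.popleft()

    def retry_after(self, key, now):
        """Seconds until `key` may attempt a login again; 0 means allowed."""
        q = self.failures.get(key, ())
        wait = 0
        for window, max_failures in self.limits:
            recent = [t for t in q if t > now - window]
            if len(recent) >= max_failures:
                # Allowed again once the max_failures-th newest entry ages out.
                wait = max(wait, recent[-max_failures] + window - now)
        return wait


def simulate(limiter, key, step, attempts):
    """Constructed attack: one wrong password every `step` seconds.
    Returns how many guesses were evaluated before the limiter blocked."""
    for i in range(attempts):
        now = i * step
        if limiter.retry_after(key, now) > 0:
            return i
        limiter.record_failure(key, now)
    return attempts
```

With only the one-minute window, a guess every 15 seconds would never be blocked; the hourly and daily windows are what cap it.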
