AuthRocket Security Practices
Q: Can you tell me how AuthRocket provides better password security than simply rolling my own authentication?
A: Here are just some of the things we’ve done on our end (and in our experience, many of them are never implemented in roll-your-own scenarios):
- All successful and failed logins, along with other user activity, are logged as events.
- All events, including the above, can be sent to your app via Webhooks. You can use them for your own audit logging, analysis, or anything else you need.
- It’s also possible to auto-send emails on user events. Higher-security setups sometimes trigger an email on every successful login. The recipient knows immediately that something is wrong if they receive such an email and they didn’t personally just log in.
- We use bcrypt for all user passwords.
- Sensitive data is encrypted by the app servers before it’s even sent to the DBs to be stored. And, DB servers are separate from app servers.
- Everything is redundant, of course.
- Logins are rate limited (at multiple intervals) to prevent brute force attacks.
- Sessions can be forcibly logged out to prevent replay attacks.
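To make the event-logging, rate-limiting and forced-logout points above concrete, here is an added Python example (not AuthRocket's own code, and not a description of how their service is implemented) of a toy authentication service that records every login attempt as an event, limits failed logins over several time windows, and lets a session be revoked server-side so a replayed session id stops working. The rate-limit thresholds, event names, the fake clock and the sample user are all constructed for the example; password hashing uses the standard library's PBKDF2 only as a stand-in so the block runs offline, whereas the text above says the real service uses bcrypt.

```python
import hashlib
import hmac
import os
import time
from collections import deque

# Rate-limit windows at multiple intervals: (window in seconds, max failed attempts).
# These thresholds are assumed for the example, not AuthRocket's actual settings.
RATE_LIMITS = ((60, 3), (3600, 10))
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Stand-in for bcrypt using stdlib PBKDF2 so the example has no dependencies.
    A real service would use bcrypt (e.g. the `bcrypt` package), as the text says."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of the recomputed hash against the stored one."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class AuthService:
    """Toy authentication service: every login attempt becomes an event,
    failed logins are rate limited over several windows, and sessions can be
    revoked so a captured session id cannot be replayed."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable clock so tests are deterministic
        self.users = {}             # username -> (salt, digest)
        self.events = []            # audit log; a real service could push these via webhooks
        self.failures = {}          # username -> deque of failure timestamps
        self.sessions = {}          # session id -> username
        self._session_counter = 0

    def register(self, user, password):
        self.users[user] = hash_password(password)

    def _record(self, kind, user, **details):
        event = {"type": kind, "user": user, "at": self.clock(), **details}
        self.events.append(event)
        return event

    def is_rate_limited(self, user):
        """True if any window already holds its maximum number of failures."""
        now = self.clock()
        recent = self.failures.get(user, deque())
        longest = max(window for window, _ in RATE_LIMITS)
        # Drop failures older than the longest window so the deque stays small.
        while recent and now - recent[0] >= longest:
            recent.popleft()
        return any(
            sum(1 for t in recent if now - t < window) >= limit
            for window, limit in RATE_LIMITS
        )

    def login(self, user, password):
        """Returns a session id on success, None on failure or when rate limited."""
        if self.is_rate_limited(user):
            self._record("login.rate_limited", user)
            return None
        stored = self.users.get(user)
        if stored and verify_password(password, *stored):
            self.failures.pop(user, None)          # success clears the failure history
            self._session_counter += 1
            sid = f"sess-{self._session_counter}"  # constructed id; use a random token in practice
            self.sessions[sid] = user
            self._record("login.success", user, session=sid)
            return sid
        # Unknown users and wrong passwords are both counted as failures.
        self.failures.setdefault(user, deque()).append(self.clock())
        self._record("login.failure", user)
        return None

    def session_valid(self, sid):
        return sid in self.sessions

    def revoke_session(self, sid):
        """Server-side forced logout: the session id is useless afterwards."""
        user = self.sessions.pop(sid, None)
        if user is not None:
            self._record("session.revoked", user, session=sid)
        return user is not None


def demo():
    """Walks through failures, a rate-limited attempt, a success and a revocation."""
    clock = [1_000_000.0]                           # constructed fake clock
    svc = AuthService(clock=lambda: clock[0])
    svc.register("alice", "correct horse battery staple")
    for _ in range(3):                              # three failures fill the 60 s window
        svc.login("alice", "wrong")
        clock[0] += 1
    blocked = svc.login("alice", "correct horse battery staple")   # None: rate limited
    clock[0] += 61                                  # wait out the short window
    sid = svc.login("alice", "correct horse battery staple")
    valid_before = svc.session_valid(sid)
    svc.revoke_session(sid)
    return {
        "blocked": blocked,
        "session": sid,
        "valid_before": valid_before,
        "valid_after": svc.session_valid(sid),
        "event_types": [e["type"] for e in svc.events],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The event list that `demo()` returns is exactly what a webhook consumer or an alerting rule (such as the "email on every successful login" setup mentioned above) would work from; the rate limiter checks every window on each attempt, so a slow-and-steady attacker who stays under the one-minute limit still hits the one-hour one.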