These docs are for AuthRocket 1. Looking for AuthRocket 2 docs?

AuthRocket Security Practices

Q: Can you tell me how AuthRocket provides better password security than simply rolling my own authentication?

A: Here are just some of the things we’ve done on our end (and in our experience, many of them are never implemented in roll-your-own scenarios):

  • All successful and failed logins, along with other user activity, are logged as events.
  • All events, including the above, can be sent to your app via Webhooks. You can do your own audit logging, analysis, or whatever if wanted.
  • It’s also possible to auto-send emails on user events. Sometimes higher-security situations trigger an email on Login success. The recipient knows immediately that something is wrong if they receive such an email and they didn’t personally just login.
  • We use bcrypt for all user passwords.
  • Sensitive data is encrypted by the app servers before it’s even sent to the DBs to be stored. And, DB servers are separate from app servers.
  • Everything is redundant, of course.
  • Logins are rate limited (at multiple intervals) to prevent brute force attacks.
  • Sessions can be forcefully logged out to prevent replay attacks.

Tagged with: password security security practices

Questions? Find a Typo? Get in touch.