Password management
Supported algorithms
Safewhere Identify currently supports two password hashing algorithms:
- Bcrypt
- Argon2id
Although Argon2id is the more modern algorithm and the one recommended by OWASP, Bcrypt remains the default algorithm for backward compatibility reasons. However, we understand that security preferences may vary, so we offer the flexibility to choose between these two algorithms.
Algorithm switching
Safewhere Identify allows you to seamlessly switch between the supported algorithms, giving you the freedom to align your security strategy with evolving needs.
You can switch between Argon2id and Bcrypt as needed on the System Settings page of the Admin interface.
You can also control the cost factor associated with the Bcrypt algorithm. The default cost factor is set to 10. A higher cost factor results in slower processing but significantly enhances security. Adjusting the cost factor to higher values, such as 12 or 14, will lead to a noticeable increase in the time required for hashing and password verification. This represents a trade-off between security and processing speed.
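To put numbers on this trade-off, the following C# program measures hashing and verification time at cost factors 10, 12 and 14 on the host it runs on. It is an added example, not Safewhere Identify code: it assumes the BCrypt.Net-Next NuGet package, and the sample password and the 250 ms latency budget are constructed values.

```csharp
// Added example: assumes the BCrypt.Net-Next NuGet package (not Identify's own code).
using System;
using System.Diagnostics;
using System.Linq;

const string samplePassword = "constructed-sample-passphrase"; // constructed test value
const int runsPerCost = 5;
const double budgetMs = 250; // hypothetical per-login latency budget

int? highestWithinBudget = null;

// Bcrypt performs 2^cost key-setup rounds, so each +1 roughly doubles the time.
foreach (int cost in new[] { 10, 12, 14 })
{
    // Warm-up run so JIT compilation does not skew the first measurement.
    string hash = BCrypt.Net.BCrypt.HashPassword(samplePassword, cost);

    var hashMs = new double[runsPerCost];
    var verifyMs = new double[runsPerCost];
    for (int i = 0; i < runsPerCost; i++)
    {
        var sw = Stopwatch.StartNew();
        hash = BCrypt.Net.BCrypt.HashPassword(samplePassword, cost);
        hashMs[i] = sw.Elapsed.TotalMilliseconds;

        sw.Restart();
        bool ok = BCrypt.Net.BCrypt.Verify(samplePassword, hash);
        verifyMs[i] = sw.Elapsed.TotalMilliseconds;
        if (!ok) throw new InvalidOperationException("verification failed");
    }

    double medianVerify = Median(verifyMs);
    Console.WriteLine($"cost {cost}: hash {Median(hashMs):F0} ms, verify {medianVerify:F0} ms");

    // Costs are tested in ascending order, so the last one that fits is the highest.
    if (medianVerify <= budgetMs) highestWithinBudget = cost;
}

Console.WriteLine(highestWithinBudget is int best
    ? $"Highest tested cost within {budgetMs} ms: {best}"
    : $"No tested cost fits within {budgetMs} ms on this host");

static double Median(double[] values)
{
    var sorted = values.OrderBy(v => v).ToArray();
    int mid = sorted.Length / 2;
    return sorted.Length % 2 == 1 ? sorted[mid] : (sorted[mid - 1] + sorted[mid]) / 2;
}
```

Run it on hardware comparable to the production server, since the timings depend on the CPU that performs the hashing.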
Password length restriction
Safewhere Identify enforces a password length restriction to enhance security and maintain system efficiency. As part of our security measures, we have set a maximum limit for password length at 1000 characters. This restriction is in place to strike a balance between security and practical usability. When a user enters a password with a length exceeding 1000 characters, Identify will return an error message: "The entered password, with a length of {password.Length}, exceeds the maximum allowed length. Please contact your system administrators to reset the password."