Password security for Email/Password users

Martin_Bradstreet · August 11, 2020, 8:32pm

MongoDB Realm’s SDKs provide the ability to register users using an email and password.

However I can’t find anything in the documentation describing how passwords are stored. What hashing scheme is used? Are passwords salted?

The only information I can find is “the password must be between 6 and 128 characters”. Are there are restrictions on characters used? Are passwords expired?

I’d like to know as much as possible so I can assess the security of private user data.

Sumedha_Mehta1 · August 12, 2020, 2:33pm

Hi Martin,

Are there are restrictions on characters used?

No, but you can enforce on the client.

Are passwords expired?

No, they are not by default. This is logic you will have to implement yourself.

Are passwords salted and hashed?

Yes they are salted and hashed with SHA256.

Hope that helps!

Martin_Bradstreet · August 12, 2020, 8:05pm

Yes that’s very helpful. Thank you.

David_N_A · September 26, 2020, 10:23pm

What about password format validation? I’m able to register users with a password 123456 which is a big security issue.