Intrro employs industry-standard techniques for password management, encryption, storage, complexity, and reset.
Encryption and storage
The Intrro web application user authentication system uses Bcrypt to hash and salt user passwords. Each password has a uniquely generated salt, and the 'pepper' is stored independently from the database.
The Intrro web application enforces a strong password complexity standard and require user passwords to have at least:
- 12 characters
- 1 lower case character
- 1 upper case character
- 1 number
- 1 special character
Failed login attempts
The Intrro web application prevents brute force attacks (for password based authentication) by locking the targeted user account after 5 failed attempts. A notification email is sent to the user that includes a link that can be used to unlock the account.
In the event that a user forgets their password, a user can request their password be reset via a link that is sent to the user's verified email address. This link expires within a limited amount of time if not used.
Intrro encourages customers and users to leverage a password manager to maintain, store, and fill strong passwords when using Intrro.