Appwrite helps you implement secure authentication in your applications by using advanced password hashing to protect passwords in storage. Appwrite also provides tools to help users pick better passwords, making them harder to break.
Password history
Password history prevents users from reusing recent passwords. This protects user accounts from security risks by enforcing a new password every time it's changed.
Password history can be enabled in the Auth service's Security tab on the Appwrite Console. You can choose how many previous passwords to remember, up to a maximum of 20, and block users from reusing them.
Password dictionary
Password dictionary protects users from using bad passwords. It compares the user's password to the 10,000 most common passwords and throws an error if there's a match. Together with rate limits, password dictionary will significantly reduce the chance of a malicious actor guessing user passwords.
Password dictionary can be enabled in the Auth service's Security tab on the Appwrite Console.
Password hashing
Appwrite protects passwords by using the Argon2 password-hashing algorithm.
Argon 2 is a resilient and secure password hashing algorithm that is also the winner of the Password Hashing Competition.
Appwrite combines Argon 2 with the use of techniques such as salting, adjustable work factors, and memory hardness to securely handle passwords.
If an user is imported into Appwrite with hash differnt than Argon2, the password will be re-hashed on first successful user's sign in. This ensures all passwords are stored as securely as possible.
Personal data
Encourage passwords that are hard to guess by disallowing users to pick passwords that contain personal data. Personal data includes the user's name, email, and phone number.
Disallowing personal data can be enabled in the Auth service's Security tab on the Appwrite Console.
Session alerts
Enable email alerts for your users so that whenever another session is created for their account, they will be alerted to the new session.
You won't receive notifications when logging in using Magic URL, Email OTP, or OAuth2 since these authentication methods already verify user access to their systems, establishing the authentication's legitimacy.
To toggle session alerts, navigate to Auth > Security > Session alerts.