Q: Can you tell me how AuthRocket provides better password security than simply rolling my own authentication?
A: Here are just some of the things we’ve done on our end (and in our experience, many of them are never implemented in roll-your-own scenarios):
All successful and failed logins, along with other user activity, are logged as events.
All events, including the above, can be sent to your app via Webhooks. You can do your own audit logging, analysis, or whatever else you want.
It’s also possible to auto-send emails on user events. Sometimes higher-security situations trigger an email on Login success. The recipient knows immediately that something is wrong if they receive such an email and they didn’t personally just log in.
We use bcrypt for all user passwords.
Sensitive data is encrypted by the app servers before it’s even sent to the DBs to be stored. And, DB servers are separate from app servers.
Everything is redundant, of course.
Logins are rate limited (at multiple intervals) to prevent brute force attacks.
Sessions can be forcefully logged out to prevent replay attacks.
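The answer above lists controls that a roll-your-own login usually lacks. The following added example (written for this page, not AuthRocket's code) shows what three of them look like together in a single in-memory login service: failed and successful logins are recorded as events (the feed a webhook would deliver), failures are rate limited at multiple intervals, and sessions can be forcibly revoked so that a stolen token cannot be replayed. Assumptions: the page says AuthRocket uses bcrypt; this example hashes with `hashlib.scrypt` from the Python standard library so it runs without third-party packages (swap in the `bcrypt` package in real code). The limit windows (`LIMITS`), the per-IP-plus-username key, the event names, and the sample credentials and IP are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

# Assumed limits, not AuthRocket's actual values: (window_seconds, max_failures).
# Checking several windows catches both fast bursts and slow, patient guessing.
LIMITS = ((60, 5), (3600, 20), (86400, 50))
DUMMY_SALT = b"\x00" * 16     # used for unknown users so hashing cost is constant
DUMMY_HASH = b"\x00" * 64     # never matches a real scrypt output


class AuthStore:
    """Minimal password store with event log, multi-window rate limit and revocation."""

    def __init__(self, clock=time.time):
        self.clock = clock                      # injectable for tests
        self.users = {}                         # username -> (salt, hash)
        self.failures = defaultdict(deque)      # "ip:username" -> failure timestamps
        self.sessions = {}                      # session token -> username
        self.events = []                        # audit trail; a webhook would ship these

    @staticmethod
    def _hash(password, salt):
        # scrypt stands in for bcrypt here (stdlib only); both are slow, salted hashes.
        return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

    def _log(self, kind, username, **extra):
        self.events.append({"ts": self.clock(), "event": kind, "user": username, **extra})

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._hash(password, salt))
        self._log("user.created", username)

    def _rate_limited(self, key):
        now = self.clock()
        q = self.failures[key]
        longest = max(w for w, _ in LIMITS)
        while q and now - q[0] > longest:       # drop failures outside every window
            q.popleft()
        for window, cap in LIMITS:
            if sum(1 for t in q if now - t <= window) >= cap:
                return True
        return False

    def login(self, username, password, ip):
        key = f"{ip}:{username}"
        if self._rate_limited(key):
            # Refuse before touching the password so a correct guess is also blocked.
            self._log("login.rate_limited", username, ip=ip)
            return None
        rec = self.users.get(username)
        salt, stored = rec if rec else (DUMMY_SALT, DUMMY_HASH)
        # Always hash, and compare in constant time, to avoid timing-based user enumeration.
        ok = hmac.compare_digest(self._hash(password, salt), stored) and rec is not None
        if not ok:
            self.failures[key].append(self.clock())
            self._log("login.failure", username, ip=ip)
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        self._log("login.success", username, ip=ip)
        return token

    def authenticate(self, token):
        """Return the username for a live session token, or None if unknown/revoked."""
        return self.sessions.get(token)

    def revoke(self, token):
        user = self.sessions.pop(token, None)
        if user:
            self._log("session.revoked", user)

    def revoke_all(self, username):
        """Force-logout every session of a user, e.g. after a suspicious login email."""
        for tok in [t for t, u in self.sessions.items() if u == username]:
            self.revoke(tok)


if __name__ == "__main__":
    store = AuthStore()
    store.register("alice", "correct horse battery staple")      # constructed sample
    for _ in range(6):
        store.login("alice", "wrong", "203.0.113.5")              # constructed attacker IP
    tok = store.login("alice", "correct horse battery staple", "203.0.113.5")
    print("login while limited:", tok)                            # None: limit applies
    store.revoke_all("alice")
    for ev in store.events:
        print(ev["event"], ev["user"])
```

Two details matter in practice: the limit is checked before the password so that a correct guess arriving after the cap is also rejected, and the event list is exactly the data you would push to a webhook or turn into a "new login" email; `revoke_all` is the server-side half of that email, letting the real user invalidate whatever session the attacker obtained.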