Showing revision #9f367ce5 of page security_faq


Security: Frequently Asked Questions

### How are passwords stored?

Passwords are hashed using the [bcrypt](https://en.wikipedia.org/wiki/Bcrypt) algorithm. It incorporates a randomly generated salt and is costly to brute-force, making it ideal for secure password hashing.

Internally, Raddit uses Symfony's [`BCryptPasswordEncoder` class](https://github.com/symfony/symfony/blob/3.3/src/Symfony/Component/Security/Core/Encoder/BCryptPasswordEncoder.php), which in turn uses PHP's [`password_hash()`](https://secure.php.net/manual/en/function.password-hash.php) to perform the actual hashing.

### Why is there a maximum password length?

Due to a limitation of the Blowfish cipher used by bcrypt, the maximum password length is 72 bytes. This limitation hasn't stopped OpenBSD from adopting bcrypt, so it's probably good enough for us, too.
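The scheme described in these two answers, as an added example in PHP (not Raddit's or Symfony's code): it uses the `password_hash()`/`password_verify()` functions named above and refuses anything over 72 bytes before hashing, so a long or multibyte password is rejected rather than silently truncated. The cost value, the helper names and the sample passwords are assumptions.

```php
<?php
// Added example, not Raddit's own code: hash and verify passwords with PHP's
// password_hash()/password_verify() while enforcing bcrypt's 72-byte limit up front.
declare(strict_types=1);

const BCRYPT_MAX_BYTES = 72;
const BCRYPT_COST = 12; // assumed work factor; raise it as hardware gets faster

// Returns a bcrypt hash, or throws if bcrypt would silently truncate the input.
// The limit is in bytes (strlen), not characters: a multibyte UTF-8 password
// can pass 72 bytes with far fewer than 72 characters.
function hashPassword(string $password): string
{
    if (strlen($password) > BCRYPT_MAX_BYTES) {
        throw new InvalidArgumentException(
            sprintf('password exceeds %d bytes; bcrypt would truncate it', BCRYPT_MAX_BYTES)
        );
    }
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function verifyPassword(string $password, string $hash): bool
{
    return password_verify($password, $hash);
}

function tryHash(string $label, string $password): void
{
    try {
        hashPassword($password);
        printf("%s: accepted (%d bytes)\n", $label, strlen($password));
    } catch (InvalidArgumentException $e) {
        printf("%s: rejected (%s)\n", $label, $e->getMessage());
    }
}

// Constructed sample password; two hashes of it differ because each embeds its own random salt.
$secret = 'correct horse battery staple';
$hash = hashPassword($secret);
printf("hash:           %s\n", $hash);
printf("verify correct: %s\n", var_export(verifyPassword($secret, $hash), true));
printf("verify wrong:   %s\n", var_export(verifyPassword('Correct horse battery staple', $hash), true));
printf("salts differ:   %s\n", var_export($hash !== hashPassword($secret), true));

// Exactly 72 ASCII bytes is the last accepted length; 73 is refused.
tryHash('72 x a', str_repeat('a', 72));
tryHash('73 x a', str_repeat('a', 73));
// 24 lock emoji are only 24 characters but 96 bytes, so they are refused as well.
tryHash('24 emoji', str_repeat("\u{1F512}", 24));
```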

### Are logins rate limited?

No. Rate limiting was planned for a while, but those plans were scrapped when we opened a Tor hidden service. Every user who accesses the site through Tor appears to have the IP address `127.0.0.1`, making it impossible to identify individual troublemakers. We could rate limit non-Tor IP addresses, of course, but this would only give a false sense of security and wouldn't accomplish much while the hidden service is wide open to anyone who wants to try brute-forcing passwords.

To offset the lack of rate limiting, you should choose a secure password.

### Is two-factor authentication available?

~~Yes. Enable it in My Account.~~

No. It was buggy, so we've restricted it to admins only for the time being.