Passwords
By default, applications have password authentication enabled, allowing users to log in using a password of their choice.
To avoid the spread of password quality misinformation, the only Authwave password complexity requirement that can be configured is the "minimum strength" option, which defaults to "low". The following rules apply to all Authwave applications that allow password authentication:
- Passwords must be at least 8 characters in length.
- Passwords must be at most 128 characters in length.
- Passwords can include any characters, including whitespace and unicode characters such as emoji, symbols and format characters.
- Passwords must meet a strength requirement, configured by the application.
Every password is given a strength score between 0 (completely insecure) and 4 (strong). All application passwords must score at least 1 (the "low" default), but application administrators can raise the minimum strength their application requires.
Strength is calculated from many factors, including comparison against dictionary words, known breach corpora, common sequences, dates, names and so on. Rather than showing the user only a label such as "weak" or "strong", display tangible advice, for example: "Your password strength is fair. To increase its strength, try using a multi-word phrase."
Calculating password strength and offering feedback to the user can be handled by Authwave's Password Strength as a Service https://github.com/Authwave/password-strength .
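The four rules and the scoring approach above, as an added example that is not Authwave's code (the Password Strength service linked above is the project's own implementation). The word lists and sequences embedded here are constructed stand-ins for the dictionary, breach and sequence data a real scorer would load, and the entropy-minus-penalties heuristic is illustrative; the names `score_password`, `validate_password` and `Strength` are assumptions. Length is counted in characters, so whitespace and emoji count as one each, as the rules require:

```python
import math
import re
from dataclasses import dataclass

MIN_LENGTH = 8
MAX_LENGTH = 128

# Constructed stand-ins for the data a real scorer loads (breach and common-password
# lists, dictionaries, keyboard sequences). Illustrative only, not Authwave's data.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein",
                    "iloveyou", "welcome1", "password1"}
DICTIONARY_WORDS = {"summer", "dragon", "monkey", "football", "correct", "horse",
                    "battery", "staple", "purple", "london", "admin"}
SEQUENCES = ["abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl", "zxcvbnm",
             "0123456789"]
LABELS = ["very weak", "weak", "fair", "good", "strong"]


@dataclass
class Strength:
    score: int    # 0 (completely insecure) .. 4 (strong)
    advice: str   # tangible advice for the user, not just a label


def _charset_size(pw: str) -> int:
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += 10
    if re.search(r"[^A-Za-z0-9]", pw): size += 33   # symbols, whitespace, emoji, ...
    return max(size, 1)


def _weaknesses(pw: str) -> list:
    """(advice, bit penalty) for patterns an attacker tries before brute force."""
    lowered = pw.lower()
    letters = re.sub(r"[^a-z]", "", lowered)
    found = []
    if lowered in COMMON_PASSWORDS or letters in COMMON_PASSWORDS:
        found.append(("choose something that is not on lists of the most common passwords", 999))
    if letters in DICTIONARY_WORDS:
        found.append(("try using a multi-word phrase rather than a single dictionary word", 20))
    else:
        for word in sorted(DICTIONARY_WORDS):
            if word in lowered:
                found.append((f"avoid predictable words such as '{word}'", 8))
                break
    if any(cand[i:i + 4] in lowered for seq in SEQUENCES
           for cand in (seq, seq[::-1]) for i in range(len(cand) - 3)):
        found.append(("avoid keyboard and alphabet sequences such as 'qwer' or '1234'", 12))
    if re.search(r"(19|20)\d{2}|\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}", pw):
        found.append(("avoid years and dates, which attackers guess early", 10))
    if re.search(r"(.)\1{2,}", pw):
        found.append(("avoid repeating the same character several times", 8))
    return found


def score_password(pw: str) -> Strength:
    """Score 0..4 from a crude entropy estimate minus penalties, with actionable advice."""
    weaknesses = _weaknesses(pw)
    bits = len(pw) * math.log2(_charset_size(pw)) - sum(p for _, p in weaknesses)
    score = sum(bits >= t for t in (28, 42, 56, 72))
    if score == 4:
        return Strength(4, "Your password strength is strong.")
    hint = weaknesses[0][0] if weaknesses else "try a longer passphrase; length helps more than symbols"
    return Strength(score, f"Your password strength is {LABELS[score]}. To increase its strength, {hint}.")


def validate_password(pw: str, min_strength: int = 1) -> tuple:
    """Apply the four rules. min_strength is the application's configured minimum (default 1)."""
    # len() counts Unicode code points, so "\U0001F510" * 8 is 8 characters; the rule
    # is about characters, not bytes. (Multi-code-point emoji count more than once.)
    if len(pw) < MIN_LENGTH:
        return False, f"Passwords must be at least {MIN_LENGTH} characters in length."
    if len(pw) > MAX_LENGTH:
        return False, f"Passwords must be at most {MAX_LENGTH} characters in length."
    strength = score_password(pw)
    return strength.score >= min_strength, strength.advice
```

With these constructed lists, `summer2019` scores 0 and the advice returned is to use a multi-word phrase; `correct horse battery staple` scores 4 despite containing dictionary words, because length dominates. One storage caveat for any implementation of the 128-character rule: 128 non-ASCII characters can exceed 72 bytes, so a backend that hashes with bcrypt would silently truncate them; argon2 or a pre-hash step avoids that.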
Authentication through the Authwave provider treats the email address that identifies the user as the single source of truth about that user. If a user forgets their password, they can request a new one. This is done securely by sending the user an email with instructions on how to reset their password, along with a confirmation code. The code must be entered into the Provider's security check screen, so that a malicious user cannot reset the password of an account they do not own. Once the code is entered, a new password can be chosen.
If a password is entered that does not match the account, an email is sent immediately to the account's address explaining that a new password has been entered, along with a confirmation code, and the Provider's security check screen instructs the user to check their email. The same screen is shown when no account exists for the address, so the response does not reveal whether the account exists. At this point, a user who realises they mistyped can go back and try again with their correct password; a user who meant to change it can follow the instructions in the email to set their password to the one just entered.
In all cases, the following two rules are strictly adhered to:
- Knowledge of whether or not an account exists for the provided email address must not be disclosed through the web interface.
- No knowledge can be gained, and no data can be set, until receipt of the security email is confirmed by entering the code it carries.
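The reset and wrong-password flows above, together with the two rules, as an added example that is not Authwave's code. The class and method names (`Provider`, `request_password_reset`, `login`, `confirm`), the in-memory stores, the "outbox" standing in for the mailer, the PBKDF2 hasher and the six-digit code with a fifteen-minute lifetime are all assumptions made for illustration:

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

# Illustrative names and in-memory stores, not Authwave's API or storage. The outbox is a
# list so the emailed code can be inspected here; a real provider never exposes it.
CODE_TTL_SECONDS = 15 * 60
MAX_CODE_ATTEMPTS = 5
GENERIC_RESPONSE = "Check your email for a security code to continue."
OK = "OK"
PBKDF2_ROUNDS = 100_000   # stand-in work factor; use the project's real password hasher


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    salt = salt or secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS), digest)


DUMMY_HASH = hash_password(secrets.token_hex(16))   # verified for unknown emails so timing matches


@dataclass
class Pending:
    code_hash: bytes                  # only a hash of the emailed code is stored server-side
    expires_at: float
    candidate_hash: Optional[bytes]   # wrong-password flow: the typed password, hashed; None for a reset
    attempts_left: int = MAX_CODE_ATTEMPTS


@dataclass
class Provider:
    accounts: dict = field(default_factory=dict)   # email -> password hash
    pending: dict = field(default_factory=dict)    # email -> Pending (at most one per account)
    outbox: list = field(default_factory=list)     # (email, code) handed to the mailer
    now: Callable[[], float] = time.time           # injectable clock

    def _email_code(self, email: str, candidate_hash: Optional[bytes]) -> None:
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[email] = Pending(hashlib.sha256(code.encode()).digest(),
                                      self.now() + CODE_TTL_SECONDS, candidate_hash)
        self.outbox.append((email, code))

    def request_password_reset(self, email: str) -> str:
        # Rule 1: identical response whether or not the account exists; mail only for real ones.
        if email in self.accounts:
            self._email_code(email, None)
        return GENERIC_RESPONSE

    def login(self, email: str, password: str) -> str:
        stored = self.accounts.get(email)
        if verify_password(password, DUMMY_HASH if stored is None else stored) and stored is not None:
            return OK
        if stored is not None:   # wrong password: let the inbox owner adopt what was just typed
            self._email_code(email, hash_password(password))
        return GENERIC_RESPONSE

    def confirm(self, email: str, code: str, new_password: Optional[str] = None) -> bool:
        """Security check screen. Rule 2: nothing is set until the emailed code is presented."""
        p = self.pending.get(email)
        if p is None:
            return False
        if self.now() > p.expires_at or p.attempts_left <= 0:
            del self.pending[email]
            return False
        p.attempts_left -= 1   # bounds guessing of the six-digit code
        if not hmac.compare_digest(hashlib.sha256(code.encode()).digest(), p.code_hash):
            return False
        if p.candidate_hash is None and new_password is None:
            return False       # reset flow: a new password must be chosen now
        del self.pending[email]   # single use
        # In the reset flow the application's password rules apply to new_password here.
        self.accounts[email] = p.candidate_hash if p.candidate_hash is not None else hash_password(new_password)
        return True


def demo() -> dict:
    """Walk both flows on a constructed account; every value should be True."""
    clock = [1_700_000_000.0]
    p = Provider(now=lambda: clock[0])
    alice, out = "alice@example.com", {}
    p.accounts[alice] = hash_password("correct horse battery staple")
    out["reset_same"] = p.request_password_reset(alice) == p.request_password_reset("nobody@example.com")
    out["login_same"] = p.login(alice, "wrong guess") == p.login("nobody@example.com", "wrong guess")
    out["mail_only_to_real"] = all(e == alice for e, _ in p.outbox)
    _, code = p.outbox[-1]   # code from alice's wrong-password login
    bad = "000000" if code != "000000" else "111111"
    out["bad_code_rejected"] = not p.confirm(alice, bad)
    out["still_old_password"] = p.login(alice, "correct horse battery staple") == OK
    out["adopt_typed_password"] = p.confirm(alice, code) and p.login(alice, "wrong guess") == OK
    out["single_use"] = not p.confirm(alice, code)
    p.request_password_reset(alice); _, code = p.outbox[-1]
    out["reset_sets_new"] = p.confirm(alice, code, "a brand new passphrase") and p.login(alice, "a brand new passphrase") == OK
    p.request_password_reset(alice); _, code = p.outbox[-1]
    clock[0] += CODE_TTL_SECONDS + 1
    out["expired_rejected"] = not p.confirm(alice, code, "another passphrase")
    return out
```

Two design points worth keeping whatever the real implementation looks like: the wrong-password flow has to retain the typed password somewhere until the code is confirmed, and it should be retained only as a salted hash, exactly as a stored credential would be; and a short numeric code is only safe with an attempt limit, an expiry and single use, otherwise the "no data can be set without the email" rule can be defeated by guessing. Keeping one pending entry per account (a new request overwrites the old) also means repeated wrong logins cannot accumulate valid codes.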