Operational Documentation - VilnaCRM-Org/user-service GitHub Wiki

This document outlines the operational security practices adopted by our team to ensure the integrity and confidentiality of the data managed by the User Service. Our commitment to security involves a comprehensive approach, addressing potential vulnerabilities and protecting our users' information.

Security Practices

Sensitive Data Handling

Passwords

Passwords are hashed using the bcrypt hashing algorithm provided by the Symfony Security Bundle, which is known for its resistance to brute-force attacks and adaptive cost, making it suitable for securely storing passwords.

Bcrypt offers strong cryptographic durability, balancing between security and performance. Its adaptive cost factor determines the computational effort required for hashing, providing resistance against brute-force attacks while maintaining efficient performance.

You can find our config for it here.

The password hashing cost is configurable via the .env file, with the PASSWORD_HASHING_COST value, which currently equals 15.

Confirmation Tokens

Confirmation tokens are used to confirm the user's email address. They are generated by transforming random bytes into a hexadecimal representation, which ensures that the token is composed of safe characters for storage and transmission. Confirmation tokens are only stored for a limited time, which is currently 1 hour.

The length of Confirmation Tokens is configurable via the .env file, with the CONFIRMATION_TOKEN_LENGTH value, which currently equals 10.

You can find our config for it here.
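The two mechanisms described above (bcrypt hashing with a configurable cost, and hex-encoded random confirmation tokens with a 1-hour lifetime), as an added PHP example that is not the project's own code. Function names are hypothetical; the only values taken from this page are the PASSWORD_HASHING_COST and CONFIRMATION_TOKEN_LENGTH variables and their current settings, and the example assumes CONFIRMATION_TOKEN_LENGTH counts random bytes rather than hex characters.

```php
<?php
declare(strict_types=1);

// Added example, not the project's code. Assumes PHP >= 8.0; the .env values are
// read with defaults matching the page (cost 15, token length 10).

// bcrypt accepts cost factors 4..31; clamp whatever the environment provides.
function passwordHashingCost(): int
{
    $cost = (int) (getenv('PASSWORD_HASHING_COST') ?: 15);
    return max(4, min(31, $cost));
}

// password_hash() is the primitive Symfony's bcrypt hasher builds on: it draws a
// random salt and embeds salt, cost and hash in the returned string.
function hashPassword(string $plain): string
{
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => passwordHashingCost()]);
}

// Verify, and also report whether the stored hash used an older cost, so the caller
// can rehash after a successful login: raising PASSWORD_HASHING_COST in .env does not
// upgrade hashes that are already stored.
function verifyPassword(string $plain, string $hash): array
{
    $ok = password_verify($plain, $hash);
    $stale = $ok && password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => passwordHashingCost()]);
    return ['valid' => $ok, 'needs_rehash' => $stale];
}

// Confirmation token: CSPRNG bytes rendered as hex, so only [0-9a-f] ever reaches
// storage or a URL. With a byte length of 10 the token is 20 hex characters.
function generateConfirmationToken(): string
{
    $length = (int) (getenv('CONFIRMATION_TOKEN_LENGTH') ?: 10);
    return bin2hex(random_bytes($length));
}

// A token is accepted only inside the 1-hour window and only on an exact match;
// hash_equals() compares in constant time so timing does not leak the stored value.
function confirmationTokenIsValid(string $stored, int $issuedAt, string $presented, int $now): bool
{
    return ($now - $issuedAt) <= 3600 && hash_equals($stored, $presented);
}

$hash = hashPassword('correct horse battery staple');
var_dump(verifyPassword('correct horse battery staple', $hash));
$token = generateConfirmationToken();
// Same token presented two hours after issue, i.e. outside the 1-hour window.
var_dump(confirmationTokenIsValid($token, time() - 7200, $token, time()));
```

At cost 15 each bcrypt computation takes on the order of seconds on ordinary hardware, so the demo is deliberately slow; bcrypt also only considers the first 72 bytes of the password, which is worth enforcing as a maximum length at the API boundary.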

Learn more about Security Documentation