| | 849 | == Password Security |
| | 850 | Passwords must never be stored as plaintext in the database. Instead, ChapterX runs every password through BCrypt (via the BCrypt.Net library) before it is saved; BCrypt generates a random per-password salt and embeds both the salt and the cost parameter in the hash string it returns, so nothing beyond that single string needs to be stored.
| | 851 | The listing below passes no cost argument, so the hash uses the BCrypt.Net library default work factor (11 at the time of writing). A work factor of 11 means 2^11 = 2048 key-expansion iterations, not 11 rounds; this is what makes offline brute-force attacks computationally expensive. Two caveats for maintainers: because the cost is inherited from the library rather than pinned in code, a library upgrade could silently change it, so consider passing it explicitly and re-hashing on successful login when a stored hash carries a lower cost than the current target; and BCrypt only processes the first 72 bytes of the input, so any password-length policy should take that into account.
| | 852 | {{{ |
| | 853 | var user = new Domain.Entities.User
| | 854 | {
| | 855 | Username = request.Username,
| | 856 | Email = request.Email,
| | 857 | Password = BCrypt.Net.BCrypt.HashPassword(request.Password), // no cost argument: the library default work factor is used; the per-password random salt and the cost are embedded in the returned string. NOTE(review): consider pinning the cost explicitly so a library upgrade cannot change it silently
| | 858 | ...
| | 859 | };
| | 860 | }}} |
| | 861 | At login, the submitted password is verified against the stored hash without ever reconstructing the original: Verify re-hashes the submitted value using the salt and cost embedded in the stored hash string and compares the result. The failure message is deliberately generic so that a response does not reveal whether the email address exists; the user-not-found path (not shown here) should fail with the same message and, ideally, still perform a Verify against a dummy hash so that response timing does not leak account existence either.
| | 862 | {{{ |
| | 863 | if (!BCrypt.Net.BCrypt.Verify(request.Password, user.Password)) // re-hashes request.Password with the salt and cost carried in user.Password and compares; the plaintext is never recovered
| | 864 | throw new UnauthorizedAccessException("Invalid email or password."); // deliberately generic: must not reveal whether the email exists — the user-not-found path (outside this listing) should fail the same way
| | 865 | }}} |