How are Passwords and Authentication Secured?
Resgrid uses two systems to control access to the application:
- Microsoft's ASP.NET Core Identity Framework
- OpenIddict
Microsoft Identity Framework
This framework (https://github.com/dotnet/AspNetCore/tree/main/src/Identity) is used to store and manage user accounts in the Resgrid system, from account creation to supplying and updating your password or recovering your account. Passwords (as of 2024) are hashed with PBKDF2 using HMAC-SHA256, a 128-bit salt, a 256-bit subkey and 1000 iterations. Passwords are stored in the database hashed with the salt value; the subkey is only supplied via in-memory mechanisms and is never stored with the database or data.
Note: Passwords may be sent via email as plain text. The operations that can send passwords via email are: Registrations, Reset Password and Admin (Group or Department) Change Password Flows, if the 'notify user' checkbox is checked. It's recommended that you change your password from your Profile screen after successfully logging in with the emailed password. The underlying password is still stored hashed.
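The hashing parameters listed in this section, as an added Python example that is not Resgrid's or ASP.NET Core Identity's own code: it derives a key with PBKDF2-HMAC-SHA256 from those values, verifies a login in constant time, and goes one step beyond the article by flagging records whose stored iteration count is below a target. The record layout, `MAX_ITERATIONS` and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

# Parameters as stated in the article.
SALT_BYTES = 16      # 128-bit salt
SUBKEY_BYTES = 32    # 256-bit subkey
ITERATIONS = 1000    # iteration count given in the article
MAX_ITERATIONS = 10_000_000  # assumed sanity cap so a corrupt record cannot stall verification
RECORD_BYTES = 4 + SALT_BYTES + SUBKEY_BYTES


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2 with HMAC-SHA256, producing a SUBKEY_BYTES-long derived key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=SUBKEY_BYTES)


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> bytes:
    """Build a record in a constructed layout: iterations (uint32 BE) || salt || derived key."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    if len(salt) != SALT_BYTES or not 1 <= iterations <= MAX_ITERATIONS:
        raise ValueError("bad salt length or iteration count")
    return struct.pack(">I", iterations) + salt + _derive(password, salt, iterations)


def verify_password(password: str, record: bytes,
                    target_iterations: int = ITERATIONS) -> Tuple[bool, bool]:
    """Return (ok, needs_rehash). needs_rehash is set only after a successful
    check, when the record was made with fewer iterations than the target."""
    if len(record) != RECORD_BYTES:
        return False, False
    (iterations,) = struct.unpack(">I", record[:4])
    if not 1 <= iterations <= MAX_ITERATIONS:
        return False, False
    salt, expected = record[4:4 + SALT_BYTES], record[4 + SALT_BYTES:]
    # compare_digest runs in constant time, so timing does not leak a partial match.
    ok = hmac.compare_digest(_derive(password, salt, iterations), expected)
    return ok, ok and iterations < target_iterations


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")  # constructed sample password
    print(verify_password("correct horse battery staple", rec))        # (True, False)
    print(verify_password("wrong guess", rec))                         # (False, False)
    print(verify_password("correct horse battery staple", rec, 5000))  # (True, True)
```

Because the iteration count travels with each record, a successful login that returns `needs_rehash` can re-hash the just-verified password at the higher count without forcing a reset.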
OpenIddict
This framework (https://github.com/openiddict/openiddict-core) is used to enable OpenID Connect client, server and token validation schemes in the Resgrid system. After you authenticate with the Resgrid system via your Username and Password, you will be assigned some tokens (auth, refresh, JWT) that will be used to validate operations during your session. This allows applications (like the Resgrid Responder app) to stay logged in for a long period of time without having to prompt for your login every session, and also allows the app to never store your login credentials (username or password).