GoToSocial/docs/user_guide/password_management.md
tobi 107685e22e
User password change (#280)
* start passwordChangeHandler

* add user scope

* add user module / api path

* add password change request

* make comment clearer

* add user to processor

* required true

* add processor call to handler

* don't pass tc or channel

* change password func + tests

* add some first docs about password management

* update swagger docs

* add api tests

* go fmt

* test fixes
2021-10-14 14:26:04 +02:00

1.3 KiB

Password Management

GoToSocial stores hashes of user passwords in its database using the secure bcrypt function in the Go standard libraries.

This means that the plaintext value of your password is safe even if the database of your GoToSocial instance is compromised. It also means that your instance admin does not have access to your password.

To check whether a password is sufficiently secure before accepting it, GoToSocial uses this library with entropy set to 60. This means that passwords like password are rejected, but something like verylongandsecurepasswordhahaha would be accepted, even without special characters/upper+lowercase etc.

We recommend following the EFF's guidelines on creating strong passwords.

Change Your Password

API method

If you are logged in (ie., you have a valid oauth token), you can change your password by making a POST request to /api/v1/user/password_change, using your token as authentication, and giving your old password and desired new password as parameters. Check the API documentation for more details.

Reset Your Password

todo