Project:Infrastructure/Server-side password policy

This page provides information on using password authentication in Gentoo services.

Requirements
When deploying services using password authentication to Gentoo users, please:
 * Do not ever send or display the user's password.
 * When implementing password recovery, use a temporary token (single-use and short-lived) that requires the user to set a new password immediately; never send the existing password or a new one chosen by the service.
 * Do not store passwords directly. Instead, store the output of a salted key derivation function (Argon2, PBKDF2, or at least a strong salted hash) and compare it in constant time at login.
 * Prefer challenge-response authentication methods to avoid sending the password directly (e.g. SCRAM).
 * Always require TLS (or a similar method enforcing encryption and server authentication) when performing authentication.
 * When authentication has to happen over an unencrypted channel, challenge-response methods are required.
 * Provide two-factor authentication support.
 * If the service is expected to be used via scripts, provide API key support.
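The following is an added example, not code from Gentoo infrastructure, showing how the storage, recovery and API-key requirements above fit together in one small Python module. It assumes a hypothetical in-memory store (`users`, `recovery_tokens`, `api_keys`) standing in for a database, PBKDF2-HMAC-SHA256 from the standard library as the key derivation function (Argon2 is preferable where a library for it is available), and assumed parameters of 600000 iterations, a 16-byte random salt and a 15-minute token lifetime. Recovery tokens and API keys are stored only as SHA-256 digests, so a leaked table cannot be used to reset passwords or call the API.

```python
import hashlib
import hmac
import secrets
import time

# Assumed parameters (not from the page): PBKDF2-HMAC-SHA256 work factor,
# salt length and recovery-token lifetime.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
TOKEN_TTL_SECONDS = 15 * 60

# Hypothetical in-memory store standing in for a database.
users = {}            # username -> {"salt": bytes, "hash": bytes, "iterations": int}
recovery_tokens = {}  # sha256(token) hex -> {"user": str, "expires": float}
api_keys = {}         # sha256(key) hex -> username

# Fixed dummy salt so lookups of unknown users still do a full derivation
# (avoids a timing oracle on whether a username exists).
_DUMMY_SALT = b"\x00" * SALT_BYTES


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Derive a salted PBKDF2 record; the plaintext password is never stored."""
    salt = salt if salt is not None else secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "hash": digest, "iterations": iterations}


def set_password(username, password):
    users[username] = hash_password(password)


def verify_password(username, password):
    """Constant-time comparison against the stored derived key."""
    record = users.get(username)
    if record is None:
        hash_password(password, salt=_DUMMY_SALT)  # burn the same time as a real check
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def _digest(secret):
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def issue_recovery_token(username, now=None):
    """Return a fresh token for delivery to the user (e.g. by e-mail), or None if unknown.

    Only its digest is kept server-side, together with an expiry time.
    """
    if username not in users:
        return None
    token = secrets.token_urlsafe(32)
    expires = (now if now is not None else time.time()) + TOKEN_TTL_SECONDS
    recovery_tokens[_digest(token)] = {"user": username, "expires": expires}
    return token


def redeem_recovery_token(token, new_password, now=None):
    """Consume the token (single use) and set the user's new password on success."""
    entry = recovery_tokens.pop(_digest(token), None)  # removed whatever the outcome
    if entry is None:
        return False
    if (now if now is not None else time.time()) > entry["expires"]:
        return False
    set_password(entry["user"], new_password)
    return True


def issue_api_key(username):
    """Return an API key for scripted access; only its digest is stored."""
    key = secrets.token_urlsafe(32)
    api_keys[_digest(key)] = username
    return key


def verify_api_key(key):
    """Return the owning username, or None. Lookup is by digest, not by key."""
    return api_keys.get(_digest(key))


if __name__ == "__main__":
    set_password("alice", "correct horse battery staple")
    print(verify_password("alice", "correct horse battery staple"))  # True
    token = issue_recovery_token("alice")
    print(redeem_recovery_token(token, "new passphrase"))  # True, token now consumed
    print(redeem_recovery_token(token, "again"))           # False
```

The recovery flow above is the only place a secret is ever returned to the caller, and it is the freshly generated token rather than any password; the user must choose the replacement password themselves when redeeming it.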