The brainCloud platform supports two different types of passwords:
Portal passwords - the passwords of the app developers who use the brainCloud Design Portal.
End-user passwords - the passwords of the people who use the apps that those app developers create.
Encrypted in Transit and at Rest
All brainCloud API access happens over encrypted (SSL/TLS) connections.
All brainCloud data is stored in MongoDB and is encrypted at rest.
Password storage
In addition to residing in encrypted storage, Portal and End-user passwords are salted and hashed with Spring Security's BCrypt class before they are stored; the plaintext password itself is never written to the database.
BCrypt implements OpenBSD-style Blowfish password hashing using the scheme described in "A Future-Adaptable Password Scheme" by Niels Provos and David Mazières.
This scheme is designed to thwart offline password cracking by using a deliberately computationally intensive hashing algorithm based on Bruce Schneier's Blowfish cipher. Its work factor is adjustable, so the cost of each hash can be raised over time as hardware gets faster.
Hashing
Hashing is a mathematical process that takes an input (like a password) and converts it into a fixed-length string of characters, called a hash. The same input always produces the same hash value, but it is computationally infeasible to reverse the process and recover the original password from the hash.
Salting
Salting adds a random string (the "salt") to the password before hashing. Even identical passwords will produce different hash values because each one gets its own salt, so a precomputed table of hashes cannot be reused across accounts. The salt is not a secret: it is stored alongside the hash (bcrypt embeds it in the hash string itself) so that the same computation can be repeated when a user logs in.
One-way Encryption
The combination of salting and hashing creates a one-way process. The hashed password cannot be reversed to get the original password. Strictly speaking this is hashing rather than encryption: there is no key and no decryption step. A login is verified by hashing the submitted password with the stored salt and comparing the result to the stored hash.
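The register-then-verify flow described above, as an added example that is not brainCloud's own code. It uses Spring Security's BCryptPasswordEncoder (the class the page names) and assumes spring-security-crypto is on the classpath; the password value is a constructed sample.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class BcryptStorageDemo {
    // Work factor: bcrypt runs 2^COST key-setup rounds, so 10 means 1024 rounds.
    // Spring Security's default is 10; raising it makes every hash slower to compute,
    // which is what the "future-adaptable" part of the scheme refers to.
    private static final int COST = 10;
    private static final BCryptPasswordEncoder ENCODER = new BCryptPasswordEncoder(COST);

    // At registration a service stores only this string, never the password.
    // encode() draws a fresh 16-byte random salt and embeds it in the result.
    static String storeNewPassword(String rawPassword) {
        return ENCODER.encode(rawPassword);
    }

    // At login the candidate is hashed with the cost and salt read out of the
    // stored string, and the result is compared to the stored hash.
    static boolean verifyLogin(String candidate, String storedHash) {
        return ENCODER.matches(candidate, storedHash);
    }

    public static void main(String[] args) {
        String pw = "correct horse battery staple"; // constructed sample password

        String stored1 = storeNewPassword(pw);
        String stored2 = storeNewPassword(pw);

        // Same password, two different stored values: each call used a new salt.
        System.out.println(stored1);
        System.out.println(stored2);
        System.out.println("stored values identical: " + stored1.equals(stored2));

        // Layout of the 60-character stored string: $2a$<cost>$<22-char salt><31-char hash>
        String[] parts = stored1.split("\\$"); // ["", "2a", "10", "<salt+hash>"]
        System.out.println("version=" + parts[1] + " cost=" + parts[2]
                + " salt=" + parts[3].substring(0, 22)
                + " hash=" + parts[3].substring(22));

        // Both stored values verify the right password; a wrong password fails.
        System.out.println("login with correct password: " + verifyLogin(pw, stored1));
        System.out.println("login against second hash:   " + verifyLogin(pw, stored2));
        System.out.println("login with wrong password:   " + verifyLogin("wrong password", stored1));
    }
}
```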