Passwords in Specify

Specify implements a secure, multi-step process for authenticating users locally, without relying on an external identity provider. Local authentication is used for direct sign-in to Specify, independent of any institutional single sign-on (SSO) or federated identity system; SSO can be configured separately.

Each user's permissions in the system come from their Security and Accounts configuration. The permissions granted for use in the app are the same as those available through the API.

The following process is in place to safeguard user passwords:

Local Authentication in Specify

  1. Password Storage and Encryption

    • When a user sets or changes their password, the system generates a unique, random 8-byte salt for each password instance.
    • The password, combined with this salt, undergoes a key derivation process using multiple rounds of cryptographic hashing. This produces a secret key that is unique to the user and their password.
    • The password is then encrypted using this derived key and a secure cipher, so that the actual password is never stored in plain text.
    • The salt is prepended to the encrypted password, and this combined value is stored in the database.
  2. Authentication

    • During the login process, Specify retrieves the stored salt and encrypted password.
    • The entered password is combined with the stored salt to regenerate the encryption key through the same derivation process.
    • The encrypted password is decrypted using the regenerated key.
    • If decryption succeeds and yields the expected value, access is granted; otherwise authentication fails and the user cannot connect.
  3. Security Protections

    • Unique salts ensure that even identical passwords result in different stored values, so an attacker cannot tell which users share a password or reuse one precomputed table against every stored value.
    • The key derivation process makes each guess expensive to compute, slowing brute-force attempts.
    • Passwords are never stored or transmitted in plain text; encryption is always applied before storage.

API Authentication

The Specify API supports session-based authentication using the same local authentication practices.

  1. Login Process

    • The client initiates a login by sending its username and password to the API's authentication endpoint.
    • The API validates these credentials using the local authentication method described above, ensuring the password is verified securely.
  2. Session Establishment

    • Upon successful authentication, the API creates a session for the user.
    • A session token or cookie is returned to the client, which must be included in subsequent API requests to authorize access.
  3. API Request Authorization

    • All further interactions with the API (reading, creating, updating resources) are performed within this authenticated session.
    • The session remains valid until the user logs out or the session expires.