Ballpark employs industry-standard techniques for password management, encryption, storage, complexity, and reset.
Encryption and storage
Raw passwords are not stored, so there is no way for a Ballpark employee to see a user's password. The Ballpark web application user authentication system uses Bcrypt to hash and salt user passwords. Each password has a uniquely generated salt, and the 'pepper' is stored independently from the database. Together these force each stored password to be unique, increase its complexity without increasing user requirements, and mitigate password attacks such as precomputed hash tables.
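The salt-and-pepper scheme described above, as an added example that is not Ballpark's code. Python's standard library has no Bcrypt, so scrypt stands in as the slow hash; the pepper value, record format and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample pepper. In a real deployment it is loaded from a secret
# store or environment variable, never from the user database.
PEPPER = b"constructed-sample-pepper-not-a-real-secret"


def _stretch(password: str, salt: bytes, pepper: bytes) -> bytes:
    # Mix the pepper in with HMAC first, then run the slow, salted hash.
    keyed = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    # scrypt stands in for Bcrypt here (assumption: standard library only).
    return hashlib.scrypt(keyed, salt=salt, n=2**14, r=8, p=1, dklen=32)


def hash_password(password: str, pepper: bytes = PEPPER) -> str:
    """Return the 'salt$digest' record that would be stored in the database."""
    salt = os.urandom(16)  # uniquely generated for every password
    return salt.hex() + "$" + _stretch(password, salt, pepper).hex()


def verify_password(password: str, record: str, pepper: bytes = PEPPER) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record
    return hmac.compare_digest(_stretch(password, salt, pepper), expected)


def demo() -> dict:
    a = hash_password("correct horse battery")
    b = hash_password("correct horse battery")
    return {
        "same_password_distinct_records": a != b,
        "valid_login": verify_password("correct horse battery", a),
        "wrong_password": verify_password("wrong guess", a),
        # A database dump alone: right password, but the pepper is unknown.
        "right_password_wrong_pepper": verify_password(
            "correct horse battery", a, pepper=b"attacker-guess"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last check shows why the pepper is kept outside the database: with only the stored records, even the correct password cannot be confirmed.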
Ballpark requires user passwords to have at least 8 characters.
A user can submit a time-restricted request for a password reset link to be sent to their verified email address in the event that they forget their password.
We would encourage all Ballpark customers and users to leverage a password manager to maintain, store, and fill strong passwords when using the product.