Password and OAuth token storage
- Tier: Free, Premium, Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
GitLab administrators can configure how passwords and OAuth tokens are stored.
Password storage
GitLab stores user passwords in a hashed format to prevent passwords from being stored as plain text.
GitLab uses the Devise authentication library to hash user passwords. Created password hashes have these attributes:
- Hashing:
  - bcrypt: By default, the bcrypt hashing function is used to generate the hash of the provided password. This cryptographic hashing function is strong and industry-standard.
  - PBKDF2+SHA512: PBKDF2+SHA512 is supported:
    - In GitLab 15.2 to GitLab 15.5 when the `pbkdf2_password_encryption` and `pbkdf2_password_encryption_write` feature flags are enabled.
    - In GitLab 15.6 and later when FIPS mode is enabled (feature flags are not required).
- Stretching: Password hashes are stretched to harden against brute-force attacks. By default, GitLab uses a stretching factor of 10 for bcrypt and 20,000 for PBKDF2+SHA512.
- Salting: A cryptographic salt is added to each password to harden against pre-computed hash and dictionary attacks. To increase security, each salt is randomly generated for each password, with no two passwords sharing a salt.
OAuth access token storage
OAuth access tokens are stored in the database in PBKDF2+SHA512 format. As with PBKDF2+SHA512 password storage, access token values are stretched 20,000 times to harden against brute-force attacks.
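The PBKDF2+SHA512 scheme described for both passwords and OAuth access tokens, as an added Ruby example that is not GitLab's or Devise's own code: a random per-value salt, 20,000 stretching rounds, and constant-time verification. The `$pbkdf2-sha512$<rounds>$<salt>$<digest>` string layout is an assumption for illustration only and is not GitLab's stored representation.

```ruby
# Added example (not GitLab/Devise code): PBKDF2+SHA512 with a random
# per-password salt and 20,000 rounds, the parameters this page describes.
require 'openssl'
require 'securerandom'

ROUNDS = 20_000      # stretching factor from the page
SALT_BYTES = 16      # assumption: salt length is not stated on the page
DIGEST_BYTES = 64    # SHA-512 output size

def pbkdf2_sha512(password, salt, rounds = ROUNDS)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: rounds,
                           length: DIGEST_BYTES, hash: 'sha512')
end

# Hash a new password with a fresh random salt; no two values share a salt.
# The "$pbkdf2-sha512$..." layout is an assumed, illustrative format.
def hash_password(password, rounds = ROUNDS)
  salt = SecureRandom.random_bytes(SALT_BYTES)
  digest = pbkdf2_sha512(password, salt, rounds)
  "$pbkdf2-sha512$#{rounds}$#{[salt].pack('m0')}$#{[digest].pack('m0')}"
end

# Parse a stored string; returns [rounds, salt, digest] or nil if malformed.
def parse_hash(stored)
  _, scheme, rounds, salt, digest = stored.split('$', 5)
  return nil unless scheme == 'pbkdf2-sha512' && rounds && salt && digest
  [Integer(rounds), salt.unpack1('m0'), digest.unpack1('m0')]
rescue ArgumentError
  nil
end

# Constant-time comparison: a mismatch leaks nothing about where it differs.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Re-derive the digest with the stored salt and rounds, then compare.
def verify_password(password, stored)
  parsed = parse_hash(stored)
  return false unless parsed
  rounds, salt, expected = parsed
  secure_equal?(pbkdf2_sha512(password, salt, rounds), expected)
end
```

Storing the round count alongside the salt lets a verifier keep accepting old hashes while new ones are written with a higher stretching factor.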