PasswordCredential
Represents password-based authentication credentials for a user account, managing the lifecycle of password hashes, expiration policies, and password change requirements. This entity separates authentication credentials from user identity, enabling secure password management with proper hashing, rotation policies, history tracking, and security controls. It supports password complexity requirements, expiration policies, password history to prevent reuse, and temporary password states for account recovery or forced resets. The entity serves as a secure credential store for password-based authentication across enterprise applications, customer portals, administrative systems, and multi-tenant platforms.
Properties
| Property | Type | Mode | Description | Required |
|---|---|---|---|---|
| user | User | stored | Reference to the User who owns this password credential | Required |
| passwordHash | string | stored | Cryptographically hashed password using a secure algorithm (bcrypt, argon2, scrypt) - never store plain text passwords | Required |
| hashAlgorithm | string | stored | Algorithm used for password hashing (e.g., 'bcrypt', 'argon2id', 'scrypt') | Optional |
| lastChangedAt | datetime | stored | Date/time when this password was set or last changed | Required |
| expiresAt | datetime | stored | Date/time when this password expires (null if password never expires) | Optional |
| mustChange | boolean | stored | Whether the user must change this password on next login (used for temporary passwords or security requirements) | Required |
| isTemporary | boolean | stored | Whether this is a temporary password (e.g., for account recovery or initial setup) | Optional |
| previousPasswordHashes | string[] | stored | Array of previous password hashes to prevent password reuse (size limited by password policy) | Optional |
| failedAttempts | number | stored | Number of consecutive failed authentication attempts with this password. Default: 0 | Optional |
| lastFailedAttemptAt | datetime | stored | Date/time of the last failed authentication attempt | Optional |
| isExpired | boolean | calculated | Whether this password has expired based on expiresAt date | Optional |
| daysUntilExpiration | number | calculated | Number of days until password expires (null if no expiration) | Optional |
| daysSinceLastChange | number | calculated | Number of days since password was last changed | Optional |
Examples
Example 1
{
"@type": "PasswordCredential",
"user": {
"@type": "User",
"username": "john.doe"
},
"passwordHash": "$2b$12$LQv3c1yqBWVHxkd0LHAkCOYz6TtxMQJqhN8/LewY5GyYKJz8pV.qG",
"hashAlgorithm": "bcrypt",
"lastChangedAt": "2024-01-15T10:30:00Z",
"expiresAt": "2024-07-15T10:30:00Z",
"mustChange": false,
"isTemporary": false,
"failedAttempts": 0
}
Example 2
{
"@type": "PasswordCredential",
"user": {
"@type": "User",
"username": "jane.smith"
},
"passwordHash": "$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$RdescudvJCsgt3ub+b+dWRWJTmaaJObG",
"hashAlgorithm": "argon2id",
"lastChangedAt": "2024-10-01T14:20:00Z",
"mustChange": false,
"isTemporary": false,
"failedAttempts": 0
}
Example 3
{
"@type": "PasswordCredential",
"user": {
"@type": "User",
"username": "bob.wilson"
},
"passwordHash": "$2b$12$TempPasswordHashForInitialSetup123456789012345678901",
"hashAlgorithm": "bcrypt",
"lastChangedAt": "2024-11-20T10:00:00Z",
"mustChange": true,
"isTemporary": true,
"failedAttempts": 0
}
Example 4
{
"@type": "PasswordCredential",
"user": {
"@type": "User",
"username": "alice.brown"
},
"passwordHash": "$2b$12$LockedAccountPasswordHashExample123456789012345678",
"hashAlgorithm": "bcrypt",
"lastChangedAt": "2024-06-01T08:00:00Z",
"expiresAt": "2024-12-01T08:00:00Z",
"mustChange": false,
"isTemporary": false,
"failedAttempts": 5,
"lastFailedAttemptAt": "2024-11-22T23:58:00Z"
}
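The sketch below is an added example, not part of the entity definition. It shows how previousPasswordHashes can be enforced when hashes are salted, and how the three calculated properties follow from the stored ones. Assumptions: scrypt from the Python standard library, a constructed `scrypt$n$r$p$salt$digest` encoding, a hypothetical `history_size` policy value, and a password change that clears mustChange and isTemporary while leaving expiresAt to the caller.

```python
import base64, hashlib, hmac, os
from datetime import datetime, timezone

def hash_password(password):
    # Constructed encoding for this example: scrypt$n$r$p$salt$digest (fresh salt per call)
    n, r, p, salt = 2**14, 8, 1, os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return "$".join(["scrypt", str(n), str(r), str(p),
                     base64.b64encode(salt).decode(), base64.b64encode(digest).decode()])

def verify(password, encoded):
    _, n, r, p, salt, digest = encoded.split("$")
    actual = hashlib.scrypt(password.encode(), salt=base64.b64decode(salt),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(actual, base64.b64decode(digest))

def is_reused(cred, candidate):
    # Salted hashes of the same password differ, so comparing hash strings never
    # matches; the candidate must be verified against every stored hash.
    stored = [cred["passwordHash"], *cred.get("previousPasswordHashes", [])]
    return any(verify(candidate, h) for h in stored)

def change_password(cred, new_password, now, history_size=3):
    # history_size stands in for the password policy limit (assumed value)
    if is_reused(cred, new_password):
        raise ValueError("password reuse rejected")
    history = [cred["passwordHash"], *cred.get("previousPasswordHashes", [])]
    cred.update(passwordHash=hash_password(new_password), hashAlgorithm="scrypt",
                previousPasswordHashes=history[:history_size],
                lastChangedAt=now.isoformat(), mustChange=False, isTemporary=False)
    return cred

def calculated(cred, now):
    # Derives the three calculated properties from the stored ones
    parse = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    expires = parse(cred["expiresAt"]) if cred.get("expiresAt") else None
    return {"isExpired": expires is not None and now >= expires,
            "daysUntilExpiration": None if expires is None else (expires - now).days,
            "daysSinceLastChange": (now - parse(cred["lastChangedAt"])).days}

if __name__ == "__main__":
    # Constructed sample record; the dates are the ones used in Example 1
    cred = {"passwordHash": hash_password("first-Passw0rd"), "mustChange": True,
            "lastChangedAt": "2024-01-15T10:30:00Z", "expiresAt": "2024-07-15T10:30:00Z"}
    now = datetime(2024, 7, 1, 10, 30, tzinfo=timezone.utc)
    print(calculated(cred, now), is_reused(cred, "first-Passw0rd"))
```

Once a hash falls out of the size-limited history, the corresponding password is accepted again, so the history size is the effective reuse window.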