In addition to best practices like multi-factor authentication, PlanetScale securely stores your account passwords and validates passwords against known security breaches.
PlanetScale uses Argon2 as the password hashing function. We use the
Argon2id variant, which provides protection against side channel attacks and GPU-based cracking attacks.
A password hashing function is a one-way function which means that your password cannot be reversed or decrypted from the stored value in the database.
PlanetScale checks passwords when a user sets them during sign-up or when changing the password. The first check is that the password needs to have enough entropy. Entropy is a measure for the amount of randomness a password contains. Read more about how we use entropy for user-friendly strong passwords in the PlanetScale blog.
PlanetScale also checks the password against Have I been pwned. Have I been pwned is a large database containing passwords seen in security breaches.
PlanetScale does not send the password you enter to Have I been pwned. The Have I been pwned API provides anonymity through the Cloudflare k-anonymity implementation. This ensures that no other provider can identify the password that you have entered.
The password is also not associated in any way with the email address you use to sign up. This information is not shared with Have I been pwned, nor is this information needed for the leaked passwords API they provide.