
User Management Guide

This guide covers user administration in KrakenHashes, including user roles, authentication, multi-factor authentication (MFA), and security policies.

Table of Contents

  1. User Roles and Permissions
  2. Creating and Managing Users
  3. Password Policies and Requirements
  4. Multi-Factor Authentication Management
  5. Session Management
  6. User Deactivation and Deletion
  7. Audit Logging and User Activity

User Roles and Permissions

KrakenHashes implements a role-based access control (RBAC) system with the following roles:

User Roles

  1. User (default role)
     • View and manage their own profile
     • Submit password cracking jobs
     • View their own job results
     • Manage their own MFA settings
     • Access general system features

  2. Admin
     • All user permissions, plus:
     • View and manage all users
     • Reset user passwords
     • Enable/disable user accounts
     • Modify system settings
     • View all jobs and results
     • Manage agents and vouchers
     • Access the admin dashboard

  3. System (special role)
     • Reserved for system operations
     • Cannot be assigned to regular users
     • Cannot be modified or disabled

Permission Matrix

The User and Admin columns follow from the role descriptions above; the System role is reserved for system operations and is never assigned to a person.

  Action              User   Admin   System
  View own profile    Yes    Yes     reserved
  Edit own profile    Yes    Yes     reserved
  View all users      No     Yes     reserved
  Manage users        No     Yes     reserved
  System settings     No     Yes     reserved
  View all jobs       No     Yes     reserved

Creating and Managing Users

User Creation

Currently, users are created through the registration process. Admin creation of users is not directly implemented but can be achieved through the following methods:

  1. Self-registration (if enabled)
     • Users register themselves through the web interface
     • Email verification may be required

  2. Admin-initiated registration
     • The admin provides the registration link to the new user
     • The user completes the registration process

User Management Operations

Listing Users

Admins can view all users through the admin dashboard:

  1. Navigate to Admin → Users
  2. Filter by role (admin, user)
  3. View user details, including:
     • Username and email
     • Role
     • Account status (enabled/disabled)
     • MFA status
     • Last login time

[Screenshot: User Management page showing the user accounts table with columns for Username, Email, Role, Status, MFA status and Last Login]

Updating User Information

Admins can update:

  • Username
  • Email address
  • User role (user ↔ admin)

Note: System users cannot be modified.

Resetting User Passwords

Admins can reset user passwords in two ways:

  1. Temporary password
     • The system generates a secure temporary password
     • The password must be changed on next login
     • Share the password with the user over a secure channel, not in the same email as their username

  2. Custom password
     • The admin sets a specific password
     • It must meet the password policy requirements
     • The user should change it on next login

Password Policies and Requirements

Default Password Requirements

The system enforces configurable password policies:

  • Minimum length: 8 characters (configurable)
  • Character requirements (configurable):
     • Uppercase letters
     • Lowercase letters
     • Numbers
     • Special characters

Password Policy Configuration

Admins can configure password policies as follows:

  1. Navigate to Admin → Settings → Authentication
  2. Adjust the password requirements:

{
  "minPasswordLength": 8,
  "requireUppercase": true,
  "requireLowercase": true,
  "requireNumbers": true,
  "requireSpecialChars": true
}
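As an added example (not KrakenHashes code), the following Python checks a candidate password against a policy in the JSON shape shown above and reports every requirement it misses, which is what a user-facing error message needs. The field names are taken from that configuration; the 72-byte upper bound is an assumption drawn from how bcrypt truncates its input, not a setting the page lists.

```python
import json
import re
from typing import List

# Constructed copy of the policy JSON shown above (not read from a live instance).
POLICY_JSON = """
{
  "minPasswordLength": 8,
  "requireUppercase": true,
  "requireLowercase": true,
  "requireNumbers": true,
  "requireSpecialChars": true
}
"""

# Each configurable requirement maps to the character class it demands.
CLASS_CHECKS = {
    "requireUppercase": (re.compile(r"[A-Z]"), "at least one uppercase letter"),
    "requireLowercase": (re.compile(r"[a-z]"), "at least one lowercase letter"),
    "requireNumbers": (re.compile(r"[0-9]"), "at least one digit"),
    "requireSpecialChars": (re.compile(r"[^A-Za-z0-9]"), "at least one special character"),
}

# Assumption (not a page setting): bcrypt only hashes the first 72 bytes, so anything
# beyond that is silently ignored and should be rejected rather than accepted.
BCRYPT_MAX_BYTES = 72


def load_policy(text: str) -> dict:
    policy = json.loads(text)
    if policy.get("minPasswordLength", 0) < 1:
        raise ValueError("minPasswordLength must be positive")
    return policy


def check_password(password: str, policy: dict) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    min_len = policy.get("minPasswordLength", 8)
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    for key, (pattern, description) in CLASS_CHECKS.items():
        if policy.get(key, False) and not pattern.search(password):
            problems.append(description)
    if len(password.encode("utf-8")) > BCRYPT_MAX_BYTES:
        problems.append(f"longer than {BCRYPT_MAX_BYTES} bytes; bcrypt would silently truncate it")
    return problems


def is_acceptable(password: str, policy: dict) -> bool:
    return not check_password(password, policy)


if __name__ == "__main__":
    policy = load_policy(POLICY_JSON)
    for candidate in ["Ab1!", "alllowercase1!", "Correct-Horse-7", "A" * 80 + "a1!"]:
        print(f"{candidate[:20]:22s}", check_password(candidate, policy) or "OK")
```

Reporting all violations at once, rather than stopping at the first, keeps the user from having to resubmit once per rule.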

Password Security Features

  • Passwords are hashed using bcrypt with the default cost (note that bcrypt uses only the first 72 bytes of the password)
  • Password history tracking
  • Last password change timestamp
  • Forced password change capability

Multi-Factor Authentication Management

MFA Overview

KrakenHashes supports multiple MFA methods:

  1. Email-based MFA (default)
     • 6-digit codes sent via email
     • Configurable code validity period
     • Built-in cooldown between requests

  2. Authenticator app (TOTP)
     • Compatible with Google Authenticator, Authy, etc.
     • SHA-512 algorithm
     • 30-second time window
     • 6-digit codes

  3. Backup codes
     • 8 single-use recovery codes (configurable)
     • Generated when MFA is enabled
     • Can be regenerated by the user
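An added example, not the project's own implementation: RFC 6238 TOTP with the parameters listed above (SHA-512, 30-second step, 6 digits), verification with a clock-skew window, and single-use backup codes stored only as hashes. The otpauth URI layout, the backup-code length and the SHA-256 storage hash are assumptions for illustration. The TOTP part is checked against the SHA-512 test vectors in RFC 6238 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from typing import List, Set, Tuple

# Parameters named on the page: SHA-512, 30-second step, 6-digit codes, 8 backup codes.
TOTP_STEP = 30
TOTP_DIGITS = 6
TOTP_ALGO = hashlib.sha512
BACKUP_CODE_COUNT = 8


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS, algo=TOTP_ALGO) -> str:
    """RFC 4226 HOTP with dynamic truncation; RFC 6238 lets the HMAC hash be SHA-512."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    truncated = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at: float, step: int = TOTP_STEP) -> str:
    """Code for the 30-second window containing Unix time `at`."""
    return hotp(secret, int(at) // step)


def verify_totp(secret: bytes, code: str, at: float, skew: int = 1, step: int = TOTP_STEP) -> bool:
    """Accept the current window plus `skew` windows either side to tolerate clock drift.

    Every candidate is compared (no early return) with a constant-time comparison, so
    timing does not reveal which window, if any, matched.
    """
    matched = False
    current = int(at) // step
    for delta in range(-skew, skew + 1):
        matched |= hmac.compare_digest(hotp(secret, current + delta), code)
    return matched


def provisioning_uri(secret: bytes, account: str, issuer: str = "KrakenHashes") -> str:
    """otpauth:// URI for the enrolment QR code (assumed layout; the page shows no payload).

    Caveat: some authenticator apps ignore the algorithm parameter and fall back to SHA-1,
    producing codes that never match a SHA-512 server.
    """
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA512&digits={TOTP_DIGITS}&period={TOTP_STEP}")


def generate_backup_codes(count: int = BACKUP_CODE_COUNT) -> Tuple[List[str], Set[str]]:
    """Return (plaintext codes shown to the user once, hashes to persist). Only hashes are stored.

    Assumption: 10 hex characters (40 bits) per code. With a stolen hash an offline guess of a
    40-bit space is feasible, so production storage should use a slow hash such as bcrypt;
    SHA-256 keeps this example standard-library only.
    """
    plain = [secrets.token_hex(5) for _ in range(count)]
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in plain}
    return plain, stored


def redeem_backup_code(stored: Set[str], code: str) -> bool:
    """Single use: the matching hash is removed so the same code cannot be replayed."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    for h in list(stored):
        if hmac.compare_digest(h, digest):
            stored.remove(h)
            return True
    return False
```

A skew of 1 accepts codes from the previous and next 30-second window, which covers ordinary phone clock drift; widening it further trades a larger acceptance surface for convenience.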

Global MFA Settings

Admins can configure MFA requirements:

  1. Mandatory MFA
     • Require all users to enable MFA
     • Configurable allowed methods
     • The email gateway must be configured first

  2. MFA configuration options

    {
      "requireMfa": false,
      "allowedMfaMethods": ["email", "authenticator"],
      "emailCodeValidity": 5,        // minutes
      "backupCodesCount": 8,
      "mfaCodeCooldownMinutes": 1,
      "mfaCodeExpiryMinutes": 5,
      "mfaMaxAttempts": 3
    }
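Added example (not the project's code) of how the three code-lifecycle settings above interact: a cooldown before another code can be requested, an expiry after which the code is void, and a cap on wrong guesses after which the challenge must be restarted. The session object, the hashing of the code at rest and the clock-as-argument style are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Values from the MFA configuration shown above.
MFA_CONFIG = {"mfaCodeCooldownMinutes": 1, "mfaCodeExpiryMinutes": 5, "mfaMaxAttempts": 3}


def _digest(code: str) -> str:
    # Keeps the code out of the database and logs. A 6-digit space is tiny, so it is the
    # attempt cap below, not the hash, that actually stops guessing.
    return hashlib.sha256(code.encode()).hexdigest()


@dataclass
class PendingCode:
    digest: str
    issued_at: float
    attempts: int = 0


class EmailMfaSession:
    """One user's email-code challenge: cooldown between requests, expiry, and an attempt cap."""

    def __init__(self, config: dict):
        self.config = config
        self.pending: Optional[PendingCode] = None
        self.last_issued_at: Optional[float] = None

    def request_code(self, now: float) -> str:
        """Issue a fresh 6-digit code, or raise if the cooldown has not elapsed."""
        cooldown = self.config["mfaCodeCooldownMinutes"] * 60
        if self.last_issued_at is not None and now - self.last_issued_at < cooldown:
            raise RuntimeError("cooldown active; try again later")
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending = PendingCode(_digest(code), now)
        self.last_issued_at = now
        return code   # handed to the email gateway; never stored in clear

    def verify(self, code: str, now: float) -> bool:
        """Check a submitted code. Expired codes and exhausted attempts void the challenge."""
        p = self.pending
        if p is None:
            return False
        if now - p.issued_at > self.config["mfaCodeExpiryMinutes"] * 60:
            self.pending = None           # expired: the user must request a new code
            return False
        p.attempts += 1
        if hmac.compare_digest(p.digest, _digest(code)):
            self.pending = None           # single use
            return True
        if p.attempts >= self.config["mfaMaxAttempts"]:
            self.pending = None           # too many wrong guesses: start over with a new code
        return False
```

The cooldown applies to issuance and the attempt cap to verification; both are needed, since without the cap a 6-digit code is guessable within its 5-minute lifetime and without the cooldown the email gateway becomes a spam relay.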
    

User MFA Management

Enabling MFA for a User

Users can enable MFA through their profile:

  1. Navigate to Profile → Security
  2. Choose an MFA method
  3. Complete the verification process
  4. Save the backup codes

[Screenshot: User Profile Settings page showing account information, password change, and the MFA controls that reflect the authentication policies configured by administrators]

Admin MFA Operations

Admins can:

  • View a user's MFA status
  • Disable MFA for a user (if not globally required)
  • Reset MFA settings in case of lockout

MFA Authentication Flow

  1. User enters username/password
  2. System validates credentials
  3. If MFA enabled, prompt for code
  4. User provides code via preferred method
  5. System validates code with retry limits
  6. Grant access upon successful verification

Session Management

Session Security Features

  1. JWT-based authentication
     • Configurable token expiry (default: 7 days)
     • Secure HTTP-only cookies
     • Refresh token support

  2. Account security
     • Failed login attempt tracking
     • Automatic account lockout after a threshold
     • Configurable lockout duration
     • Admin unlock capability

Session Configuration

{
  "maxFailedAttempts": 5,
  "lockoutDurationMinutes": 30,
  "jwtExpiryMinutes": 10080,  // 7 days
  "sessionTimeout": 60         // minutes of inactivity
}
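Added example, not the project's code, implementing maxFailedAttempts and lockoutDurationMinutes from the configuration above together with the admin unlock described under Account Lockout. The AccountState fields mirror the values the page says are tracked under Session Monitoring; the outcome strings and the counter reset once a lock has elapsed are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Values from the session configuration shown above.
SESSION_CONFIG = {"maxFailedAttempts": 5, "lockoutDurationMinutes": 30}


@dataclass
class AccountState:
    """Per-account fields the page lists under Session Monitoring."""
    failed_login_attempts: int = 0
    last_failed_attempt: Optional[float] = None
    locked_until: Optional[float] = None
    last_login: Optional[float] = None


class LockoutPolicy:
    def __init__(self, config: dict):
        self.max_attempts = config["maxFailedAttempts"]
        self.lockout_seconds = config["lockoutDurationMinutes"] * 60

    def is_locked(self, acct: AccountState, now: float) -> bool:
        return acct.locked_until is not None and now < acct.locked_until

    def seconds_remaining(self, acct: AccountState, now: float) -> int:
        """What the lockout message shows the user."""
        return int(acct.locked_until - now) if self.is_locked(acct, now) else 0

    def record_attempt(self, acct: AccountState, credentials_ok: bool, now: float) -> str:
        """Apply one login attempt; returns "locked", "ok" or "failed"."""
        if self.is_locked(acct, now):
            # Refuse before checking the password: a locked account must not leak whether
            # a guess was right, otherwise the lockout only slows the attacker's feedback.
            return "locked"
        if acct.locked_until is not None:
            # The lock window has elapsed (assumed behaviour): start a fresh counter rather
            # than re-locking on the very next miss.
            acct.locked_until = None
            acct.failed_login_attempts = 0
        if credentials_ok:
            acct.failed_login_attempts = 0
            acct.last_login = now
            return "ok"
        acct.failed_login_attempts += 1
        acct.last_failed_attempt = now
        if acct.failed_login_attempts >= self.max_attempts:
            acct.locked_until = now + self.lockout_seconds
            return "locked"
        return "failed"

    def admin_unlock(self, acct: AccountState) -> None:
        """Admin → Users → Unlock: clears the lock and the counter without waiting."""
        acct.locked_until = None
        acct.failed_login_attempts = 0
```

Returning "locked" even when the submitted password is correct is deliberate: otherwise an attacker who has reached the threshold still learns which guess succeeded.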

Managing User Sessions

Account Lockout

When a user exceeds the failed login attempt threshold:

  1. The account is automatically locked
  2. The user sees a lockout message with the duration
  3. An admin can manually unlock it via Admin → Users → Unlock

Session Monitoring

  • Last login timestamp tracked
  • Failed login attempts counted
  • Last failed attempt timestamp
  • Account lock status and duration

User Deactivation and Deletion

Account Deactivation

Admins can disable user accounts:

  1. Disable account
     • The user cannot log in
     • Requires a disable reason
     • Tracks who disabled the account and when
     • Account data is preserved
     • Can be re-enabled later

  2. Enable account
     • Restores account access
     • Clears the disable reason
     • The user can log in again

Important Considerations

  • System users cannot be disabled
  • Disabled users' data remains intact
  • Active sessions are not immediately terminated
  • User deletion is not implemented (data retention)

Deactivation Process

  1. Navigate to Admin → Users
  2. Select user to disable
  3. Click "Disable Account"
  4. Provide reason for audit trail
  5. Confirm action

To re-enable an account:

  1. Find the disabled user
  2. Click "Enable Account"
  3. The user can now log in

Audit Logging and User Activity

User Activity Tracking

The system tracks the following user activities:

  1. Authentication events
     • Login attempts (successful/failed)
     • MFA verification attempts
     • Password changes
     • Account lockouts

  2. Account modifications
     • Profile updates
     • MFA changes
     • Password resets
     • Role changes

  3. Administrative actions
     • User account modifications
     • Password resets by an admin
     • Account enable/disable
     • MFA resets

Audit Information Captured

For each auditable event, the following is recorded:

  • Timestamp
  • User ID performing the action
  • Target user ID (if applicable)
  • Action type
  • Additional context (e.g., disable reason)
  • IP address (where applicable)

Accessing Audit Logs

While a dedicated audit log viewer is not yet implemented, audit information is stored in the database:

  • Login tracking via last_login and failed_login_attempts
  • Account changes via disabled_by, disabled_at, disabled_reason
  • Password changes via last_password_change

Security Best Practices

  1. Regular reviews
     • Review the user list for inactive accounts
     • Check for users with excessive privileges
     • Monitor failed login patterns

  2. MFA enforcement
     • Consider mandatory MFA for admin users
     • Regularly review the MFA methods in use
     • Ensure the email gateway is configured for email MFA

  3. Password policies
     • Enforce strong password requirements
     • Consider regular password rotation for admins
     • Monitor for compromised credentials

  4. Account hygiene
     • Disable accounts promptly when users leave
     • Regularly review admin role assignments
     • Document the reasons for account actions
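Added example (not the project's code) that automates the review items above over a user listing such as an admin sees under Admin → Users or fetches from GET /api/admin/users. The JSON key names, the 90-day inactivity threshold and the failed-attempt warning level are assumptions, and the sample records are constructed; the fields themselves (role, status, MFA status, last login, failed attempts) are the ones this page says are tracked.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample user listing. Field names are assumed; the page lists the fields but not
# the JSON keys the API uses.
SAMPLE_USERS_JSON = """
[
  {"id": 1, "username": "alice", "email": "alice@example.com", "role": "admin",
   "enabled": true, "mfa_enabled": true, "last_login": "2024-05-01T09:12:00Z", "failed_login_attempts": 0},
  {"id": 2, "username": "bob", "email": "bob@example.com", "role": "admin",
   "enabled": true, "mfa_enabled": false, "last_login": "2024-04-28T17:40:00Z", "failed_login_attempts": 0},
  {"id": 3, "username": "carol", "email": "carol@example.com", "role": "user",
   "enabled": true, "mfa_enabled": true, "last_login": "2023-11-02T08:00:00Z", "failed_login_attempts": 0},
  {"id": 4, "username": "dave", "email": "dave@example.com", "role": "user",
   "enabled": true, "mfa_enabled": false, "last_login": null, "failed_login_attempts": 4},
  {"id": 5, "username": "system", "email": "", "role": "system",
   "enabled": true, "mfa_enabled": false, "last_login": null, "failed_login_attempts": 0}
]
"""

REVIEW_NOW = datetime(2024, 5, 2, tzinfo=timezone.utc)   # fixed "today" so the sample is reproducible
INACTIVE_AFTER = timedelta(days=90)                        # assumed inactivity threshold
FAILED_ATTEMPT_WARNING = 3                                 # below the lockout threshold, but worth a look


def load_sample() -> List[dict]:
    return json.loads(SAMPLE_USERS_JSON)


def parse_ts(value: Optional[str]) -> Optional[datetime]:
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def review_users(users: List[dict], now: datetime) -> Dict[str, List[str]]:
    """Group usernames by finding: inactive accounts, admins without MFA, failed-login patterns."""
    findings: Dict[str, List[str]] = {
        "inactive": [], "never_logged_in": [], "admin_without_mfa": [], "failed_logins": [],
    }
    for u in users:
        if u["role"] == "system" or not u["enabled"]:
            continue   # the system role is reserved; disabled accounts are already dealt with
        last = parse_ts(u.get("last_login"))
        if last is None:
            findings["never_logged_in"].append(u["username"])
        elif now - last > INACTIVE_AFTER:
            findings["inactive"].append(u["username"])
        if u["role"] == "admin" and not u.get("mfa_enabled"):
            findings["admin_without_mfa"].append(u["username"])
        if u.get("failed_login_attempts", 0) >= FAILED_ATTEMPT_WARNING:
            findings["failed_logins"].append(u["username"])
    return findings


if __name__ == "__main__":
    for finding, names in review_users(load_sample(), REVIEW_NOW).items():
        print(f"{finding:18s} {', '.join(names) or '-'}")
```

Running this on a schedule and diffing the output against the previous run surfaces new admin grants and accounts that quietly stopped being used, which a one-off look at the dashboard table tends to miss.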

Troubleshooting Common Issues

MFA Issues

Problem: User locked out of MFA - Solution: After verifying the user's identity out of band, an admin can disable MFA for the user; the user then re-enables it and saves a fresh set of backup codes

Problem: Email codes not received - Solution: Check email gateway configuration, verify email address

Problem: Authenticator app out of sync - Solution: Verify the system time on both the server and the device, and consider increasing the TOTP skew tolerance. If codes never match regardless of time, confirm the app honours the SHA-512 algorithm parameter; some authenticator apps ignore it and generate SHA-1 codes

Account Access Issues

Problem: User account locked - Solution: Admin unlocks account or wait for lockout duration

Problem: Password reset not working - Solution: Verify password meets policy requirements

Problem: Cannot modify system user - Solution: System users are protected and cannot be modified

Configuration Issues

Problem: Cannot enable global MFA - Solution: Configure email gateway first in Email Settings

Problem: Users bypassing MFA - Solution: Check global MFA requirement is enabled

API Endpoints Reference

For programmatic access, the following admin endpoints are available:

  • GET /api/admin/users - List all users
  • GET /api/admin/users/{id} - Get user details
  • PUT /api/admin/users/{id} - Update user
  • POST /api/admin/users/{id}/disable - Disable account
  • POST /api/admin/users/{id}/enable - Enable account
  • POST /api/admin/users/{id}/reset-password - Reset password
  • POST /api/admin/users/{id}/disable-mfa - Disable MFA
  • POST /api/admin/users/{id}/unlock - Unlock account

All endpoints require admin authentication via JWT token.