
Password Configuration

Last updated 28/10/2024

The User Settings page enables you to configure password handling for your application: you can set the number of sign-in attempts allowed before an account is locked, and set the required password strength.

Who can Configure Passwords?

Please refer to the chapter Default Users and Roles.

Limit Failed Log In Attempts

For security reasons, you can limit the number of attempts a user can make to sign in to your application before the session is denied. The default value is 3. You can change this value by entering a small integer in the Allowed Password Fails field on the User Settings page. The user's account will be locked when the number of failed attempts reaches this value.

caution
When the number of attempts is set to zero, the number of attempts is unlimited. This is not recommended for security reasons.

1. Select the application record in the list.

2. Click the User Settings tab.


Figure 1 - User Settings tab

3. Either click the Edit button in the form app bar, or click directly in the Allowed Password Fails field.


Figure 2 - Edit button

4. Click the Cancel button in the Allowed Password Fails field and type a new integer.

5. Click the Save button in the form app bar.


Figure 3 - Save button

Add a Password Strength

Select a password strength from the list in the Password Strength field. The following is an overview of each available strength.

  • No Checking - Not recommended and should be used with extreme caution.
  • Poor - Too guessable: risky password. (guesses < 10^3)
  • Weak - Very guessable: protection from throttled online attacks. (guesses < 10^6)
  • Average - Somewhat guessable: protection from unthrottled online attacks. (guesses < 10^8)
  • Strong - Safely unguessable: moderate protection from offline slow-hash scenario. (guesses < 10^10)
  • Very Strong - Very unguessable: strong protection from offline slow-hash scenario. (guesses >= 10^10)

Additionally, a password for your application must contain:

  • A number
  • A symbol
  • A letter
  • 8 to 32 characters in length

Five also allows an application to set a maximum number of allowed password fails before an account is locked. This means that even a password of poor strength becomes very difficult to crack, since the account will lock after a small number of failed tries.
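The effect of the Allowed Password Fails limit described above, as an added Python model that is not Five's own code. The class and field names are hypothetical, the guess list is constructed, and clearing the counter on a successful sign-in is an assumption.

```python
from dataclasses import dataclass


@dataclass
class Account:
    """Toy model of one user record (hypothetical names, not Five's schema)."""
    password: str
    allowed_fails: int = 3   # the page's default; 0 means unlimited attempts
    failed: int = 0
    locked: bool = False

    def sign_in(self, attempt: str) -> str:
        if self.locked:
            return "locked"          # rejected without being checked
        # Plain comparison stands in for the real password-hash check.
        if attempt == self.password:
            self.failed = 0          # assumption: a success clears the counter
            return "ok"
        self.failed += 1
        # A limit of 0 never locks, which is why the page advises against it.
        if self.allowed_fails and self.failed >= self.allowed_fails:
            self.locked = True
        return "denied"


def guesses_checked(account: Account, candidates: list[str]) -> tuple[int, bool]:
    """Feed an ordered guess list to the account.

    Returns (number of guesses actually compared, whether one matched).
    """
    for index, guess in enumerate(candidates):
        result = account.sign_in(guess)
        if result == "locked":
            return index, False
        if result == "ok":
            return index + 1, True
    return len(candidates), False


# Constructed sample guess list, most common first.
GUESSES = ["Password1!", "Welcome1!", "Summer24!", "Qwerty12#", "Spring24!"]

if __name__ == "__main__":
    for secret, limit in [("Spring24!", 3), ("Spring24!", 0), ("Welcome1!", 3)]:
        print(secret, limit, guesses_checked(Account(secret, limit), GUESSES))
```

The third case shows the limit of the argument: a password that sits within the first few guesses still falls before the lock triggers, so the limit complements rather than replaces a stronger Password Strength setting.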

For further information on the enforcement of password strength, please refer to: Low-Budget Password Strength Estimation.

The default value is Poor.

1. Select the application record in the list.

2. Click the User Settings tab.


Figure 4 - User Settings tab

3. Either click the Edit button in the form app bar, or click directly in the Password Strength field.


Figure 5 - Edit button

4. Click the lookup icon in the Password Strength field and select a strength.


Figure 6 - Password Strength field

5. Click the Save button in the form app bar.


Figure 7 - Save button

Reset a Password

When a user has reached their maximum attempts and their account is locked, you have two methods to reset their account. You can automate the process to enable the user to reset their password, or you can manually unlock their account and force them to change their password on their next login.

Enable a User to Reset Their Password

Automating a reset password email lets a user who has locked their account reset their own password. An email will be sent to the user with a URL link to reset their password. You will first need to add your SMTP settings and configure your password reset email template on the Mail page for the Instance record. In your reset password email template, you can add the password reset link variable; this adds a URL link that enables a user of your application to reset their password.

Once a user has locked their account for your application, they will need to perform the following steps to reset their account.

1. Click the OK button for the Account Locked message.


Figure 8 - OK button

2. Click the Forgot Password button.


Figure 9 - Forgot Password button

3. Click the Reset button.


Figure 10 - Reset button

info
The user of your application will receive a message that a password reset link has been sent to their email address.

4. Click the OK button for the message; the user will then need to check their email.


Figure 11 - OK button

5. Click the link provided in the email to be taken to the Reset Password window.

info
The password reset token will remain valid for 8 hours.

Figure 12 - Reset password link

6. Type a password in the Password field.

7. Confirm the password in the Confirm Password field.

8. Click the Reset button.


Figure 13 - Reset button

info
Your user will be taken to your Sign In window where they can now enter their username and new password.

Figure 14 - Sign In window

Manually Reset a User's Account

If a user's account is locked, you can manually unlock their account on the Users form. This must be done by a user of your application who has permissions to the iUser table.

1. Log into your application.

2. Select the Users menu item.


Figure 15 - Users menu item

3. Either click the Edit button in the form app bar, or click directly in the Password field.


Figure 16 - Edit button

4. Type a new password in the Password field.

5. Click the Locked switch.

6. Click the Password Update Next Login switch.

info

The user's account will unlock with the Locked switch in a false state.

The user will be forced to change their password on their next login with the Password Update Next Login switch in a true state.

You will need to contact your user to give them the temporary password that you entered in the Password field.


Figure 17 - Edit user record

7. Click the Save button in the form app bar.


Figure 18 - Save button