Password Configuration
Last updated 28/10/2024
The User Settings page enables you to configure password settings for your application: the number of sign-in attempts that can be made before an account is locked, and the required password strength.
Who can Configure Passwords?
Please refer to the chapter Default Users and Roles.
Limit Failed Log In Attempts
For security reasons, you can limit the number of attempts a user has to sign into your application before the session is denied. The default value is 3. You can change this value by entering a small integer in the Allowed Password Fails field on the User Settings page. The user's account will be locked once the allowed number of failed attempts is reached.
2. Click the User Settings tab.
3. Either click the Edit button in the form app bar, or click directly in the Allowed Password Fails field.
4. Click the Cancel button in the Allowed Password Fails field and type a new integer.
5. Click the Save button in the form app bar.
Add a Password Strength
A password strength needs to be selected from the list in the Password Strength field. The following is an overview of each of the strengths available.
- No Checking - Not recommended and should be used with extreme caution.
- Poor - Too guessable: risky password. (guesses < 10^3)
- Weak - Very guessable: protection from throttled online attacks. (guesses < 10^6)
- Average - Somewhat guessable: protection from unthrottled online attacks. (guesses < 10^8)
- Strong - Safely unguessable: moderate protection from offline slow-hash scenario. (guesses < 10^10)
- Very Strong - Very unguessable: strong protection from offline slow-hash scenario. (guesses >= 10^10)
Additionally, a password for your application must contain:
- A number
- A symbol
- A letter
- 8 to 32 characters in length
Five also allows an application to set a maximum number of allowed password fails before an account is locked. This means that even a poor password strength becomes very difficult to crack, since repeated attempts will lock the account after a small number of tries.
For further information on the enforcement of password strength please refer to: Low-Budget Password Strength Estimation.
The default value is Poor.
1. Select the application record in the list.
2. Click the User Settings tab.
3. Either click the Edit button in the form app bar, or click directly in the Password Strength field.
4. Click the lookup icon in the Password Strength field and select a strength.
5. Click the Save button in the form app bar.
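The composition rules and strength levels listed in this section can be sketched as a check, shown here as an added example that is not Five's own code. It assumes the guess count comes from an external estimator (such as zxcvbn, the estimator described in Low-Budget Password Strength Estimation), that the Password Strength setting acts as a minimum, and that a symbol is any character that is not a letter, digit or whitespace; all function names are hypothetical.

```javascript
// Added example, not Five's code. Guess counts are supplied by the caller
// (e.g. from an estimator such as zxcvbn); function names are hypothetical.
const LEVELS = [ // upper bounds copied from the strength list on this page
  { name: "Poor", below: 1e3 },
  { name: "Weak", below: 1e6 },
  { name: "Average", below: 1e8 },
  { name: "Strong", below: 1e10 },
  { name: "Very Strong", below: Infinity },
];

function strengthLabel(guesses) {
  if (!(guesses >= 0)) throw new RangeError("guesses must be a non-negative number");
  const hit = LEVELS.find((level) => guesses < level.below);
  return (hit || LEVELS[LEVELS.length - 1]).name;
}

// Composition rules from this page. Assumption: a "symbol" is any character
// that is not a letter, a digit or whitespace.
function compositionErrors(password) {
  const errors = [];
  const length = [...password].length; // count code points, not UTF-16 units
  if (length < 8 || length > 32) errors.push("must be 8 to 32 characters long");
  if (!/\p{L}/u.test(password)) errors.push("must contain a letter");
  if (!/\p{Nd}/u.test(password)) errors.push("must contain a number");
  if (!/[^\p{L}\p{N}\s]/u.test(password)) errors.push("must contain a symbol");
  return errors;
}

// Assumption: the Password Strength setting is the minimum acceptable level,
// and "No Checking" skips only the strength comparison.
function checkPassword(password, guesses, required = "Poor") {
  const rank = (name) => LEVELS.findIndex((level) => level.name === name);
  if (required !== "No Checking" && rank(required) < 0) {
    throw new RangeError(`unknown strength setting: ${required}`);
  }
  const errors = compositionErrors(password);
  const label = strengthLabel(guesses);
  if (required !== "No Checking" && rank(label) < rank(required)) {
    errors.push(`estimated strength ${label} is below ${required}`);
  }
  return { ok: errors.length === 0, label, errors };
}

// Constructed input: the guess count 500 is made up for illustration.
console.log(checkPassword("Password1!", 500, "Average"));
```

A password can satisfy every composition rule and still be rejected on strength, which is why the two checks are reported separately.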
Reset a Password
When a user has reached their maximum attempts and their account is locked, you have two methods to reset their account. You can automate the process to enable the user to reset their password, or you can manually unlock their account and force them to change their password on their next login.
Enable a User to Reset Their Password
Automating a reset password email for a user who has locked their account enables the user to reset their own password. An email will be sent to the user with a URL link to reset their password. You will first need to add your SMTP settings and configure your password reset email template on the Mail page for the Instance record. In your reset password email template, you can add the password reset link variable. This adds a URL link that enables a user of your application to reset their password.
Once a user has locked their account for your application, they will need to perform the following steps to reset their account.
1. Click the OK button for the Account Locked message.
2. Click the Forgot Password button.
3. Click the Reset button.
4. Click the OK button for the message and the user will need to check their email.
5. Click the link provided in the email to be taken to the Reset Password window.
6. Type a password in the Password field.
7. Confirm the password in the Confirm Password field.
8. Click the Reset button.
Manually Reset a User's Account
If a user's account is locked, you can manually unlock their account on the Users form. This needs to be performed by a user of your application who has permissions to the iUser table.
1. Log into your application.
2. Select the Users menu item.
3. Either click the Edit button in the form app bar, or click directly in the Password field.
4. Type a new password in the Password field.
5. Click the Locked switch.
6. Click the Password Update Next Login switch.
The user's account will unlock with the Locked switch in a false state.
The user will be forced to change their password on their next login with the Password Update Next Login switch in a true state.
You will need to contact your user to give them the temporary password that you entered in the Password field.
7. Click the Save button in the form app bar.