Password Management
Last updated 27/05/2024
How Passwords are Stored in Five
Passwords in Five and in your application are stored as a one-way hash. Hashing protects a password by turning it into a different and seemingly random string of characters. When you add a password for your online account, it is run through a mathematical algorithm and the result is stored in the database. When you log in, the password you enter is run through the same algorithm, and the result is checked against the hashed password in the database. If the two match, you have entered the correct password and you will be signed in. A one-way hashed password cannot be restored; if users of your Five account or your end-user application forget their password, they will need to reset it.
Reset Passwords
Let Users Reset Passwords
A user of your Five account or your end-user application has two ways to reset their password. If they have forgotten their password and cannot log into their account, they can reset it by clicking the Forgot Password button on the Sign In window. Alternatively, they can change their password while logged into Five or your end-user application. The steps apply both to your Five account and to your end-user application.
Forgot Password
In the event a user forgets their password, they can click the Forgot Password button on the Sign In window and they will receive an email with directions on how to reset their password.
1. Click the Forgot Password button.
2. Enter the username and click the Reset Password button.
3. Click the Set Your Password button in the Reset Your Password email.
4. Enter and confirm the new password and click the Reset button.
5. Enter the username and new password and click the Sign In button.
User to Reset Password
A user of your Five account or your end-user application can change their password themselves using the Profile button while logged in.
1. Click the Profile button.
2. Click the Change Password button.
3. Type your current password in the Current Password field.
4. Enter a new password and confirm it in the New Password and Confirm Password fields.
5. Click the Update Password button.
Password Strength
Strength in Five
For a user of your Five account, the password must meet the following criteria:
- 8 to 32 characters
- Have at least one symbol
- Have at least one number
If the password does not meet these criteria, the Password field will be displayed in red and you will not be able to save the password.
Strength in Your End-user Application
You can set the password strength that the users of your end-user application must meet. You do this on the User Settings page on the Applications record. You have five levels to choose from:
- Poor
- Weak
- Average
- Strong
- Very Strong
The Users form supplied by Five has our display type of _Password attached to the Password field. At a minimum, this makes a user of your end-user application meet the criteria that are required to log into your Five account. Five also determines a password's guessability through internal algorithms, and you can optionally enforce another layer of strength on the passwords chosen by your users by selecting a password strength level.
For example:
A password of Abcdef123! satisfies the initial requirements. If you choose Poor, this kind of password would be acceptable; however, if you choose Very Strong, it will be unacceptable.
For the password to be accepted in this case, it would need to change to something such as: A1bc2d3!@#abc
Using a combination of the above, you can find the right balance between user experience and security for your customer base.
Locked Accounts
Once a user of your Five account has made three failed login attempts, their account will be locked. The Password Fails field on the Users form displays how many failed attempts a user has had.
By default, the number of failed login attempts in your end-user application is set to 3; however, you can change this on the User Settings page on the Applications form.
Unlock a User's Account
1. Edit the Users record and click the Locked switch.
2. Click the Save button in the form app bar.
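The hash-and-compare sign-in described under How Passwords are Stored in Five, together with the three-attempt lockout and the unlock step above, as an added Python example that is not Five's own code. The page does not state which algorithm Five uses, so the PBKDF2 hash, its iteration count, the User record, and the counter behaviour on success and on unlock are all assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed, not Five's setting)
MAX_FAILS = 3         # default lockout threshold stated on this page


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, deliberately slow hash; the salt makes equal passwords hash differently."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


@dataclass
class User:
    # Hypothetical record: only the salt and the hash are stored, never the password.
    salt: bytes
    pw_hash: bytes
    password_fails: int = 0
    locked: bool = False


def create_user(password: str) -> User:
    salt = os.urandom(16)  # fresh random salt per user
    return User(salt, hash_password(password, salt))


def sign_in(user: User, attempt: str) -> bool:
    if user.locked:
        return False  # a locked account is refused even with the right password
    candidate = hash_password(attempt, user.salt)
    if hmac.compare_digest(candidate, user.pw_hash):  # constant-time comparison
        user.password_fails = 0  # assumption: a successful sign-in clears the counter
        return True
    user.password_fails += 1
    if user.password_fails >= MAX_FAILS:
        user.locked = True
    return False


def unlock(user: User) -> None:
    # Assumption: an administrator unlock also clears the failure count.
    user.locked = False
    user.password_fails = 0
```

Because only the salt and hash are kept, there is nothing to "recover" for a user who forgets their password, which is why the reset flows above issue a new one.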
Enforce a User to Change Their Password
You can force a user to change their password on their next login by turning the Password Update Next Login switch on. If you do this for a user who has forgotten their password, you will need to provide them with a temporary password, and this value must be saved in the Password field. The next time the user logs in to their Five account, they will be forced to change their password using the Update Password window. This works exactly the same way in your end-user application.