Password Management

ReachFive offers password management features so that, once signed up, a user can easily manage their password. Logged-in users can modify their password; users who are not logged in can request a password reset. ReachFive also enables you to define a password policy for your account.

Password security

ReachFive implements industry-standard password strength policies. To calculate a password’s strength, ReachFive relies on the zxcvbn password strength estimator, which gives a better measure of real-world resistance to guessing than enforcing the usual composition rules alone.

zxcvbn provides an estimated number of guesses needed to crack passwords:

Example passwords                     | Strength  | Guesses to break
--------------------------------------|-----------|-----------------
password or P@ssw0rd                  | None      | < 10^3
Password50 or Football1               | Weak      | < 10^6
P@sswod50&% or Football50&%           | Medium    | < 10^8
P@sswod50&%r5 or Football50&%r5       | Strong    | < 10^10
P@sswod50prntmps or Football50prntmps | Excellent | >= 10^10

Configure password policy

You can enforce specific password policy constraints via the ReachFive Console. This includes minimum length, case requirements, supporting special characters, and more.

To configure your password policy via the ReachFive Console:

  1. Go to Settings > Security > Password policy.

  2. Select your Minimum strength from the dropdown menu and any special requirements.

  3. Select your Minimum length and any special requirements.

    Special requirements:

    • Support Special characters and spaces

    • Digit characters

    • Uppercase characters

    • Lowercase characters

  4. Click Reset long lived token when resetting password if so desired.

    If you enable this option, when a user resets their password, all of that user’s active sessions and tokens are revoked.

  5. Click Allow password update with a fresh access_token if so desired.

    If this option is disabled, users cannot update their password with only a fresh access_token (one issued less than 5 minutes ago). Instead, their old password or a verification code is required. You will encounter the following error if they try to update their password with only a fresh access_token:

    {
      "error_id": "nLHI8xFLBV",
      "error_description": "Invalid request",
      "error": "invalid_request"
    }

  6. Don’t forget to Save your input.

Update password once logged in

Via its SDKs, ReachFive offers a password update method, updatePassword, which enables end users to update their own passwords.

To update a password, a user needs their current password (oldPassword).

This protects the user from fraudulent password changes by checking that the user has access to the current password when making a change.

When this update is made, ReachFive makes several checks:

Check                | Description
---------------------|--------------------------------------------------------------
Password length      | The password must be long enough.
Password strength    | The password must comply with the defined strength.
Old password check   | The current password must be correctly input.
Password uniqueness  | The new password must be different from the current one.
Password constraints | The new password must comply with the defined password constraints.

For more information see Errors.
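The following is an added example, not ReachFive’s own code, showing how the policy options above and the update-time checks combine. It maps a zxcvbn-style guess count to the strength levels from the table, then runs the checks in the order listed and returns the documented error messages; the policy object shape, the `estimateGuesses` and `checkOldPassword` stand-ins, and the lowercase error message are assumptions.

```javascript
// Strength levels from the zxcvbn table above, indexed by increasing strength.
const STRENGTH_LEVELS = ["None", "Weak", "Medium", "Strong", "Excellent"];

// Map an estimated number of guesses to an index into STRENGTH_LEVELS,
// using the thresholds given in the table above.
function strengthFromGuesses(guesses) {
  if (guesses < 1e3) return 0;  // None
  if (guesses < 1e6) return 1;  // Weak
  if (guesses < 1e8) return 2;  // Medium
  if (guesses < 1e10) return 3; // Strong
  return 4;                     // Excellent
}

// Policy shape is an assumption modelled on the Console options described above.
const examplePolicy = {
  minLength: 8,
  minStrength: 2,          // index into STRENGTH_LEVELS: "Medium"
  requireSpecial: true,    // special characters and spaces
  requireDigit: true,
  requireUppercase: true,
  requireLowercase: true,
};

// Runs the checks in the order the page lists them and returns the first failure
// as { status, error, error_description }, or null when the update is acceptable.
// estimateGuesses(password) stands in for zxcvbn(password).guesses (assumption);
// checkOldPassword(password) stands in for the backend's credential check (assumption).
function validatePasswordUpdate({ newPassword, oldPassword, policy, estimateGuesses, checkOldPassword }) {
  const fail = (status, msg) => ({ status, error: "invalid_grant", error_description: msg });

  // Password length
  if (newPassword.length < policy.minLength) return fail(400, `Minimum length is ${policy.minLength}`);
  // Password strength
  if (strengthFromGuesses(estimateGuesses(newPassword)) < policy.minStrength) return fail(400, "Password too weak");
  // Old password check (HTTP 401, unlike the policy failures)
  if (!checkOldPassword(oldPassword)) return fail(401, "Invalid old password");
  // Password uniqueness
  if (newPassword === oldPassword) return fail(400, "New password should be different from the old password");
  // Password constraints (the lowercase message is assumed by analogy; it is not in the Errors table)
  if (policy.requireSpecial && !/[^A-Za-z0-9]/.test(newPassword)) return fail(400, "Minimum special characters required is 1");
  if (policy.requireDigit && !/[0-9]/.test(newPassword)) return fail(400, "Minimum digit characters required is 1");
  if (policy.requireUppercase && !/[A-Z]/.test(newPassword)) return fail(400, "Minimum uppercase characters required is 1");
  if (policy.requireLowercase && !/[a-z]/.test(newPassword)) return fail(400, "Minimum lowercase characters required is 1");
  return null;
}
```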

Reset password (when user is not logged in)

ReachFive SDKs implement a requestPasswordReset method. This method triggers the dispatch of a password reset email to the user’s email address.

To learn how to customise this email, please see Email templates.

Password reset flow
  1. When the method is used, the backend verifies:

    • The format of the email address to which the reset email will be sent.

    • The existence of the account.

    Depending on the outcome:

    • If the email address is incorrectly formatted, an HTTP 400 error is returned with an "invalid form" message.

    • If the account doesn’t exist, an HTTP 404 error is returned with the message "email not found".

    • If the email address is correctly formatted and the account exists, an email is sent to the user.

  2. The email contains a reset token and a link. The link redirects the user to the URL set in the ReachFive Console account settings.

    On the page the user is redirected to, a ReachFive SDK must be running and must have the updatePassword command enabled.

  3. The reset token contained in the email will be automatically verified by the SDK.

    If the reset token is invalid, an explicit error is generated like so: "invalid verification code".

  4. The user then proceeds to go through the updatePassword workflow, with certain input parameters.

    The updatePassword command must use the user’s email address, the new password and the reset token as parameters.

Errors

Error         | HTTP status code | Error message                                           | Error description
--------------|------------------|---------------------------------------------------------|------------------------------------------------------------
invalid_grant | 400              | Minimum length is X                                     | The password’s length does not match the minimum length.
invalid_grant | 400              | Minimum special characters required is 1                | The password does not contain a special character.
invalid_grant | 400              | Minimum uppercase characters required is 1              | The password does not contain an uppercase character.
invalid_grant | 400              | Minimum digit characters required is 1                  | The password does not contain a digit.
invalid_grant | 400              | Password too weak                                       | The password is too weak, as determined by zxcvbn.
invalid_grant | 400              | New password should be different from the old password  | The new password cannot be the same as the current one.
invalid_grant | 401              | Invalid old password                                    | The password is not correct.