Password Management

ReachFive offers password management features to ensure that, once signed up, a user can manage his or her password. If logged in, the users can modify their password. If not, users can request a password reset. ReachFive also enables you to define a password policy for your account.

Password security

ReachFive implements industry-standard password strength policies. To calculate a password’s strength, ReachFive relies on the zxcvbn password strength estimator, which is a more secure implementation than enforcing usual password security recommendations.

zxcvbn provides an estimated number of guesses needed to crack a password:

Password examples                       Strength    Guesses to break
password or P@ssw0rd                    None        < 10^3
Password50 or Football1                 Weak        < 10^6
P@sswod50&% or Football50&%             Medium      < 10^8
P@sswod50&%r5 or Football50&%r5         Strong      < 10^10
P@sswod50prntmps or Football50prntmps   Excellent   >= 10^10

In the ReachFive Console, in Settings > Security > Password Policy > Minimum Strength, select the password strength from Weak to Excellent.

Password policy constraints

While not recommended, you can enforce specific password policy constraints such as a minimum length, use of lowercase, uppercase, or special characters in the ReachFive Console.

[Screenshot: password policy constraints]

With ReachFive widgets, users get live feedback when creating, editing, or resetting their password, based on these constraints.

[Screenshot: showAuth signup custom rules]
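The live feedback described above can be reproduced client-side. The following is an added example, not ReachFive's widget code: it buckets a zxcvbn guess count into the strength levels of the table in the Password security section and checks the optional policy constraints (minimum length, lowercase, uppercase, digit, special characters), reusing the wording of the Errors table so that what the user sees while typing matches what the backend would return. zxcvbn itself is not bundled here; the `guesses` argument is assumed to come from `zxcvbn(password).guesses`, the `policy` object shape is constructed, and the lowercase message wording and the definition of "special" as any non-alphanumeric character are assumptions.

```javascript
// Added example, not ReachFive's own code. `guesses` is assumed to come from
// zxcvbn(password).guesses (the zxcvbn JavaScript library is not bundled
// here); the policy object shape and the lowercase message are constructed.

const STRENGTH_LEVELS = ["None", "Weak", "Medium", "Strong", "Excellent"];

// Bucket a guess count using the thresholds from the strength table:
// < 10^3 None, < 10^6 Weak, < 10^8 Medium, < 10^10 Strong, otherwise Excellent.
function strengthFromGuesses(guesses) {
  if (guesses < 1e3) return "None";
  if (guesses < 1e6) return "Weak";
  if (guesses < 1e8) return "Medium";
  if (guesses < 1e10) return "Strong";
  return "Excellent";
}

// True when `strength` is at least the Console's Minimum Strength setting.
function meetsMinimumStrength(strength, minimum) {
  return STRENGTH_LEVELS.indexOf(strength) >= STRENGTH_LEVELS.indexOf(minimum);
}

function countMatches(password, re) {
  return (password.match(re) || []).length;
}

// Optional constraint checks. Messages reuse the Errors table wording so the
// widget's live feedback matches what the backend would return.
function constraintViolations(password, policy) {
  const violations = [];
  const rules = [
    [policy.minLength, password.length, (n) => `Minimum length is ${n}`],
    [policy.minLowercase, countMatches(password, /[a-z]/g), (n) => `Minimum lowercase characters required is ${n}`],
    [policy.minUppercase, countMatches(password, /[A-Z]/g), (n) => `Minimum uppercase characters required is ${n}`],
    [policy.minDigits, countMatches(password, /[0-9]/g), (n) => `Minimum digit characters required is ${n}`],
    // "special" taken here to mean any non-alphanumeric character (assumption)
    [policy.minSpecial, countMatches(password, /[^A-Za-z0-9]/g), (n) => `Minimum special characters required is ${n}`],
  ];
  for (const [required, actual, message] of rules) {
    if (required && actual < required) violations.push(message(required));
  }
  return violations;
}

// Combined verdict used to drive live feedback while the user types.
function evaluatePassword(password, policy, guesses) {
  const strength = strengthFromGuesses(guesses);
  const violations = constraintViolations(password, policy);
  if (!meetsMinimumStrength(strength, policy.minStrength)) violations.push("Password too weak");
  return { strength, violations, acceptable: violations.length === 0 };
}
```

The strength bucket comes only from the guess estimate, so a password that satisfies every character-class constraint can still be rejected as too weak; that is the behaviour the page describes, and it is why the constraints are presented as optional extras rather than the primary control.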

Update password once logged in

ReachFive's SDKs provide an updatePassword method that enables end users to update their own passwords.

To update a password, a user needs their current password (oldPassword).

This protects the user from fraudulent password changes by checking that the user has access to the current password when making a change.

When this update is made, ReachFive makes several checks:

  • Password length: the password must be long enough.

  • Password strength: the password must comply with the defined strength.

  • Old password check: the current password must be correctly input.

  • Password uniqueness: the new password must be different from the current one.

  • Password constraints: the new password must comply with the defined password constraints.

For the errors returned by these checks, see Errors.

Reset password (when user is not logged in)

ReachFive SDKs implement a requestPasswordReset method. This method triggers the dispatch of a password reset email to the user’s email address. To learn how to customise this email, please see our support documentation.

When the method is used, the backend verifies:

  • The format of the email to which the email will be sent.

  • The existence of the account.

If the email is incorrectly formatted, an HTTP 400 error is returned with an "invalid form" message. If the account doesn’t exist, an HTTP 404 error is returned with the message "email not found".

If the email is correctly formatted and exists, an email is sent to the user.

The email contains a reset token and a link. The link redirects the user to the URL set in the ReachFive Console account settings.

On the page the user is redirected to, a ReachFive SDK must be running and must have the updatePassword command enabled.

The reset token contained in the email will be automatically verified by the SDK.

If the reset token is not valid, an explicit error will be generated: "invalid verification code".

The user then goes through the updatePassword workflow, with one difference in the input parameters.

The updatePassword command must use the user’s email address, the new password and the reset token as parameters.

Errors

Error           HTTP status code   Error message                                            Error description
invalid_grant   400                Minimum length is X                                      The password is shorter than the minimum length.
invalid_grant   400                Minimum special characters required is 1                 The password does not contain a special character.
invalid_grant   400                Minimum uppercase characters required is 1               The password does not contain an uppercase character.
invalid_grant   400                Minimum digit characters required is 1                   The password does not contain a digit.
invalid_grant   400                Password too weak                                        The password is too weak, as determined by zxcvbn.
invalid_grant   400                New password should be different from the old password   The new password cannot be the same as the current one.
invalid_grant   401                Invalid old password                                     The current password entered is not correct.