Password Management

ReachFive offers password management features to ensure that, once signed up, a user can manage his or her password. If the user is logged in, they are able to modify their password. If the user isn’t able to log in, they can request a password reset. ReachFive also enables you to define a password policy for your account.

Password policy

ReachFive implements market-standard password strength policies. In order to calculate a password’s strength, we rely on the zxcvbn password strength estimator.

In the ReachFive console (settings section), account administrators can define a password policy and a minimum password length. When a new password is submitted by a user during the sign-up or password modification workflows, ReachFive calculates the strength of the password. It is then accepted as valid input, or rejected as invalid input, depending on the strength calculated and the minimum strength required in your account settings.

A few examples of password strength:

  • The password ft5YU,DSu8gH will be considered excellent by the algorithm
  • The password azertyui will be considered to have a low strength by the algorithm
  • And the password 12345678 will be considered to have no strength at all

Update password when logged in

Via its various SDKs, ReachFive offers password update methods which enable end users to update their own passwords. This is done through the updatePassword method.

In order to update a password, a user needs their oldPassword.

This protects the user from fraudulent password changes by checking that the user has access to the current password when making a change.

When this update is made, the ReachFive backend makes several checks:

  • Password length: if the password length is not appropriate, the backend will return an HTTP 400 and a message “Minimum length is X”.
  • Password strength: if the password strength is not in line with the account settings, the password update won’t work and the backend will return an HTTP 400 with a “Password too weak” message.
  • Password uniqueness: the new password is compared to the oldPassword. If they’re the same, an HTTP 400 is returned, with the message “password should be different from old password”.
  • Old password check: verification that the old password entered is correct.

Reset password (when user is not logged in)

The ReachFive SDKs implement a requestPasswordReset method. This method triggers the dispatch of a password reset email to the user’s email address. To learn how to customise this email, please see our support documentation.

When the method is used, the backend verifies:

  • The format of the email address to which the email will be sent. If the email address is incorrectly formatted, an HTTP 400 is returned with an “invalid form” message.
  • The existence of the account. If the account doesn’t exist, an HTTP 404 error is returned with the message “email not found”.

If the email is correctly formatted and exists:

  • An email is sent to the user. The email contains a reset token and a link. The link redirects the user to the URL chosen in the settings of the ReachFive account’s console.
  • On the page the user is redirected to, a ReachFive SDK must be running and must have the updatePassword command enabled. The reset token contained in the email will be automatically verified by the SDK. If the reset token is not valid, an explicit error will be generated: “invalid verification code”.
  • The user then proceeds to go through the updatePassword workflow, with a slight specificity regarding input parameters. The updatePassword command must use the user’s email address, the new password and the reset token as parameters.