Changing User Passwords in the Client


This article reflects some changes/features that are not yet publicly available. Ares v5.0 is in the final stages of testing. Once an official release date has been announced, this message will be updated with more information.

Users choose or are assigned a default account password when they are registered with the Ares system. Staff can change an Ares user's password in the client by using the Change Password button in the Edit User form.

To change a user's password, you must first locate the user in the system by using the Search Users command. Click on the user to open the Edit User form.

  1. In the Edit User form, click the Change Password button on the Home ribbon to open the Change Password form.
  2. Enter the new password in the New Password and Verify Password fields and click OK.
  3. The new password is saved to the database and the user can now log into the Ares web pages using the new password.

Configuring User Expiration

As of Ares v5.0, several security improvements have been implemented in the web DLL: staff can specify password expiration policies for users, and an out-of-date password hashing algorithm has been replaced with a more modern option. To enable password expiration, the UserPasswordExpirationEnabled key must be set to 'yes'. This feature includes the following new customization keys:

  • UserPasswordExpirationEnabled - Determines whether passwords can be set to expire in the client, forcing the user to reset their password. Default: Yes.
  • UserPasswordExpirationDays - Used to set the number of days before a password expires for a Staff member. Default: 180 days. 
  • WebPasswordHashingIterations - A hashing customization key used to set the number of hash iterations applied when storing a user password. Passwords are stored as hashes, and a higher number of iterations increases security. When a user logs in, the password they enter is hashed and compared with the stored hash to verify that it is correct before access to Ares is permitted. If you wish to change the default iterations, it is highly recommended to contact support for the number of iterations that works best for the speed of your computer and the hash algorithm. Generally, hash iterations should not be set to less than 100,000. Default hash iterations: 156,000.
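
The effect of WebPasswordHashingIterations, as an added example that is not Ares code: the article does not name the hashing algorithm, so PBKDF2-HMAC-SHA256 from Python's standard library stands in for it, and the record format and function names are assumptions. It shows hashing, verification against the stored hash, and timing one hash at a given iteration count on your own hardware.

```python
import hashlib
import hmac
import os
import time

# The two numbers below come from the article; the algorithm is an assumption.
DEFAULT_ITERATIONS = 156_000   # WebPasswordHashingIterations default
MIN_ITERATIONS = 100_000       # floor the article recommends


def hash_password(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Return a storable 'iterations$salt_hex$hash_hex' record (constructed format)."""
    if iterations < MIN_ITERATIONS:
        raise ValueError(f"iterations below recommended minimum of {MIN_ITERATIONS}")
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Re-hash the login attempt with the stored salt and count, then compare."""
    iterations, salt_hex, hash_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def seconds_per_hash(iterations, rounds=3):
    """Best-of-N wall-clock cost of one hash at this iteration count."""
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"constructed-sample", b"\x00" * 16, iterations)
        best = min(best, time.perf_counter() - start)
    return best


if __name__ == "__main__":
    for n in (MIN_ITERATIONS, DEFAULT_ITERATIONS, 300_000):
        print(f"{n:>7} iterations: {seconds_per_hash(n) * 1000:.1f} ms per login")
    record = hash_password("constructed-Passw0rd")  # constructed sample password
    print("correct password accepted:", verify_password("constructed-Passw0rd", record))
    print("wrong password accepted:  ", verify_password("wrong-guess", record))
```

Each login costs the server one full hash at the configured count, so the timing output is the per-login cost to weigh when raising the value.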

How the Password Change Date is Determined

In Ares 5.0, a new field was added to the Users database table named PasswordChangedDate. This field tracks the last time the user updated their password and is used in conjunction with the UserPasswordExpirationDays customization key to determine if a password is expired.

After updating to 5.0, by default, all web users will have a NULL value in the new 'PasswordChangedDate' field. This means all web users (using Ares authentication, not remote authentication) will be required to change their password the first time they log in after the update. When this field is NULL, a successful login attempt will redirect the user to the ChangePassword form to update their password. They will not be able to navigate the Ares pages until the password change is complete. Once their password has been successfully updated, it will be stored using the newer hashing algorithm.

Force Reset

As of Ares 5.0, staff has the ability to force a password reset for web users. A checkbox was added to the change password dialog on the client's user form. If this option is checked, it will set the user's "PasswordChangedDate" field to null and trigger the password reset prompt for the user.

  

Logon to Web for Expired Users

As of Ares v5.0, if a user's password is expired, or if the Force Password Reset box in the Client was checked, Reserves staff are still able to log in to the user's Ares account through the Logon to Web button in the client without triggering a password reset.

 

 

 
