Users choose or are assigned a default account password when they are registered with the Ares system. Staff can change an Ares user's password in the client by using the Change Password button in the Edit User form.
To change a user's password, you must first locate the user in the system by using the Search Users command. Click on the user to open the Edit User form.
- In the Edit User form, click the Change Password button on the Home ribbon to open the Change Password form.
- Enter the new password in the New Password and Verify Password fields and click OK.
- The new password is saved to the database and the user can now log in to the Ares web pages using the new password.
Configuring User Expiration
As of Ares v5.0, several security improvements have been implemented in the web DLL: staff can specify password expiration policies for users, and an out-of-date password algorithm has been updated to a more modern option. To enable password expiration, the UserPasswordExpirationEnabled key must be set to 'yes'. This feature includes the following new customization keys:
- UserPasswordExpirationEnabled - Determines if passwords can be set to expire in the client, forcing the user to reset their password. Default: Yes.
- UserPasswordExpirationDays - Used to set the number of days before a password expires. Default: 180 days.
- WebPasswordHashingIterations - A hashing customization key used to set the number of hash iterations when storing a user password. Passwords are stored as hashes produced by running the hash algorithm for this number of iterations, for increased security. When a user logs in, the password entered is hashed and compared with the stored hash to verify that it is correct before access to Ares is permitted. If you wish to change the default iterations, it is highly recommended to contact support for the number of iterations that works best for the speed of your computer and the hash algorithm. Generally, hash iterations should not be set to less than 100,000. Default hash iterations: 156,000.
How the Password Change Date is Determined
In Ares 5.0, a new field was added to the Users database table named PasswordChangedDate. This field tracks the last time the user updated their password and is used in conjunction with the UserPasswordExpirationDays customization key to determine if a password is expired.
After updating to 5.0, by default, all web users will have a NULL value in the new 'PasswordChangedDate' field. This means all web users (using Ares authentication, not remote authentication) will be required to change their password the first time they log in after the update. When this field is NULL, a successful login attempt will redirect the user to the ChangePassword form to update their password. They will not be able to navigate the Ares pages until the password change is complete. Once their password has been successfully updated, it will be stored using the newer hashing algorithm.
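The rules above can be used to predict which accounts will be sent to the ChangePassword form at their next web login, for example when planning the 5.0 update. The following is an added example, not Ares code: the row layout, the `Username`, `remote_auth` and `force_reset` names, the function names, and the "age of at least UserPasswordExpirationDays means expired" boundary are assumptions, and the sample rows are constructed.

```python
from datetime import datetime, timedelta

def login_outcome(user, now, expiration_enabled=True, expiration_days=180,
                  staff_logon_to_web=False):
    """Return 'ok' or 'change_password' for a successful login."""
    # Staff using Logon to Web in the client do not trigger a reset.
    if staff_logon_to_web:
        return "ok"
    # Assumption: remotely authenticated users have no Ares password to expire.
    if user.get("remote_auth"):
        return "ok"
    # Force Password Reset box checked in the client.
    if user.get("force_reset"):
        return "change_password"
    changed = user.get("PasswordChangedDate")
    # NULL after the 5.0 update: first login is redirected to ChangePassword.
    if changed is None:
        return "change_password"
    # Assumption: expired once the password age reaches UserPasswordExpirationDays.
    if expiration_enabled and now - changed >= timedelta(days=expiration_days):
        return "change_password"
    return "ok"

def audit(users, now, **policy):
    """Map each username to the outcome of its next web login."""
    return {u["Username"]: login_outcome(u, now, **policy) for u in users}

# Constructed sample rows, not real Ares data.
NOW = datetime(2024, 6, 1)
SAMPLE_USERS = [
    {"Username": "migrated", "PasswordChangedDate": None},
    {"Username": "recent", "PasswordChangedDate": datetime(2024, 5, 1)},
    {"Username": "stale", "PasswordChangedDate": datetime(2023, 11, 1)},
    {"Username": "sso", "PasswordChangedDate": None, "remote_auth": True},
    {"Username": "flagged", "PasswordChangedDate": datetime(2024, 5, 20),
     "force_reset": True},
]

if __name__ == "__main__":
    for name, outcome in audit(SAMPLE_USERS, NOW).items():
        print(f"{name:10s} {outcome}")
```
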
Force Reset
Logon to Web for Expired Users
As of Ares v5.0, if a user's password is expired, or if the Force Password Reset box in the Client was checked, Reserves staff are still able to log in to the user's Ares account through the Logon to Web button in the client without triggering a password reset.