Enhanced Encryption for Stored Passwords


These release notes describe functionality that may not have been released yet. To see when this functionality is planned to release, please review What's new and planned for Ares. Delivery timelines and projected functionality may change or may not ship.


Features

Encryption for Stored Passwords 

Staff passwords will be stored using the Password-Based Key Derivation Function 2 (PBKDF2) hashing strategy. PBKDF2 runs the derivation for a configurable number of iterations (default value: 156,000) and the resulting hash is what is stored, not the password itself. When a user logs in, the submitted password is hashed the same way and compared with the stored hash to verify that it is correct before permitting access to Ares.

The default value can be changed in the Customization Manager by changing the value of the StaffPasswordHashingIterations key. If you wish to change the default iterations, it is highly recommended to contact support for the number of iterations that works best for the speed of your computer and the hash algorithm. Generally, hash iterations should not be set to less than 100,000.

Default Password Requirement

The default validation rule for passwords now requires at least eight characters with at least one lowercase letter, one uppercase letter, and one number, and is expressed by this regular expression:

^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,}$

The default password requirement can be edited to fit specific institution needs. This is done by simply editing the regular expression that sets the password requirement in the Customization Manager.
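As an added example (not Ares code), the following Python sketches the flow these notes describe: validate a candidate password against the default rule, derive a PBKDF2 hash at the configured iteration count, and verify a login by re-deriving and comparing. The PRF (HMAC-SHA256), the 16-byte salt and the "$"-separated record format are assumptions; the notes do not specify them.

```python
import hashlib
import hmac
import os
import re

# Values taken from the release notes: default iteration count, the
# recommended floor, and the default password validation regular expression.
DEFAULT_ITERATIONS = 156_000
MIN_ITERATIONS = 100_000  # notes advise never going below this
PASSWORD_RULE = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,}$")

# Assumptions not stated on the page: HMAC-SHA256 as the PBKDF2 PRF,
# a 16-byte random salt, and a self-describing "$"-separated record format.
PRF = "sha256"
SALT_BYTES = 16


def password_meets_rule(password: str) -> bool:
    """Apply the default rule: 8+ chars with a digit, a lowercase and an uppercase letter."""
    return PASSWORD_RULE.match(password) is not None


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Derive a PBKDF2 hash and return a record that embeds its own parameters."""
    if iterations < MIN_ITERATIONS:
        raise ValueError(f"iterations must be at least {MIN_ITERATIONS}")
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{PRF}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the parameters stored in the record and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    prf = algo.removeprefix("pbkdf2_")
    candidate = hashlib.pbkdf2_hmac(prf, password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


def needs_rehash(stored: str, current_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the record was derived with fewer iterations than the current setting."""
    return int(stored.split("$")[1]) < current_iterations
```

Because each record carries its own iteration count, raising the StaffPasswordHashingIterations key does not invalidate existing logins; needs_rehash shows how a login path can detect records still at the old cost and re-hash them once the password has been verified.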


Impact

  • All patron users that have an Authentication Method equal to Ares will be required to reset their password upon the first login after the Ares 5.0 update. This does not affect RemoteAuth or LDAP users.
  • All staff will need to change their Ares client password upon login, after the update.
  • A Force Reset checkbox has been added to the Client's change password form generated on the FormUserInfo. When checked, the force reset will prompt the user to reset their password upon attempting to login.
  • A Force Reset checkbox has been added to the Staff Manager's change password form for a selected user. When checked, the force reset will prompt the Staff member to reset their password upon attempting to login. This allows a staff member to force their own password reset.
  • The autocompletion feature has been disabled on all password fields in the default pages. This prevents the fields from storing and pre-populating secure information such as passwords.
  • The WebPasswordHashingIterations and StaffPasswordHashingIterations customization keys have been added to set the number of hash iterations (default value: 156,000 iterations) when storing a password.

