Password

The Password field is used to store a User's password. It can be used to build customized password entry interfaces for your Users. When a User enters a password, it is one-way encrypted (hashed), so the plain text of the password they entered can never be retrieved. For example, if a user entered “MyDogsNameIsFido” as their password, what is stored is likely closer to dkw9t8fdsaASFe434198fdsaasds8r.

Note: Once a User has updated their password using this field, it needs to be copied to the Password Field on their User Record so it can be used when they log in. The password stored in the “Password” Field, e53, on the User Record is the password that will be used when they log in.

How to Create

  1. Click the to add a field in your form.
  2. Choose “New Field”.
  3. Select the table you wish to add the field to. Most of the time, this will be the current table you are on, called the current context.
  4. Select a field name and click “Choose Type”.
  5. Choose “Password” from the list of field types.
  6. You can continue adding fields or click the “Select” button to finish adding.

Features

Field features can be edited by clicking on the orange field icon when the presentation layer is displayed.

Field Label

Grid Appearance

Sizing

Tooltip

Block Association

Validation

View Only

Acceptable inputs

The password field's acceptable inputs can be modified by the settings under Validation, allowing for customized password strengths.

Filters

The password field cannot be filtered, because the password the User entered is one-way encrypted and can't be retrieved.

Password Security

Password security is an important issue for any application that stores passwords. WorkXpress is committed to making sure that software developers have the proper tools to build secure password systems. Part of that commitment means that we store passwords using enterprise-level security. When a password is stored in WorkXpress, the value is hashed so that the password provided cannot be directly derived from the stored value. For the end user, this means that they cannot be given their password if they forget it; they can only change it. Their password cannot be retrieved by anyone, not even WorkXpress staff.

When a password is stored in WorkXpress, we use a cryptographically strong random string as a salt to guarantee that each hash is unique. This means that if two users use the same password, or if a user “changes” their password to the same password they already had, the value stored in the database is different. This is important because if a list of passwords from a WorkXpress application does get compromised, the attacker must crack each password individually, which limits the amount of data they can compromise. The hashing method used by WorkXpress is PBKDF2 with the SHA256 hash. With this method, it takes approximately 1 second to verify an entered value against a stored password. One second is slow enough to make a brute-force attack against a password infeasible without compromising end-user usability.

For more information regarding password security, please check out this article provided by OWASP.

Value Comparison

Because the Password storage mechanism creates a unique hash of each password, comparing two stored values that come from the database will not work. It is possible to compare a value entered in the interface to a value stored in the database, or a value from the interface to another value from the interface, because the values from the interface have not yet been hashed.

This allows the software developer to build validations that compare the password entered on the screen to a second password field on the screen, implementing a Password and Confirm Password system. It is also possible to check the value on the screen against a value stored in the database. The application developer can use this to recreate password authentication outside of the login screen when an operation requires the user to re-enter a password, or to make sure that the password the user is changing to is different from the current one.

Below is an example of two comparison operations. The first compares the interface values from the “Login Information” Form of the Application and Confirm Application Password Fields and the second compares the interface value of the Application Password Field to the value stored in the database for the User's Password field.
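Separately from the WorkXpress comparison operations, the following added Python sketch (not WorkXpress code) shows why salted PBKDF2-SHA256 behaves as described in Password Security and Value Comparison: two stored values for the same password differ, while an entered value can still be verified against a stored one. The record format, iteration count, salt length and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor; WorkXpress's actual setting is not given on this page
SALT_BYTES = 16       # assumed salt length


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a stored record 'iterations$salt_hex$hash_hex' using a fresh random salt."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(entered: str, stored: str) -> bool:
    """Interface-vs-stored: re-derive the hash with the stored salt, then compare."""
    try:
        iter_text, salt_hex, hash_hex = stored.split("$")
        iterations = int(iter_text)
        if iterations < 1:
            raise ValueError("invalid iteration count")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: fail closed
    candidate = hashlib.pbkdf2_hmac("sha256", entered.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)  # constant-time comparison


def stored_values_match(stored_a: str, stored_b: str) -> bool:
    """Stored-vs-stored: differs even when both records hold the same password."""
    return hmac.compare_digest(stored_a, stored_b)


if __name__ == "__main__":
    # Constructed sample input: the same password hashed twice gets two different salts.
    first = hash_password("MyDogsNameIsFido")
    second = hash_password("MyDogsNameIsFido")
    print("stored vs stored :", stored_values_match(first, second))
    print("entered vs first :", verify_password("MyDogsNameIsFido", first))
    print("entered vs second:", verify_password("MyDogsNameIsFido", second))
    print("wrong password   :", verify_password("MyCatsNameIsTom", first))
```

Storing the iteration count inside each record lets the work factor be raised later without invalidating existing passwords.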

field type - password.txt · Last modified: 2016/09/14 18:19 (external edit)