¶ 1. Overview
Password reset is an essential process to ensure the security and continuous access to user accounts on the T6 platform. This procedure allows users to regain access to their accounts in cases of forgotten or compromised passwords. Password reset confirmation is carried out via an e-mail sent to the address previously registered by the user. This e-mail contains a verification link that must be used to complete the reset, ensuring that only the owner of the e-mail address has the capability to change the password. This authentication method is adopted due to its effectiveness in preventing unauthorized access and protecting users personal information.
¶ 2. Features
The password reset system is designed to provide a secure and efficient experience for users who need to regain access to their accounts. The system includes the option to initiate the reset directly from the login interface, where the user can request a confirmation e-mail by entering their username or registered e-mail address. The confirmation e-mail contains clear instructions and a temporary link (valid for 5 minutes) that must be used to create a new password.
¶ 3. Password Reset Configuration and Usage
The use of password reset is essential to maintain the security and accessibility of user accounts. It allows users to recover access to their accounts in case of forgotten passwords or suspected compromise.
We have a level of granularity that makes the password reset configuration applied hierarchically, with the priority being USER → GROUP → SYSTEM.
- The application will first respect the parameters applied at the User level, then at the Group level, and finally at the System level. Therefore, if the password reset is applied through the system parameter, and it is not enabled for the group or user, the reset will not be applied, as group and user settings take priority;
- The same applies in the opposite scenario. If the password reset option is enabled at the user level but not at the group or system level, the user will continue to have the password reset active.
¶ 3.1. E-mail Parameters
To use the Password Reset, we need to ensure that the system's e-mail parameters are configured correctly; otherwise, the user will not be able to receive the reset e-mails.
- We will edit the e-mail settings.
- Open the system menu, and under settings, select the Parameters option;
- A side panel will open, where we will select:
; - Within the e-mail settings, we will add the E-mail sender, which is the address that will send the e-mails;
- If the user uses encryption, we will enable the SMTP SSL (Secure Sockets Layer - Simple Mail Transfer Protocol) option;
- For SMTP Server Port, we recommend using the default port 587, although it can be changed according to the user's needs;
- For SMTP Server Password, we will use the same password that the user uses to log in to their e-mail;
- For SMTP Server, we will use an e-mail server (on T6 we use:
smtp.office365.com), but the client can choose their preferred server; - For SMTP Server User, we will use the e-mail of the user authenticating with the SMTP server, usually the e-mail of the user sending the e-mails, defined through the Access Control menu;
- Upon closing the panel, the changes will be in effect.
¶ 3.2. User Parameters
-
Open the system menu and, under Access Control, select Users;
-
Select the user to whom the parameters will be applied and click on:
, a side panel will open; -
All fields with * are mandatory. Pay close attention to the e-mail field, as this is the address to which the reset link will be sent;
-
There are switch buttons that can be enabled or disabled;
- Expire password each 30 day(s): Enable this to require the user to reset their password every 30 days;
- Force password change next time this user logs in: Enable this to require the user to reset their password on their next login attempt;
- Active user: Disable this option to deactivate a user, preventing them from logging in;
- Multi-Application administrator: Enable this to grant the user multi-application administrator permissions;
- Blocked: Enable this option to prevent the user from logging in. When the user attempts to log in, they will see a message stating incorrect username or password. Clicking Can't access your account? will send an e-mail to the user informing them of the lockout and requesting them to contact the system administrator.
-
Click SAVE to close the panel and proceed.
¶ 3.3. Password History
The Password History Check parameter will verify the user's previously used passwords, preventing a password that has been used before from being reused. Through this parameter, we can define how many previous passwords the system will check.
To configure it, follow these steps:
- Open the system menu and, under settings, select the Parameters option;
- A side panel will open, where we will select:
; - Within the system settings, locate the Password History Check parameter, which will have a default value of 0;
- The value added will reflect the number of previously used passwords by the user. For example, by adding 2, the last two passwords used by the user cannot be reused.
¶ 3.4. Usage
To use the password reset:
- On the login screen of the T6 Enterprise platform, at the footer, click on "Can't access your account?"
- The screen will change and prompt you to enter the registered username or e-mail to send the confirmation link;
- If the username or e-mail entered is valid, the following message will be displayed: "Check your e-mail and follow the instructions", confirming that the entered data was correct and an e-mail has been sent to proceed with the reset;
- Inside the e-mail registered by the user, there will be a link to proceed with the password reset and a message stating that the link is valid for 5 minutes (if the time expires, you will need to repeat the process).
- Clicking the link received by e-mail will return you to the platform's login screen but with fields to enter a new password and confirm the new password.
- If the new password and the confirmation match, the following message will be displayed: "Password successfully changed".
- If there is a discrepancy between the new password and the confirmation, the following message will be displayed: "Passwords must match", requiring you to re-enter the new password and confirmation.
- If you have entered a new password that matches one of your previous passwords, the reset will not be possible, and the following message will be displayed: "You have used this password before, try a new one".
- By correctly entering a new password and its confirmation, you will return to the login screen to enter the username and the newly created password, thus gaining access to the T6 platform.
If the user is Blocked or Inactive, attempting to use the password reset feature will send an e-mail informing the user of their status and requesting them to contact the system administrator!
¶ 4. Encryption
In T6 Enterprise, we previously used the SHA-1 encryption algorithm for generating user passwords. However, due to identified vulnerabilities in SHA-1, we decided to migrate to the SHA-256 algorithm. This update represents a significant improvement in security, as SHA-256 offers much greater resistance to collision and brute-force attacks.
SHA-256 offers various features and improvements compared to SHA-1. While SHA-1 generates a 160 bit hash, SHA-256 generates a 256 bit hash, providing an extra layer of security and significantly complicating attacks. SHA-256 is highly resistant to collision attacks, where two different inputs can produce the same hash, and brute-force attacks, where the original input can be guessed, due to its longer hash. This considerably enhances data security.
Additionally, SHA-256 is considered secure and robust, with no known vulnerabilities to date, ensuring data integrity and confidentiality, in contrast to SHA-1, which is vulnerable to modern attacks that exploit its weaknesses. It is ideal for T6 Enterprise, which requires a high level of security, such as password protection, user authentication, and ensuring the integrity of sensitive data. These features make SHA-256 a crucial upgrade over SHA-1, ensuring superior security and greater resistance against modern threats, reflecting our ongoing commitment to protecting user data.
Whenever a user is created or changes their password, the encryption used will be SHA-256. Even if the user changes the password and reverts to a previously used password, the generated hash will never be the same, altering the code with each change.