Password Information

This page gives a breakdown of how Aurora stores and handles passwords.

Storing

When someone registers as a member or as an Aurora admin, they choose a password. This is stored in the Aurora database in one-way encrypted form, which means it can never be read back, not even by us. Every time someone logs in, the password they enter is put through the same one-way process and the result is compared against the stored value to confirm a match.

Restrictions

Passwords must be a minimum of 8 characters long.  

Aurora allows restrictions to be added to passwords, which include:

  • Must contain an uppercase character
  • Must contain a number
  • Must contain a special character, e.g. $

These restrictions are enforced for all Aurora admins and also when a password is changed through the Members area. They are not enforced when a new user registers during the checkout process, as we do not want to add unnecessary friction there.
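As an added illustration (not Aurora's own code), the following Python validator applies the rules above: the 8-character minimum in every context, and the three optional restrictions only for admins and Members-area password changes, not at checkout registration. The context names and the restriction toggles are this example's own assumptions, not Aurora configuration keys.

```python
# Added example: a validator for the password rules described on this page.
# Context names and restriction toggles are assumptions for illustration,
# not Aurora's configuration keys.

MIN_LENGTH = 8  # applies in every context

# The three optional restrictions an admin can enable. Each maps to a
# predicate over a single character: the rule passes if any character
# of the password satisfies it.
CHECKS = {
    "uppercase": (lambda c: c.isupper(), "must contain an uppercase character"),
    "number": (lambda c: c.isdigit(), "must contain a number"),
    "special": (lambda c: not c.isalnum() and not c.isspace(),
                "must contain a special character, e.g. $"),
}

DEFAULT_RESTRICTIONS = {"uppercase": True, "number": True, "special": True}

RESTRICTED_CONTEXTS = {"admin", "members_area"}  # restrictions enforced
UNRESTRICTED_CONTEXTS = {"checkout"}             # only the length minimum


def validate_password(password, context, restrictions=None):
    """Return the list of rules the password breaks; an empty list means OK.

    `context` is the screen the password is being set on. The minimum
    length is enforced everywhere; the optional restrictions are skipped
    at checkout registration, as the page describes.
    """
    if context not in RESTRICTED_CONTEXTS | UNRESTRICTED_CONTEXTS:
        raise ValueError(f"unknown context: {context!r}")
    restrictions = DEFAULT_RESTRICTIONS if restrictions is None else restrictions

    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"must be at least {MIN_LENGTH} characters long")
    if context in UNRESTRICTED_CONTEXTS:
        return failures

    for name, enabled in restrictions.items():
        if not enabled:
            continue
        predicate, message = CHECKS[name]
        if not any(predicate(c) for c in password):
            failures.append(message)
    return failures


if __name__ == "__main__":
    samples = [("Tr0ub4dor$", "admin"), ("longpassword", "members_area"),
               ("longpassword", "checkout"), ("short", "checkout")]
    for pw, ctx in samples:
        print(f"{pw!r} at {ctx}: {validate_password(pw, ctx) or 'OK'}")
```

Returning every broken rule at once, rather than the first, lets the form tell the user exactly what to fix; the same function is called from all three screens so the checkout exemption lives in one place.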


If someone enters an incorrect password 5 times, the account is locked and the user can no longer log in. They will need to reset their password, or have an Aurora admin reset it for them, before they can log in again.
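To make the lockout rule concrete, here is an added Python example (not Aurora's code) of a failed-attempt counter: the fifth consecutive wrong password locks the account, a locked account rejects even the correct password, and a reset (by the user or by an admin) clears the lock. The account structure and the hash function are assumptions for illustration; the page does not name Aurora's one-way function.

```python
# Added example: failed-login counter with lockout after 5 attempts.
# The account structure and the hash function are illustrative assumptions,
# not Aurora's implementation.
from dataclasses import dataclass
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 5  # from the page: five wrong passwords lock the account


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256 stands in for the one-way function Aurora
    # uses (assumption; iteration count kept modest for the example).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def create_account(username: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt))


def attempt_login(account: Account, password: str) -> bool:
    """Return True only for a correct password on an unlocked account.

    A wrong password increments the counter; the fifth consecutive failure
    sets `locked`. A locked account rejects every attempt, including the
    correct password, until the password is reset.
    """
    if account.locked:
        return False
    candidate = hash_password(password, account.salt)
    if hmac.compare_digest(candidate, account.password_hash):
        account.failed_attempts = 0  # a success clears the counter
        return True
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked = True
    return False


def reset_password(account: Account, new_password: str) -> None:
    """Self-service reset or admin reset: stores a new hash and clears the lock."""
    account.salt = os.urandom(16)
    account.password_hash = hash_password(new_password, account.salt)
    account.failed_attempts = 0
    account.locked = False


if __name__ == "__main__":
    acct = create_account("alice", "Correct-Horse9")  # constructed sample account
    for _ in range(MAX_FAILED_ATTEMPTS):
        attempt_login(acct, "wrong guess")
    print("locked after five failures:", acct.locked)
    print("correct password while locked:", attempt_login(acct, "Correct-Horse9"))
    reset_password(acct, "New-Passw0rd")
    print("login after reset:", attempt_login(acct, "New-Passw0rd"))
```

Note that a locked account and a wrong password both return the same `False`, so the login form gives the same response either way; the lock state is only visible to the account owner through the reset flow or to an admin.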

Reuse

The reuse of Admin level passwords is configurable.

To configure the password reuse level, use the setting in Store > Settings > Security > Password Requirements > Admin Users.

Reuse can be set from 0 to 10, where 0 disables reuse checking. The default is 4. The current password counts towards the reuse window, so for example:

Reuse amount of 4 (default):

  • Current password
  • Previous password
  • Previous + 1 password
  • Previous + 2 password

Reuse amount of 2:

  • Current password
  • Previous Password

Reuse amount of 1:

  • Current password

Reuse amount of 0 (disabled):

  • No password reuse checking including current


Changing reuse limit

Changing the number of reusable passwords will not come into effect until a user next changes their password.

e.g. Changing the number of reusable passwords from 4 to 2 means that the next time a user changes their password, the previous 4 passwords are still checked. Once that new password has been saved, only 2 are checked for future changes.

Expiry

Admin passwords may be set to expire after a certain number of days.

Once enabled, an admin user is redirected to the change-password screen if their password is older than the configured number of days.

To enable password expiry and set the number of days until expiry, use the settings in Store > Settings > Security > Password Requirements > Admin Users.

Passwords can be set to expire between 1 and 365 days.

Password expiry is not enabled by default.
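Bringing the Reuse and Expiry sections together, the following added Python example (not Aurora's code) keeps an admin user's password history newest-first and implements the behaviours described above: a reuse window that counts the current password and is disabled at 0, a configured reuse limit that only takes effect after the user's next password change, and an expiry check against the date of the last change. The data model, the hash function and the use of `None` for "expiry not enabled" are assumptions for illustration.

```python
# Added example: password history with reuse checking and expiry.
# The data model, hash function and the None-means-disabled convention are
# illustrative assumptions, not Aurora's implementation.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import hashlib
import hmac
import os

MAX_REUSE = 10        # reuse amount is configurable from 0 to 10
DEFAULT_REUSE = 4     # default reuse amount
MAX_EXPIRY_DAYS = 365 # expiry is configurable from 1 to 365 days


class PasswordReused(ValueError):
    """Raised when a candidate password falls inside the reuse window."""


@dataclass
class StoredPassword:
    salt: bytes
    digest: bytes
    changed_at: datetime


@dataclass
class AdminUser:
    history: list = field(default_factory=list)  # newest first; [0] is current
    reuse_in_effect: int = DEFAULT_REUSE         # limit captured at the last change


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256 stands in for Aurora's one-way function (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def _matches(password: str, stored: StoredPassword) -> bool:
    return hmac.compare_digest(hash_password(password, stored.salt), stored.digest)


def _now(now):
    return now if now is not None else datetime.now(timezone.utc)


def is_reused(user: AdminUser, candidate: str, reuse_amount: int) -> bool:
    """True if `candidate` appears in the reuse window.

    The window is the current password plus the (reuse_amount - 1) passwords
    before it. 0 disables the check entirely, so even the current password
    is then allowed.
    """
    if not 0 <= reuse_amount <= MAX_REUSE:
        raise ValueError(f"reuse amount must be 0..{MAX_REUSE}")
    if reuse_amount == 0:
        return False
    return any(_matches(candidate, s) for s in user.history[:reuse_amount])


def _store(user: AdminUser, password: str, when: datetime) -> None:
    salt = os.urandom(16)
    user.history.insert(0, StoredPassword(salt, hash_password(password, salt), when))
    del user.history[MAX_REUSE:]  # keep only what the largest window can need


def create_admin(password: str, configured_reuse: int = DEFAULT_REUSE, now=None) -> AdminUser:
    user = AdminUser(reuse_in_effect=configured_reuse)
    _store(user, password, _now(now))
    return user


def change_password(user: AdminUser, candidate: str, configured_reuse: int, now=None) -> None:
    """Check against the limit captured at the user's previous change, then
    save and pick up the currently configured limit for future changes."""
    if is_reused(user, candidate, user.reuse_in_effect):
        raise PasswordReused("password was used recently")
    _store(user, candidate, _now(now))
    user.reuse_in_effect = configured_reuse


def password_expired(user: AdminUser, expiry_days, now=None) -> bool:
    """True if the current password is older than `expiry_days` (1..365).

    `expiry_days` of None means expiry is not enabled, which is the default.
    """
    if expiry_days is None:
        return False
    if not 1 <= expiry_days <= MAX_EXPIRY_DAYS:
        raise ValueError(f"expiry must be 1..{MAX_EXPIRY_DAYS} days")
    age = _now(now) - user.history[0].changed_at
    return age > timedelta(days=expiry_days)


if __name__ == "__main__":
    # Constructed scenario: limit lowered from 4 to 2 between changes.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    day = timedelta(days=1)
    u = create_admin("Pass-One1", 4, now=t0)
    change_password(u, "Pass-Two2", 4, now=t0 + day)
    change_password(u, "Pass-Three3", 4, now=t0 + 2 * day)
    print("Pass-One1 reused under limit 4:", is_reused(u, "Pass-One1", 4))
    change_password(u, "Pass-Four4", 2, now=t0 + 3 * day)  # still checked with 4
    print("limit now in effect:", u.reuse_in_effect)
    print("expired after 35 days with 30-day expiry:",
          password_expired(u, 30, now=t0 + 35 * day))
```

Storing the limit that was in force at the user's last change (`reuse_in_effect`) is what reproduces the "takes effect on the next change" rule from the note above; reading the configured value at check time would apply the new limit immediately instead.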

Forgot Password

When you request a forgotten password, Aurora sends a unique URL to the email address of the users