Password Rules

We would like a way to implement/enforce password rules so, for example, users would need to include a capital letter, a number and a symbol in their password in order for it to be accepted.

This would enhance the (perceived) security of the data contained in our app.


This feature, being able to require longer and more complex passwords, is now available for customers on Pro, Corporate and Plus plans!

Details can be found in our "Live App Security Settings: Passwords" article. Functionality includes options to require:

  • Minimum 8 characters
  • No common passwords
  • 1 number
  • 1 special character
  • 1 uppercase letter
  • 1 lowercase letter

Other options include setting a password to expire every 60 days and not allowing the last 3 passwords to be re-used.


Consider using Knack's built-in validation rules (applied to fields). You're able to configure the rules to ensure the password contains a number (can be configured to check for a symbol as well). Also, you may configure the minimum or maximum length of the password.

I think your development environment is really great! I really like the built in authentication capability.

However, Knack fails the street readiness test because of a single issue. A 1 character password can be entered and the system accepts it! This is not serious security for any real business application. So here is my proposed specification for a password control form that the application administrator would complete when setting up the app. This is something that all applications need, and I would encourage it be addressed at the earliest opportunity.

Password Complexity Functional Requirements:

There should be a positive integer field that allows the application admin to specify the minimum number of characters allowed for a password candidate to be accepted by the system. The default value for this is 6.

There should be a checkbox that indicates that a minimum of 1 lowercase character is required in the password for a password candidate to be accepted by the system. This checkbox is checked by default.

There should be a checkbox that indicates that a minimum of 1 uppercase character is required in the password for a password candidate to be accepted by the system. This checkbox is not checked by default.

There should be a checkbox that indicates that a minimum of 1 numeric character is required in the password for a password candidate to be accepted by the system. This checkbox is not checked by default.

There should be a checkbox that indicates that a minimum of 1 special character is required in the password for a password candidate to be accepted by the system. This checkbox is not checked by default.

Any password characters that do not have a visible representation on the screen should cause the password to be rejected by the system. For example, space and tab and control characters would not be acceptable.

All passwords that are rejected by the system should cause a specific, meaningful error message to be displayed to the user. For example, the error message should allow the user to determine that the password was rejected because it has less than the minimum number of required characters. The error message would also report what the minimum number of characters is.

Incorrect Password Attempts - Account Lockout Functional Requirements

There should also be a positive integer field greater than zero that allows the application admin to specify the minimum number of characters allowed for a password candidate to be accepted by the system. The default value for this is 5. The user account should be locked out any time the number of incorrect password attempts in the past hour exceeds the value of this field.

Self-service Account Reset Functional Requirements

The system should also support a link that would allow the user to request an account reset. Activating this link would send an email to the user with instructions on re-enabling the account and on resetting the password.

The email would contain a link that would allow the account to be reset.

The email would contain a link that would send the user to a form that would allow them to reset their password.

Resetting the account would allow the system to ignore all previous incorrect password attempts.

The system should also support a form to allow the application administrator to reset any disabled accounts.

Any auto generated password should conform to the requirements specified by this form.

End of Functional Requirements

I think this requirements spec is fairly complete. It should not take too long to implement this. And every app would benefit. Thanks for your attention to this.
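The complexity form and hourly lockout rule proposed in the post above, as an added JavaScript example that is neither Knack's code nor the poster's. The policy field names (`minLength`, `lower`, `upper`, `digit`, `special`), the class/method names, and the reading of "special character" as any non-alphanumeric ASCII character are assumptions.

```javascript
// Added example (not Knack's code): the policy form and lockout rule from the spec above.
// Policy fields mirror the spec's defaults: min 6 chars, lowercase required, others optional.
const DEFAULT_POLICY = { minLength: 6, lower: true, upper: false, digit: false, special: false };

// Returns the specific reasons the candidate was rejected; an empty list means accepted.
function validatePassword(candidate, policy = DEFAULT_POLICY) {
  const errors = [];
  // Any character with no visible glyph (space, tab, control characters) is rejected outright.
  if (/[\s\p{Cc}]/u.test(candidate)) {
    errors.push('Password must not contain spaces, tabs or control characters.');
  }
  if (candidate.length < policy.minLength) {
    // Tell the user both that it is too short and what the minimum actually is.
    errors.push(`Password must be at least ${policy.minLength} characters (got ${candidate.length}).`);
  }
  if (policy.lower && !/[a-z]/.test(candidate)) errors.push('Password must contain at least 1 lowercase letter.');
  if (policy.upper && !/[A-Z]/.test(candidate)) errors.push('Password must contain at least 1 uppercase letter.');
  if (policy.digit && !/[0-9]/.test(candidate)) errors.push('Password must contain at least 1 number.');
  // Assumption: "special" means any character that is not an ASCII letter or digit.
  if (policy.special && !/[^A-Za-z0-9]/.test(candidate)) errors.push('Password must contain at least 1 special character.');
  return errors;
}

const ONE_HOUR_MS = 60 * 60 * 1000;

// Sliding one-hour window of failed logins per account; locked once failures EXCEED the threshold (default 5).
class LockoutTracker {
  constructor(threshold = 5) { this.threshold = threshold; this.failures = new Map(); }
  recentFailures(account, now) {
    return (this.failures.get(account) || []).filter(t => now - t < ONE_HOUR_MS);
  }
  recordFailure(account, now = Date.now()) {
    const recent = this.recentFailures(account, now);
    recent.push(now);
    this.failures.set(account, recent);
  }
  isLockedOut(account, now = Date.now()) {
    return this.recentFailures(account, now).length > this.threshold;
  }
  // Self-service or admin reset: all previous incorrect attempts are ignored from now on.
  reset(account) { this.failures.delete(account); }
}

// Demo with constructed inputs.
console.log(validatePassword('a'));
console.log(validatePassword('Tr0ub4dor&3', { ...DEFAULT_POLICY, upper: true, digit: true, special: true }));
```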