Changes to password features
in Revive Adserver v5.4.0 and above
This page details the changes and improvements regarding passwords that have been implemented in version 5.4.0 and above of the Revive Adserver software.
Password hashing improvement
In Revive Adserver version 5.4.0, we’re implementing a new, more modern and safer method of storing password hash values. Passwords are no longer hashed using the MD5 method; instead, the much safer bcrypt hashing method is used.
Additional password safety improvements
We’ve also implemented some extra password safety features in Revive Adserver v5.4.0:
- When a new user is created, the software will send an email to the email address of the new user, with a link that enables them to enter their own password. This replaces the old process of entering both the username and the password for a new user, and then sending these credentials to the new user.
- When a new user is setting up their initial password, or when an existing user changes their password, a password strength indicator helps them to ensure a strong password is chosen. There is also a new feature to define the minimum length requirements for newly entered passwords.
- By default, the minimum password length is set to 12 characters. This can be changed in the configuration file.
- Revive Adserver should now also work more closely with password managers, so that the password manager can suggest a strong password, and can more reliably recognize passwords being entered and then offer to store them.
- After updating to version 5.4.0 or above, when an existing user attempts to log in, the software will first send them an email with a link to enter a new password. This new password will be subject to the minimum length requirement mentioned above, and the password strength indicator will also be displayed for guidance. Users will not be able to log in until after they’ve entered a new password.
- When a user has requested a password recovery email, clicking the link in that email will bring up a similar screen with a password strength indicator and a minimum password length validation.
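The bcrypt storage and minimum-length rule described above, as an added PHP example that is not Revive Adserver's own code: it uses PHP's native password_hash()/password_verify() with the PASSWORD_BCRYPT algorithm and reads the minimum length from a config array whose key name (password_min_length) is an assumption, not the real configuration option. The 12-character default is the one stated on this page; the cost factor of 12 and the 72-byte upper bound are choices made for the example.

```php
<?php
// Added example, not Revive Adserver's own code. Demonstrates the bcrypt
// hashing and minimum-length policy this page describes using PHP's native
// password API. The $config array and its key name are assumptions.

declare(strict_types=1);

// Assumed configuration; the page states that the default minimum is 12.
$config = ['password_min_length' => 12];

/**
 * Check a candidate password against the minimum length policy.
 * Returns null when acceptable, otherwise a reason suitable for the UI.
 */
function checkPasswordPolicy(string $password, array $config): ?string
{
    $min = (int) ($config['password_min_length'] ?? 12);
    // Count characters, not bytes, so multi-byte passwords are measured fairly.
    if (mb_strlen($password) < $min) {
        return "Password must be at least {$min} characters long.";
    }
    // bcrypt only uses the first 72 bytes of its input; reject longer
    // passwords rather than silently truncating them.
    if (strlen($password) > 72) {
        return 'Password must be at most 72 bytes long.';
    }
    return null;
}

/**
 * Hash a password with bcrypt. password_hash() generates a random salt and
 * embeds algorithm, cost and salt in the returned string ("$2y$12$...").
 */
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

/**
 * Verify a login attempt and report whether the stored hash should be
 * regenerated (e.g. after the cost factor is raised in a later release).
 */
function verifyPassword(string $password, string $storedHash): array
{
    $ok = password_verify($password, $storedHash);
    $needsRehash = $ok && password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => 12]);
    return ['valid' => $ok, 'needs_rehash' => $needsRehash];
}

// Demonstration with constructed values.
foreach (['short1', 'correct horse battery staple'] as $candidate) {
    $reason = checkPasswordPolicy($candidate, $config);
    if ($reason !== null) {
        echo "Rejected '{$candidate}': {$reason}\n";
        continue;
    }
    $stored = hashPassword($candidate);
    echo "Stored hash for '{$candidate}': {$stored}\n";
    var_dump(verifyPassword($candidate, $stored));
    var_dump(verifyPassword('wrong password', $stored));
}
```

The first candidate is rejected by the length policy and never reaches the hashing step; the second is hashed, verified, and then checked with password_needs_rehash(), which is the hook a deployment would use to raise the cost factor later without forcing everyone to set a new password again.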
Technical requirements
It has always been important to run Revive Adserver on a server that is capable of sending out emails. But as you can see from the improvements listed above, the ability to process outgoing email is now critical.
We strongly recommend checking if the server is capable of sending emails before updating to v5.4.0. One way to do this is to simply request a password recovery email for your own existing username.
If the email arrives, you’re good to go. If not, then you should install and/or configure an outgoing email system first, or ask your hosting provider or system administrator to assist you with that.
Updating to Revive Adserver 5.4.0 or above
During the update process, there are a few steps in 5.4.0 and above that are new in comparison to earlier versions. These steps will only be performed when an existing system that’s older than 5.4.0 is being updated to version 5.4.0 or above, and only once.
These steps are:
- The update wizard has always been restricted to system administrators. It checked whether a system administrator was already logged in and, if not, prompted the user to enter the username and password of an existing system administrator.
- New in this version is that the update wizard will always require entering the username and password of the system administrator, and after this has been done successfully, the password will be hashed using the bcrypt method.
- After the update is completed, any existing user will also have to set a new password that will then get hashed with the bcrypt method, as outlined at the start of this page.
Creating new users
Once you’re running Revive Adserver v5.4.0 or above, creating a new user no longer requires that you enter their password as well. Instead, all you have to enter is their username, their full name, and their email address. You can also select the user interface language for the new user, and the system will appear in that language (assuming the translation has been created).
Clicking the “Add user” button will trigger an email to be sent to the new user, with instructions about how to proceed and a link that enables them to enter their initial password.
User passwords checking tool
A new tool has been created that enables system administrators to check which users haven’t updated their password yet, and even to send such users an email urging them to enter a new password.
You can find this tool by logging in as a system administrator, and then clicking the Configuration tab at the top of the screen. Next, click the “Maintenance” link in the menu in the left column, and then in the middle of the screen select the “User passwords” section. After reading the instructions, click the “Check user passwords” link.
A two-part screen will now appear. In the first part, you will see a list of “Users requiring password reset” (if any). In the second part, you will see a list of “New users who haven’t set their password yet” (if any).
You can tick the checkboxes for any users you want to prompt to set their new password, and then click the “Send email(s)” button. Each user you’ve checked will then get the appropriate email explaining what they need to do.
Passwords and the API
For developers and administrators who use the Revive Adserver API to access and manage their installation, a few points are worth mentioning:
- When using the API to create a new user, it is still possible to send both the username and the password, as before, for backward compatibility. When you change your API implementation and omit the password during user creation, the new “welcome new user” email will be triggered, with the link in it that enables the new user to set their own password.
- The username and password being used for API access will work regardless of the hash type, to ensure that API implementations will remain operational after updating to Revive Adserver v5.4.0. We strongly recommend going through the password recovery process with the username in use for the API and setting a new password for it, which will then also be hashed and stored with the new hash format.
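What “works regardless of the hash type” means in practice, together with the two user groups the “Check user passwords” tool lists, as an added PHP example that is not the project's own code: a credential check that accepts either a legacy MD5 hex digest or a bcrypt hash, plus an audit that separates users still on MD5 from new users with no password yet. The record layout, the field names, the use of NULL for “password never set”, and the assumption that a legacy hash is a plain MD5 hex digest of the password are all constructed for this illustration.

```php
<?php
// Added example, not Revive Adserver's own code. Shows a credential check
// that accepts either a legacy MD5 hash or a bcrypt hash (so existing API
// users keep working after the update), and an audit that produces the two
// lists the "Check user passwords" tool displays. Record layout, field names,
// NULL for "password never set" and the assumption that a legacy hash is a
// plain MD5 hex digest of the password are all constructed here.

declare(strict_types=1);

/** True when the stored value looks like a 32-hex-digit MD5 digest. */
function isLegacyMd5Hash(string $hash): bool
{
    return (bool) preg_match('/^[0-9a-f]{32}$/i', $hash);
}

/**
 * Verify a password against whatever hash format is stored.
 * Returns 'bcrypt', 'md5' (valid, but the user must still set a new
 * password) or null when the credential is invalid or was never set.
 */
function verifyCredential(string $password, ?string $storedHash): ?string
{
    if ($storedHash === null || $storedHash === '') {
        return null;
    }
    if (isLegacyMd5Hash($storedHash)) {
        // hash_equals() compares in constant time.
        return hash_equals(strtolower($storedHash), md5($password)) ? 'md5' : null;
    }
    return password_verify($password, $storedHash) ? 'bcrypt' : null;
}

/**
 * Split user records into the two groups shown by the checking tool:
 * existing users still on MD5, and new users with no password yet.
 */
function classifyUsers(array $users): array
{
    $requiringReset = [];
    $neverSet = [];
    foreach ($users as $user) {
        $hash = $user['password_hash'];
        if ($hash === null || $hash === '') {
            $neverSet[] = $user['username'];
        } elseif (isLegacyMd5Hash($hash)) {
            $requiringReset[] = $user['username'];
        }
    }
    return ['requiring_reset' => $requiringReset, 'never_set' => $neverSet];
}

// Constructed sample records.
$users = [
    ['username' => 'admin',   'password_hash' => password_hash('correct horse battery staple', PASSWORD_BCRYPT)],
    ['username' => 'apiuser', 'password_hash' => md5('legacy-api-secret')],
    ['username' => 'newhire', 'password_hash' => null],
];

print_r(classifyUsers($users));

$byName = [];
foreach ($users as $user) {
    $byName[$user['username']] = $user['password_hash'];
}

$attempts = [
    ['apiuser', 'legacy-api-secret'],
    ['apiuser', 'wrong'],
    ['admin',   'correct horse battery staple'],
    ['newhire', 'anything'],
];
foreach ($attempts as [$name, $password]) {
    $result = verifyCredential($password, $byName[$name]);
    if ($result === null) {
        $msg = 'rejected';
    } elseif ($result === 'md5') {
        $msg = 'accepted, must set a new password';
    } else {
        $msg = 'accepted';
    }
    echo "{$name}: {$msg}\n";
}
```

Returning the hash type from verifyCredential() rather than a bare boolean lets the caller treat a successful legacy match as the trigger for the password-reset email, which is the behaviour the page describes for existing users; the audit function reports the same condition in bulk for the checking tool.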