Good security is a desirable feature and is becoming mandatory with compliance initiatives like GDPR. This feature applies only to tenants using the default security manager.
Tenant admins can set password strength requirements on the Create Tenant or Edit Tenant screens. There are four password strength options (Fair, Good, Strong, Very Strong) or the field can be left blank if you do not want to enforce password strength. When you change the password strength requirement, users whose passwords do not comply will automatically be prompted to change their password on their next login. Tenant Admins can also expire passwords by checking Change Password on Next Login on the Edit User page. Users cannot use their old password or a temporary password as the new password.
Definitions of Password Strength
- none - uses system default, enforces a minimum password of 8 characters
- Fair - very guessable: protection from throttled online attacks. (guesses < 10^6) Strength Meter will indicate "Very weak."
- Good - somewhat guessable: protection from unthrottled online attacks. (guesses < 10^8) Strength Meter will indicate "Weak."
- Strong - safely unguessable: moderate protection from offline slow-hash scenario. (guesses < 10^10)
- Very Strong - very unguessable: strong protection from offline slow-hash scenario. (guesses >= 10^10)
A user creating or resetting their password will be required to meet the password strength specified by the tenant admin. Password strength is indicated as the user types by a Password Strength Meter visible below the entry. There are no specific length or character requirements, but the meter will detect the strength of the password based on use of uncommon words or phrases and unpredictable use of capitalization, numbers and special characters. Helpful suggestions appear to prompt the user towards a stronger password. Password length is limited to 100 characters and an error message will appear if user attempts to enter more than 100 characters. Users cannot use their old password or a temporary password as the new password. Here are screenshots of what a user might see if the Tenant Password Strength is set to "Strong." Strong and Very Strong passwords use uncommon words or phrases and unpredictable use of capitalization, numbers and special characters.
Tenant Admins can update current users or add new users by uploading a CSV file. For security, the CSV file does not include a password column.
Setting notifyIfNewUser to TRUE causes Live Forms to causes frevvo to send an email notification to the user prompting them to create a password. The defaults setting for notifyIfNewUser is FALSE, which allows Admins to set up users without passwords initially, and notify them to create passwords later.
- Set notifyIfNewUser to TRUE to send new users and current users without a password an email to create a password. Current users who already have a password will not receive a notification, even if notifyIfNewUser is set to TRUE.
- Set notifyIfNewUser to FALSE to not send an email notifications.
Password Reset email links will expire in 6 hours.
Users added manually will not get an automatic email prompt, but can be required to update their password on next login. This is by design to allow Admin users to add users prior to production, and then notify them to update their password later.