Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
maxLevel1
typeflat
separatorpipe

...

Excerpt

Info

Password Requirements

Tenant admin can set a Password Strength Requirement at the tenant level. If Password Strength is set, a password strength meter appears when creating or updating a password. When Password Strength is left blank frevvo will still require a minimum password length of 8 characters.

Expand
titleClick here to learn more about passwords.

Good security is a desirable feature and is becoming mandatory with compliance initiatives like GDPR. This feature applies only to tenants using the default security manager.

Tenant admins can set password strength requirements on the Create Tenant or Edit Tenant screens. There are four password strength options (Fair, Good, Strong, Very Strong) or the field can be left blank if you do not want to enforce password strength. When you change the password strength requirement, users whose passwords do not comply will automatically be prompted to change their password on their next login. Tenant Admins can also expire passwords by checking Change Password on Next Login on the Edit User page. Users cannot use their old password or a temporary password as the new password.

Definitions of Password Strength

  • none - uses system default, enforces a minimum password of 8 characters
  • Fair - very guessable: protection from throttled online attacks. (guesses < 10^6) Strength Meter will indicate "Very weak."
  • Good - somewhat guessable: protection from unthrottled online attacks. (guesses < 10^8) Strength Meter will indicate "Weak."
  • Strong - safely unguessable: moderate protection from offline slow-hash scenario. (guesses < 10^10)
  • Very Strong - very unguessable: strong protection from offline slow-hash scenario. (guesses >= 10^10)

A user creating or resetting their password will be required to meet the password strength specified by the tenant admin. Password strength is indicated as the user types by a Password Strength Meter visible below the entry. There are no specific length or character requirements, but the meter will detect the strength of the password based on the use of uncommon words or phrases and unpredictable use of capitalization, numbers, and special characters. Helpful suggestions appear to prompt the user towards a stronger password. Password length is limited to 100 characters and an error message will appear if the user attempts to enter more than 100 characters. Users cannot use their old password or a temporary password as the new password. Here are screenshots of what a user might see if the Tenant Password Strength is set to "Strong." Strong and Very Strong passwords use uncommon words or phrases and unpredictable use of capitalization, numbers, and special characters.

Tenant Admins can update current users or add new users by uploading a CSV file. For security, the CSV file does not include a password column. 

Setting notifyIfNewUser to TRUE causes frevvo to send an email notification to the user prompting them to create a password. The default setting for notifyIfNewUser is FALSE, which allows Admins to set up users without passwords initially, and notify them to create passwords later. 

  • Set notifyIfNewUser to TRUE to send new users and current users without a password an email to create a password. Current users who already have a password will not receive a notification, even if notifyIfNewUser is set to TRUE.
  • Set notifyIfNewUser to FALSE to not send an email notification.
Note

Password Reset email links will expire in 6 hours.

Users added manually will not get an automatic email prompt, but can be required to update their password on the next login. This is by design to allow Admin users to add users prior to production, and then notify them to update their password later.

...

Info

If you don't yet have an account, click Create One!to sign up for a free frevvo trial tenant.

...

  1. Enter Username userId@tenant and then click the Forgot Password link. The Password Change Request screen displays.

  2. A confirmation email is sent to the address associated with the frevvo user id. This link will expire in 24 hours.

  3. Click the link included in the email to reset your password with a temporary password. You will see the Password Changed screen.

  4. An email is sent to the address associated with the frevvo user id providing the reset password and a link to log in. 

  5. Click the link in the email to take you to the frevvo login screen. Login with your user and the temporary password from the email. 

  6. Click the Manage Account link in the top right corner of the screen.

  7. Change the password on the Manage Personal Information screen to one a password of your choice.

This method can be used to reset the password for tenant administrators and for the superuser (admin@d) for in-house installations.

Info

If a user tries to  access same email password reset link again after the password has been changed, they will be directed to the login page. If a user generates multiple password reset links, then uses one to change the password, then clicking on subsequent links will direct them to the login page.

The Forgot Password feature is not supported for frevvo users in a SAML tenant. If SAML tenant users browse the URL frevvo/web/login, enter their login id then click Forgot Password, they will see the error message "Password reset is not supported in the tenant."

...