This help center article describes the individual rules of our password policy in more detail.
Required password change after initial login:
A default password is generated and sent to the fundraiser's e-mail address as soon as a new user is created. This password is valid only until the fundraiser's first login.
After the fundraiser has logged in for the first time, they will be asked to set a new password.
This newly set password does not expire.
Exceptions: Users set up with a password via the data API do not have to change their password after logging in.
New password policy:
We have also changed our password policy in line with the latest security standards. The policy consists of two variants: regular and strict.
Regular password policy:
Applies to all fundraisers, trainers, team leaders, and job scouts
- Minimum length: 8 characters
- At least 1 letter and 1 number
- Must not be similar to the user name or e-mail
Strict password policy:
Applies to all other users who are not covered by the regular password policy
- Minimum length: 10 characters
- At least 1 letter, 1 number, and 1 special character
- Must not be similar to the user name or e-mail
If a user's roles would place them under both policies, the strict policy applies.
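The two policy variants and the stricter-wins rule above, encoded as a Python validator. This is an added illustration, not the help center's own code; the internal role names, the regex checks and the similarity test (substring match or a difflib ratio of 0.7 against the user name and the e-mail local part) are assumptions, since the page does not define how "similar" is measured.

```python
import difflib
import re
import string

# Roles the page places under the regular policy; any other role is strict (assumed spelling).
REGULAR_ROLES = {"fundraiser", "trainer", "team leader", "job scout"}

# Rule sets from the page: length floor and whether a special character is required.
POLICIES = {
    "regular": {"min_length": 8, "special": False},
    "strict": {"min_length": 10, "special": True},
}

def policy_for(roles):
    """Regular only if every role is a regular one; otherwise (or with no role) strict wins."""
    if roles and all(r in REGULAR_ROLES for r in roles):
        return "regular"
    return "strict"

def too_similar(password, reference, threshold=0.7):
    """Assumed similarity test (the page does not define 'similar'): substring
    match on references of 4+ characters, or a difflib ratio at/above threshold."""
    if not reference:
        return False
    p, r = password.lower(), reference.lower()
    if len(r) >= 4 and (r in p or p in r):
        return True
    return difflib.SequenceMatcher(None, p, r).ratio() >= threshold

def check_password(password, username, email, roles):
    """Return (policy name, list of violations); an empty list means accepted."""
    name = policy_for(roles)
    rules = POLICIES[name]
    problems = []
    if len(password) < rules["min_length"]:
        problems.append(f"minimum length is {rules['min_length']} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("at least 1 letter required")
    if not re.search(r"[0-9]", password):
        problems.append("at least 1 number required")
    if rules["special"] and not any(c in string.punctuation for c in password):
        problems.append("at least 1 special character required")
    # Compare against the user name and the local part of the e-mail (assumption).
    local_part = email.split("@", 1)[0] if email else ""
    if too_similar(password, username) or too_similar(password, local_part):
        problems.append("must not be similar to the user name or e-mail")
    return name, problems
```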
Account suspension:
After five failed login attempts, the account is blocked for one hour and cannot be used to log in during this time. This mechanism protects against brute-force attacks. If the lockout is the result of user error, another user with access to the admin area can unlock the locked account.
This rule applies to all users in our system.
To unblock a blocked user, an authorized person must navigate to "Fundraiser" or "User", depending on the account type. Then select the blocked account using the checkbox on the left-hand side.
Then select "Reset login attempts" from the drop-down menu at the bottom of the screen and click on "Go".