Enforcing Password Security for Registrants
Admins are able to require registrants to create strong and complex passwords following any criteria they choose, using Regular Expressions. For example, one set of criteria could be:
- Password must be at least 8 characters in length.
- If password is under 16 characters in length, it must contain at least three of the four character types.
- If password is 16 characters or more, it may contain only one character type.
By default all passwords must be at least 6 characters in length.
Passwords in Email Autoresponders
It is good security practice to never include plain-text passwords in emails sent to users. However, there are some scenarios in which we do include a password in plain text — namely, when the system generates a password and we want to inform the user of what it is (otherwise they will not know what their password is). In these scenarios the user is encouraged to change their password once they log in. These scenarios are:
- A user registers (on quick registration) by clicking the "Sign up with Facebook" button
- A donor registers after donating
- A user invites another user through detailed registration
The registration autoresponders are designed such that the password will only be displayed in these scenarios.