At we take security very seriously. Your data security is important to us which is why we have provided a set of password configuration options that allow administrators to enforce even the most stringent password security requirements.

Default settings for passwords

As soon as you log in as an administrator to your account, you will find these three password configuration options grouped together under the Settings > Security tab.

The default settings above will remain in effect until you change them.

Password recovery via email

By default, registered users are allowed to reset their passwords without the need to involve an administrator. When a user chooses to reset their password, they are provided a Forgot your password? link on the Login Page.

After clicking that link, the user will taken to the Forgot your password? page where they will be prompted for either their Username or Email address.

After the user enters their information and clicks the Recover Password button, an email will be sent containing a link for resetting their password. After following the email link the user will be taken to the Set your new password page.

Two important caveats should be noted for sites using the Password recovery via email feature: 1. If a user’s email account has been compromised without their knowledge, this will allow the person who gained unauthorized access to that user’s email account to also reset the user account and gain access to that user’s files and folders. 2. When creating user accounts on, it is possible to create new user accounts without email addresses. Any user account created without a valid email address will not be able to use this feature.

Password restrictions

Similar to most password managers, allows administrators to define up to six different password requirements so that they can meet or exceed your organization’s security requirements for secure passwords:

  1. The number of new password cycles a user must generate and use a new password before they are allowed to choose a previously used password
  2. The minimum length of a password
  3. Does the password need any letters, or can it be all numeric and/or special characters?
  4. Will a password be valid without containing at least one number (0-9) in it?
  5. Are passwords required to contain at least one non-alphanumeric character, like symbols or punctuation?
  6. Should passwords require both upper and lowercase letters?

As mentioned in the in-app documentation above, the first option, the restriction on reusing previous passwords can be overridden with a value of 0. This feature is used mainly in combination with the Password expiration setting or via a manual password reset by an administrator.

Password expiration

A common security requirement for many organizations is setting the maximum age for passwords. If your organization requires passwords to be changed at fixed intervals, then this option will allow your users to maintain compliance.

Password expiration has been historically used to guard against brute force attacks on user accounts. Since automatically offers brute force protection (see Settings > Security > Brute force protection) you may want to reconsider enabling this feature after reading this article from the Federal Trade Commission, Time to rethink mandatory password changes: > “Research suggests frequent mandatory expiration inconveniences and annoys users without as much security benefit as previously thought, and may even cause some users to behave less securely.”