This article covers everything you need to know about passwords in Higher Logic Vanilla (Vanilla).
Password requirements
- A password's strength is determined by its length. The default minimum password length is 12.
- Numbers and special characters (!, @, etc.) are not required.
Are these default requirements strong enough for my site?
While these default password requirements may seem limited, the logic behind this implementation is as follows:
- Password requirements that are too strict may deter some people from registering.
- Logging in to your Vanilla Community is rate-limited to about one attempt per second. This technique helps prevent bots and bad actors from guessing passwords by brute force.
- Users are not forced to choose a strong password, but they can still do so and are encouraged to: the strength of their choice is shown as they type it (too short, good, strong).
Why aren't special characters required?
Some sites require numbers and special characters (!, @, etc.) for their passwords. This is not consistent with current best practices for the following reasons:
- Character variety has less impact on password strength than password length.
- Strict password requirements may conflict with the passwords generated by password-manager applications, which may result in less secure passwords.
Update your account password
You can update your account password at any time. To do so:
1. Click the MeBox, followed by your profile picture.
2. On the resulting page, select Edit Profile from the dropdown.
3. In the right sidebar, click Change My Password.
4. On the resulting page, enter your current password, followed by your new password (and confirmation).
✔️ TIP: As you type, the strength of your password is indicated via the bar below the New Password field. Vanilla recommends using passwords that reach the "Strong" indicator.
5. Click Change Password to apply the update.
📝 NOTE: Resetting your password clears all session data, meaning you'll now have to log in again on all your devices. If your password was compromised, this ensures a bad actor cannot stay logged in to your account on their device, as they'll be forced to log in again.
Update default minimum password length
With the default Vanilla community configuration, passwords must be a minimum of 12 characters in length. Admins can, however, change this at any time.
📝 NOTE: The minimum cannot be fewer than 8 characters.
- Access the Dashboard.
- Navigate to Settings > Technical > Security.
- The Password Minimum Length field indicates your current minimum length. Enter your desired minimum length and click Save.
Forgot password process
Like most sites, your Vanilla community makes it easy to recover your password in the event you've forgotten it.
1. On the Sign In page, click the Forgot? link.
2. On the Recover Password page:
- enter your account email address,
- check the I'm not a robot reCAPTCHA box,
- and click Request a new Password.
3. Upon receiving the system-generated email, follow the enclosed prompts to recover your password.
🛑 IMPORTANT: The link in the password-reset email message is valid for 1 hour; then it expires and you have to re-request the reset.
✔️ TIP: Vanilla recommends that you give the request time to process. If you request a password reset while one request is already in progress, the second request invalidates the first request.
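The reset-link rules above (valid for 1 hour, a newer request invalidating the earlier one) can be modelled as a small token store. This is an added illustration, not Vanilla's own code; the token format, hashing and one-pending-token-per-account layout are assumptions made for the example.

```python
"""Added example: an in-memory password-reset token store that enforces
  * a reset link valid for one hour, after which it expires;
  * a newer request for the same account invalidating the earlier one;
  * a token that can be redeemed at most once.
Not Vanilla's implementation; token format and hashing are assumptions."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

RESET_VALIDITY = timedelta(hours=1)  # stated in the article: link valid for 1 hour


class ResetTokenStore:
    def __init__(self, now=None):
        # One pending reset per account: email -> (token_hash, expires_at).
        self._pending: dict[str, tuple[str, datetime]] = {}
        self._now = now or (lambda: datetime.now(timezone.utc))

    @staticmethod
    def _digest(token: str) -> str:
        # Store only a hash so a leaked store cannot be used to reset passwords.
        return hashlib.sha256(token.encode()).hexdigest()

    def request(self, email: str) -> str:
        """Issue a fresh token; any earlier pending token for this email is replaced."""
        token = secrets.token_urlsafe(32)
        self._pending[email] = (self._digest(token), self._now() + RESET_VALIDITY)
        return token  # this value would be embedded in the emailed link

    def redeem(self, email: str, token: str) -> bool:
        """Consume the token if it is the current one, unexpired and matching."""
        entry = self._pending.get(email)
        if entry is None:
            return False
        token_hash, expires_at = entry
        if self._now() >= expires_at:
            self._pending.pop(email, None)  # expired: the user must re-request
            return False
        if not hmac.compare_digest(token_hash, self._digest(token)):
            return False
        self._pending.pop(email)  # single use
        return True
```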