Vanilla Forums Documentation Registration & SSO

Account Password Overview

This article covers everything you need to know about passwords in Higher Logic Vanilla (Vanilla).

Password requirements

Password strength is determined by its length. The default minimum password length is 12 characters. Refer to Manage the default minimum password length, below, for information on how to set a different default length.
Numbers and special characters (!, @, etc.) are not required.

Is this default length requirement strong enough for my site?

While this default length requirement may seem limited, the logic behind this implementation is as follows:

Password requirements that are too strict may deter some people from registering.
Logging in to your Vanilla Community is rate-limited to about one attempt per second. This requirement helps prevent bots and bad actors from guessing passwords by brute force.
Numbers and special characters, while not required, are not forbidden. This allows users the freedom to create passwords that work for them.

Why aren't special characters required?

Some sites require numbers and special characters (!, @, etc.) for passwords. This is not consistent with current best practices for the following reasons:

Character variety has less impact on password strength than password length.
Strict password requirements may conflict with the password generation of password-manager applications, which may result in less secure passwords.

Change your account password

You can change your account password via your user profile.

1. Click the MeBox, followed by your profile picture.

2. Select Edit Profile from the dropdown.

3. Under Account & Privacy Settings, click the pencil icon in the Password section.

4. On the Change password overlay dialog:

specify your current password,
specify and confirm your new password, and
click Save.

On the dialog, note the:

required minimum length displays below the New Password field and the
"Passwords Match" validation below the Confirm New Password field.

📝 NOTE: Changing your password clears all session data, so you'll now have to log in again on all your devices. If your password was compromised, this ensures that a bad actor cannot stay logged in to your account on their device — they are forced to log in again.

Manage the default minimum password length

Admins can manage the default minimum password length for their Vanilla community.

📝 NOTE: The minimum cannot be fewer than 8 characters.

Access the Dashboard.
Navigate to Settings > Technical > Security.
The Password Minimum Length field indicates your current minimum length requirement. Specify your preferred minimum length and click Save.

Forgot password process

Your Vanilla community makes it easy to recover your password in the event you've forgotten it.

1. On the Sign In page, click the Forgot? link.

2. On the Recover Password page:

specify your account email address,
check the I'm not a robot reCAPTCHA box, and
click Request a new password.

📝 NOTE: This process requires you to create a new password; you cannot retrieve or recover your current, forgotten password.

3. In the system-generated reset-password email message, click the link to continue the new-password process.

🛑 IMPORTANT: The link in the reset-password message is valid for 1 hour; then it expires and you have to re-start the process.

4. On the Reset my password page:

the required minimum length is indicated (and rated as you type),
specify and confirm your new password, and
click Save your password.

You're logged in to your Vanilla community.

✔️ TIP: Vanilla recommends that you give the request adequate time to process. If you request a password reset while one request is already processing, the second request invalidates the first request.