Password Requirements for Fixably Users

This article outlines the password requirements for Fixably Users.

Passwords will no longer be auto-completable when logging in

Fixably asks the browser to disable auto-completion of passwords. Some browser extensions may be able to bypass this.

Users are logged out after repeated failed login attempts.

  • Fixably checks to see if a User has been suspended or marked as inactive.
  • In case of a brute-force login attempt, the User will be logged out, and their account will be marked as suspended. This will prevent the User from logging in again.
  • Fixably Administrators can restore a suspended User account via the Edit User option. A red alert will be visible at the top of the form. Suspended or banned Users can also be identified by selecting Users in the Navigation Sidebar. This will be visible for both Employees and Customers.
  • Fixably Administrators can be locked out of the system. A notice is issued to the User asking them to contact their local administrator or Fixably support.

Passwords are required to meet stronger complexity requirements.

  • A User cannot pick a password that is one of their previous five passwords.
  • A User may only change their password once per hour. If issued a temporary password, they must wait one hour before changing it.
  • New passwords MUST contain at least 8 characters, 1 symbol, 1 number, and mixed-case characters.
  • New passwords must NOT contain parts of a User's first name, last name, or email. For example, a User named Janne may not choose a password with J4nne, Jann3, etc.
  • If the system needs to issue a temporary password to a User, it will always be 16 characters long and follow the same rules mentioned above.
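
A validator for the rules listed above, as an added example that is not Fixably's own code. The substitution map, the four-character minimum for a name "part", and the plaintext `previous` list are assumptions made for illustration.

```python
import re

# Assumed substitution map; the article only shows 4->a and 3->e (J4nne, Jann3).
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})
MIN_PART = 4  # assumption: shortest name fragment treated as a "part"


def _normalize(text):
    """Lower-case and undo common character substitutions."""
    return text.lower().translate(LEET)


def _identity_parts(first, last, email):
    """Name tokens and e-mail local-part tokens, normalized."""
    local = email.split("@", 1)[0]
    tokens = re.split(r"[^A-Za-z0-9]+", f"{first} {last} {local}")
    return {_normalize(t) for t in tokens if len(t) >= MIN_PART}


def check_password(password, first, last, email, previous=()):
    """Return a list of violated rules; an empty list means acceptable."""
    problems = []
    if len(password) < 8:
        problems.append("length")
    if not re.search(r"[0-9]", password):
        problems.append("number")
    # Assumption: any non-alphanumeric, non-whitespace character is a symbol.
    if not re.search(r"[^A-Za-z0-9\s]", password):
        problems.append("symbol")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("mixed-case")
    normalized = _normalize(password)
    if any(part in normalized for part in _identity_parts(first, last, email)):
        problems.append("identity")
    # Last five passwords; a real system compares against stored hashes.
    if password in list(previous)[-5:]:
        problems.append("history")
    return problems
```
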

Passwords expire after 120 days and must be changed.

Fixably will display a notification 14 days before the password expires on every page in the User interface, next to the menu in the top right corner. 

Passwords can be reset using challenge questions.

Fixably Administrators can find a new option in System Settings > Security for enabling password reset by challenge questions. This feature is automatically enabled if one of the following conditions is met:

  • If the Quickbooks Online integration is marked as "Enabled" in the integrations menu.

This feature may be forcefully disabled if all of the following conditions are met:

  • Third-party authentication is disabled in your subscription plan
  • The "Disables Default Login Method" setting is on (System Settings > Security menu)

When this feature is enabled, a new section called "Security Questions" is visible in the User Settings menu. Users may fill out this form to be able to recover their passwords.

Full List of Requirements

  • A User must have an email address set for this feature to be practical. Users can fill out challenge questions regardless.
  • A User must select and answer three unique questions with unique answers.
  • Each answer must be at least five characters long.
  • A link is available on the main login screen to guide the User to start the recovery process.

Password Recovery Process

  • A User must be logged out of the system and click on the "Recover Password" link available under the usual "Login" button.
  • The User needs to provide a username or email. An email is sent to the User if an email address is found in the system.
  • Fixably will neither confirm nor deny whether a User exists in the system to the User attempting to start this process.
  • The User will get an email with a link and is prompted to fill out a form. This link is only valid for 15 minutes. If the User fails to complete the process within this time, they must restart the process.
  • If the User answers the challenge questions, a temporary password is sent by email. The User is also prompted to change the password when logging in.
 
Change Log

2022-10-25 - Clarified that Users can only change passwords once per hour
2022-06-17 - Minor text and clarification changes
2022-06-14 - New Article