This feature is available on the Enterprise plan.
Secure password configuration allows you to define custom password policies for all users of the team. With this feature you can be sure that all members of the team are utilizing strong passwords and change them on a regular basis.
To get started with this feature, you must be a team owner, biller, or an admin.
Click on the avatar in the bottom left corner and choose Team settings:
Proceed to the Advanced security tab and tick the Enable Secure password configuration option:
Now you'll need to define your password policy.
Defining password policy
After enabling the secure password configuration, you're going to see the following options:
User password expires in — how often users will be prompted to change their passwords. Available values:
— 30 days
— 60 days
— 90 days
— 180 days
When password expires, user will be prompted to change his/her password upon the next login.
Remember password history — when this option is enabled, Lokalise will remember last passwords users have set and won't allow to re-use the same passwords. Available values range from 1 to 10 remembered passwords.
Minimum password length (from 6 to 255 characters and not less than currently on the system level) — the minimum password length. Please note that on the system level Lokalise enforces two requirements:
— All passwords must be at least 6 characters long but no longer than 255 characters
— Passwords cannot be the same as emails
Password complexity. Must include — choose which characters the password must include. Available values (can be combination of any):
— Uppercase letters
— Lowercase letters
— Special characters
Secure password configuration enforced for the users
After you have defined a password policy, it will be enforced for all users of the team. If a user's password does not meet the new requirements, that user will not be able to enter the corresponding team. Upon logging in, s/he will see the following screen:
After clicking the Change password button, user will be brought to his/her personal profile and will be asked to change the currently set password. All password requirements according to the defined policy will be summed up in the top of the dialog box:
All users will also receive notification emails with a "change password" link:
Admin who changes secure password configuration settings will be enforced to change the password on the next login. Otherwise, they will see a message prompting to change the password:
After changing the password to a proper one, the user will be able to continue working within the team.
If a new user joins the team with the secure password configuration enabled, s/he will also be prompted to set the password according to the defined policies:
Edge cases and more complex scenarios
A user can be a member of multiple teams. Some teams may enforce secure passwords whereas other teams may have this feature disabled. If the user's password does not meet the enforced requirements, s/he will be able to work only within the teams that do not require strong passwords. To enter other teams, this user must change his/her password.
If a user is a member of two teams with different policies configured, these policies will be summed up and the user will have to comply with the maximum in order to work in both teams. For example, suppose John is a member of two teams with the following policies:
— Team A: password must include characters, numbers and contain 10 letters
— Team B: password must include characters, special symbols and contain 8 letters
If John's password contains characters, special symbols, and its length is 9 characters, John will be able to work within Team B but not within Team A. However, if his password contains characters, special symbols, numbers, and its length is 11 characters, John can work in both teams.
If you add a newly registered user to your team with the secure password configuration enabled and this user has a very weak password (which does not meet the requirements), this user will not be enforced to change his/her password. This is due to the fact that according to the security standards, our system does not know the password of the user. Therefore, we cannot "understand" whether the existing password of a newly joined user is "better" or "worse" than the minimal policy requirements. However, if you disable and then enable secure passwords feature, users will be enforced to change their passwords.
— This limitation applies only to already registered users that you invite to the team. This, however, does not apply to new users that are not yet created in our system.
— Therefore, our recommendation is to invite new users who do not have a Lokalise account yet. Alternative recommendation is to enable the setting to rotate the passwords inside a team (Remember password history), so that passwords of all affected users are updated on the next rotation.
If you move a project from a team without secure passwords feature enabled to a team with password policy in place, all contributors of this project will be enforced to change their passwords (if their current passwords do not meet the requirements). This is because moving the project between teams also means moving the project contributors.