As part of the continuous effort to ensure that Forsta Plus complies with the highest standards of security, the following password policy applies to end users (CAPI interviewers, report viewers, Analysts and Designers) and Authoring users (Express, Professional and Translator).
General
System messages are provided (with translations into the usual languages) for these settings. The appropriate error messages will be displayed when users choose passwords that do not comply with the site settings.
The Authoring (Express and Professional), Reportal and Panel Portal modules all have ‘Forgotten Password’ functionality. If a user or end user forgets their password, clicking the Forgot Password button requests an email with a link that opens a page where they can reset the password. Note that the reset password link is time-limited and only valid for one hour. If the user does not reset their password within that time, they must click the button again to be sent a new link. Refer to the Forsta Plus Professional Authoring documentation for further details.
All passwords are hashed and not transmitted in plain text, including those for panelists in Professional, Standard and Basic Panel. Consequently, passwords will not be available in plain text for any system users. Instead, users will be sent an activation link to open a page where they can choose their own password.
Panelists
The changes to the password policy for panelists are optional, and users must actively enable the restrictions for Basic and Professional Panels (go to Panel Settings Overview for more information). Users may then define custom settings for a panel. Panelist passwords will be hashed, meaning that passwords will not be available in plain text. When panelists use the “Forgot password” feature, they will be sent an activation link which will open a page where they can reset their password.
Warning
The default Panelist password settings pre-set by Forsta provide minimum security. Remember to enable suitable restrictions to ensure a satisfactory level of security for your panelists.
On-Demand users
The passwords for all areas of Forsta Plus must satisfy the same minimum requirements for complexity. Wherever passwords can be changed or set within the application, they will be validated against these rules before the change is accepted.
- Password history - the new password must be different from the last 12 passwords.
- Minimum age - the user will have to wait 24 hours after changing the password before being allowed to change it again.
- Maximum number of login attempts - after 5 invalid login attempts the account will be locked. The user will not be allowed to log in again until the account is reactivated by the system administrator in the single panelist editor page (go to Single Panelist Editor for more information).
- Uppercase characters - the password must contain at least 1 uppercase letter.
- Non-alpha characters - the password must contain at least 1 character that is not a letter (a..z, A..Z).
- Password length - the password must contain at least 8 characters.
- Password expiry days - the password will expire after 60 days. (This will not apply for login to the CAPI console.)
For Authoring users, it is possible to enforce even stricter requirements through certain company settings. Contact Forsta support if you wish to implement a stricter policy.
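The complexity, history and minimum-age rules listed above, as an added example (not Forsta's code): a validator that checks a proposed password before a change is accepted. The page does not name the hash algorithm, so salted PBKDF2-HMAC-SHA256, the function names and the ASCII reading of "uppercase" are assumptions; lockout and expiry are not covered.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

# Values taken from the On-Demand list on this page.
MIN_LENGTH = 8
HISTORY_DEPTH = 12
MIN_AGE = timedelta(hours=24)


def hash_password(password, salt=None, iterations=600_000):
    """Assumed storage format: (salt, iterations, PBKDF2-HMAC-SHA256 digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return (salt, iterations, digest)


def check_password_change(candidate, history, last_changed, now):
    """Return the list of violated rules; an empty list means the change is accepted.

    history: stored hash records, oldest first, current password last (assumption).
    last_changed: datetime of the previous change, or None for a first password.
    """
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append("length")
    # Assumption: "uppercase" means A..Z, matching the page's letter definition.
    if not re.search(r"[A-Z]", candidate):
        violations.append("uppercase")
    # Non-alpha: at least one character that is not a letter (a..z, A..Z).
    if not re.search(r"[^a-zA-Z]", candidate):
        violations.append("non-alpha")
    if last_changed is not None and now - last_changed < MIN_AGE:
        violations.append("minimum-age")
    # Only hashes are stored, so the candidate is re-hashed with each old
    # record's own salt and compared in constant time.
    for salt, iterations, digest in history[-HISTORY_DEPTH:]:
        probe = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
        if hmac.compare_digest(probe, digest):
            violations.append("history")
            break
    return violations
```

Because each stored record carries its own salt, the history check costs up to 12 key derivations per password change.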
On-Premise users
The following configurable settings will be enforced for all On-Premise users. If the Company Administrator chooses to use the settings, users will have to comply with these settings when changing their password:
- Password history - the new password must be different from the last X passwords.
- Minimum age - the user will have to wait X hours after changing the password before being allowed to change it again.
- Maximum number of login attempts - after X invalid login attempts the account will be locked. The user will not be allowed to log in again until the account is reactivated by the system administrator in the single panelist editor page (go to Single Panelist Editor for more information).
- Non-alpha-numeric characters - a required minimum number of characters that are not numbers (0..9) or letters (a..z, A..Z).
- Uppercase characters - a required minimum number of uppercase letters.
- Non-alpha characters - a required minimum number of characters that are not letters (a..z, A..Z).
- Password length - a required minimum number of characters in the password.
- Password expiry days - the password will expire after a number of days. (This will not apply for login to the CAPI console.)
- Password strength - in addition to a combination of the above settings, a regular expression may be used to enforce an even stricter policy.
For Authoring users, it is possible to enforce even stricter requirements through certain company settings. The server documentation that will be provided with the release will contain more detail.