Changes coming soon.
Security Improvements
New Password Policy Options
To date, the platform has enforced a simple 6-character minimum password length, with a focus on making it easy for users to get started with our service. We’re adding a Password Policy drop-down to the Organisation Setup page which gives you more control over user password requirements. Aside from our default Basic policy, there will be two further options based on current best practice recommendations:
- NIST SP 800-63
A phrase-based policy based on the latest recommendations of NIST, which encourages human-friendly passwords that are still hard to crack.
- OWASP 2017
A strict policy which favours complex passwords that are hard to crack but also harder for people to remember.
Both of these new policy options will add stronger password security requirements for your user accounts, so consider what is best for you.
For now, our platform will continue to set our Basic 6-character minimum policy as the default on new company accounts, but you can change this at any time. When you change the Password Policy, the new policy will be applied to existing users when they next change their passwords.
Maximum Password Attempts Lockout
We’re adding a temporary lockout feature to user accounts which will be applied when an incorrect password is attempted more than 5 times in a row. This is based on NIST recommendations and provides better security against brute-force password attacks. For now, this will apply to our web platform, but we’ll be extending this behaviour to app logins within the next few months.
Validation of Passwords Against 10,000 Most Common
We’ve loaded up the 10,000 most common passwords – as found by NIST-linked security researchers – and will be blocking users from setting or updating their passwords to any of these. This enforces NIST and OWASP guidance on preventing users from having easily crackable passwords.
Regenerable Integration API Keys
When working with our API there has been only one secret Key value per company account, and this Key value was fixed at the date of account creation. We’re adding a second Key which works just the same as the existing one, thus allowing you to rotate between using Key 1 and 2 in your integrations. This also unlocks the ability to regenerate an unused Key at any time, thus enabling you to enact greater security procedures (i.e. key rotation/regeneration) when using our API.
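The rotation that a second Key makes possible, modelled as an added example (not the platform's own code or API). `TwoSlotKeyStore`, `Integration` and `rotate` are hypothetical names, and the model assumes that regenerating a Key invalidates its previous value immediately.

```python
import hmac
import secrets


class TwoSlotKeyStore:
    """Hypothetical model of a company account holding two equally valid Keys."""

    def __init__(self):
        self.keys = {1: secrets.token_urlsafe(32), 2: secrets.token_urlsafe(32)}

    def authenticate(self, presented: str) -> bool:
        # Check both slots in constant time, without short-circuiting.
        ok = False
        for stored in self.keys.values():
            ok |= hmac.compare_digest(stored.encode(), presented.encode())
        return ok

    def regenerate(self, slot: int) -> str:
        # Assumption: the old value in this slot stops working at once.
        self.keys[slot] = secrets.token_urlsafe(32)
        return self.keys[slot]


class Integration:
    """Hypothetical client that is configured with one Key at a time."""

    def __init__(self, store: TwoSlotKeyStore, key: str):
        self.store, self.key = store, key

    def call(self) -> bool:
        return self.store.authenticate(self.key)


def rotate(store: TwoSlotKeyStore, integration: Integration, active_slot: int):
    """Rotate with no downtime; returns (new active slot, result of each check)."""
    spare = 2 if active_slot == 1 else 1
    results = []
    fresh = store.regenerate(spare)           # 1. regenerate the unused Key
    results.append(integration.call())        #    old Key still works
    old_key = integration.key
    integration.key = fresh                   # 2. deploy the new Key
    results.append(integration.call())
    store.regenerate(active_slot)             # 3. retire the old Key
    results.append(integration.call())        #    integration unaffected
    results.append(store.authenticate(old_key))  # old Key is now rejected
    return spare, results
```

Regenerating the Key that is still deployed (step 3 before step 2) is the ordering that causes an outage, which is why the unused Key is always the one regenerated first.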
New Personal Data Options
We wanted to make it easier for you to export data out of our platform while still being able to meet obligations you may have around personal data. Basic user account information like name and email is also considered to be personal data by default.
For other data that you control, we’re adding a new “Is Personal Data” checkbox into key areas of the platform including Forms, Data Sources and Connectors.
This new checkbox allows you to indicate that a field or column may contain personal/sensitive data. In and of itself, this option does not add any further security or protection, but it enables the platform to offer anonymisation of those data values when exporting.
You’ll notice this through new “Anonymise Personal Data” options that will appear on most system exports and Form Connectors when the presence of personal data has been indicated.
For API users, we’re adding a new set of “Anonymise” Keys. These work the same as our existing Full Access keys, with the difference being that any responses to requests authenticated with Anonymise keys will have personal data values converted to non-human-readable formats.