Password control

Introduction

Password requirements

When setting a password for simple sign-in, the following rules apply:

  • A minimum length of 8 characters

  • At least 1 lowercase letter (a - z)

  • At least 1 uppercase letter (A - Z)

  • At least 1 number (0 - 9)

  • At least 1 special character (!, $, #, or %)

Password validation includes checks to determine if the password specified for registration or reset is compromised.

Checks are made using the haveibeenpwned.com service with the k-anonymity model, to determine if a password has been leaked. If a specified password is found to be compromised, it cannot be used and you will be prompted to try again.

Password expiry

Patchworks passwords do not expire.

Users who sign in via Patchworks simple sign-in can choose to reset their password any time, from the Patchworks sign-in page. Alternatively, users with a Client Admin role can trigger password resets for other users in their company profile.

Password storage

Patchworks passwords are stored in an encrypted AWS database.

Password control

Passwords can never be viewed or accessed by users, irrespective of their role.

Managing your own password

Any logged-in user can change their password by selecting the change password option associated with their avatar (in the top right-hand corner of the dashboard). For further information please see: Managing your own user account.

Managing passwords for other users

Users associated with an administrator or manager role can trigger a password reset for any users in their company profile, via the Patchworks dashboard. For more information please see our Triggering a password reset for another user page.

Password reset links are valid for 24 hours. After this, another password reset must be triggered so a new link is emailed.

Passwords are never set on behalf of other users.

Forgotten passwords

Users can reset their password via a forgot your password link - this link is always available at the bottom of the sign in to Patchworks page:

Selecting this option displays a reset password page, where the user can enter their email address and trigger a password reset email:

The password reset email includes a link for the user to follow and reset their password.

Password reset links are valid for 24 hours. After this, another password reset must be triggered so a new link is emailed.

Google sign-in passwords

If a user registers their Patchworks account with Google sign-In, they won’t be aware of a ‘Patchworks password’ because they always sign in with Google credentials.

However, if a password reset is triggered for a Google sign-In user, they still receive a password reset email, which can be used to set a Patchworks password.

This does not affect the person’s Google sign-in, it just means they can choose to log in via Google or enter their email address and Patchworks password (simple sign-in).

External access

We have already noted that OAuth2 is used to authorise access to Patchworks via Google sign-in. In this scenario, Patchworks requests an access token from Google; once a token is received, it is used to request the required user information for the sign-in process.

However, OAuth2 is also used for clients who wish to access Patchworks services via a Patchworks API endpoint. In this scenario, Patchworks provides an access token to clients, which is used to authenticate API requests.

For further information please see our API help pages.

Last updated

#1409: Release notes - 11.12.24

Change request updated