Password Policy

December 7, 2022


Standard Password Requirements

These requirements are enforced on all accounts, and are not configurable.

  1. A password must have a minimum length of 8 characters.
  2. A password must contain at least one lowercase letter, one uppercase letter, and one digit. (In other words, all three must be present.)

User Lockout

After 5 incorrect login attempts, the user will be locked out of Erply for 10 minutes.

(An administrator can end the lockout from the Settings > Users module in back office.)

Password Reset

A user can reset their own password if:

  1. Their username is an email address, or
  2. There is an email address on their employee form.

When they request a password reset, a one-time link will be emailed to that address.

Account administrators can be notified about password resets. Depending on which system handles the password reset, the notification is either:

  1. Emailed automatically to the general email address on the company card, or
  2. Sent to recipients that can be configured in back office, Settings > Configuration Admin > Login & Security Settings.

Optional Requirements

The following settings are available and can be configured in back office, Settings > All Settings > Account Security Settings:

  1. A higher minimum length for administrators' passwords.
  2. A requirement that an administrator's password must contain at least one special character.
  3. Password history: users cannot reuse their previous 1 to 10 passwords.
  4. Mandatory password changes (password expiry).

See the instructions for setting up mandatory password changes.

Two-Step Authentication

Instructions for setting up two-step authentication are available here.