Password Policy

February 7, 2024


Standard Password Requirements

These requirements are enforced on all accounts:

  1. A password must have a minimum length of 8 characters.
  2. A password must contain at least one lowercase letter, one uppercase letter, and one digit. (In other words, all three must be present.)

User Lockout

After 5 incorrect login attempts, the user will be locked out of Erply for 10 minutes. 

(An administrator can end the lockout from the Settings > Users module in back office.)

Password Reset

A user can reset their own password if:

  1. Their username is an email address, or
  2. There is an email address on their employee form.

When they request a password reset, a one-time link will be emailed to that address.

Account administrators can be notified about password resets. Depending on which system handles the password reset, the notification is either:

  1. emailed automatically to the general email address on the company card, or
  2. sent to the recipients configured in back office, Settings > Configuration Admin > Login & Security Settings.

Two-Step Authentication

Instructions for setting up two-step authentication are available here.

Optional Requirements

The following settings are available, and are configurable in back office, Settings > All Settings > Account Security Settings:

  1. A higher minimum length for administrators' passwords.
  2. A requirement that an administrator's password must contain at least one special character.
  3. Password history: users cannot reuse their previous 1 to 10 passwords.
  4. Mandatory password changes (password expiry).

See the instructions for setting up mandatory password changes.

Adjusting the minimum password length

The minimum required password length (8 characters) can optionally be increased. 

There is currently no back office screen for this setting, but it can be adjusted with the Account Admin API call PATCH /v1/configuration:

  • Setting name: minimum_password_length
  • Value: integer

In contrast to all the options listed in the previous section, the minimum password length is enforced on every login—not only when creating a new user account or updating a password.

  • In login.erply.com, a user who logs in with a password that is too short will be asked to choose a new, longer one before they can continue to back office or POS.
  • Erply back office and Brazil POS will show an error screen instead, asking the user to complete the login at login.erply.com.
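
The sketch below is an added illustration, not Erply's code, of why a raised minimum length can only be applied to existing passwords at login: the stored hash does not reveal the password's length, but the plaintext presented at login does. The function names, the return values, the PBKDF2 hash and the minimum of 12 are all assumptions made for the example.

```python
import hashlib
import hmac
import os

# Assumed value, as if an administrator had raised minimum_password_length.
MINIMUM_PASSWORD_LENGTH = 12


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hash a real system uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user(password: str) -> dict:
    """Create a constructed user record; only the salt and hash are stored."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def login(user: dict, password: str,
          minimum_length: int = MINIMUM_PASSWORD_LENGTH) -> str:
    """Return 'denied', 'must_change_password' or 'ok'."""
    candidate = hash_password(password, user["salt"])
    # Verify the password first, so the length response is only ever
    # shown to someone who already knows the current password.
    if not hmac.compare_digest(candidate, user["hash"]):
        return "denied"
    # The stored hash says nothing about length, so the check runs here,
    # on the plaintext the user has just presented.
    if len(password) < minimum_length:
        return "must_change_password"
    return "ok"


def change_password(user: dict, new_password: str,
                    minimum_length: int = MINIMUM_PASSWORD_LENGTH) -> bool:
    """Apply the same minimum when a new password is chosen."""
    if len(new_password) < minimum_length:
        return False
    user["salt"] = os.urandom(16)
    user["hash"] = hash_password(new_password, user["salt"])
    return True


if __name__ == "__main__":
    # Constructed sample: a password set under the old 8-character minimum.
    legacy = make_user("Abcdef12")
    print(login(legacy, "Abcdef12"))
    change_password(legacy, "Abcdef123456xyz")
    print(login(legacy, "Abcdef123456xyz"))
```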