Password Security Updates: FAQ

With the March release, we are changing one key thing: your members' passwords will no longer be visible as plain text. That may seem simple, but we know that your Member Only access is vital to your organization, and this one change may affect a number of your existing processes. Below, we've tried to answer all of your questions on what's changing, what's not, and why.

Q: Why are plain text passwords bad?

A: While your Member Portal may not exactly be a fortress of classified bank account numbers, it does contain your members' personal contact information and online bill pay options, which are things we need to keep secure. We cannot effectively protect against password hacking when the password entered into a login portal is compared against a plain text value in a database to decide whether that member is allowed to log in. So instead, moving forward we'll do something called "salting and hashing" passwords as they are created. This is the widely accepted standard for creating credentials on any website on the internet, and it's vitally important that we meet those standards for your members' protection.

Q: Will my members need to reset their password after this release?

A: Nope, all previously existing passwords have gone through the salt and hash (see above) and are stored in our central authentication database. That means they can log in with the password they've always used. If any of your members do experience an issue logging in, it may be because the email and/or username they're using does not match one they've used previously, and resetting their username and password for them will eliminate the issue (see below).
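As an added illustration of the salt-and-hash scheme described in the previous two answers (example code, not WebLink's own implementation or storage format): a random salt per password, PBKDF2-HMAC-SHA256 from Python's standard library, a constant-time comparison at login, and a one-time migration that turns existing plain-text passwords into salted hashes so members keep logging in with the password they already have. The record format, iteration count and sample members are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Hypothetical storage format used only in this example:
#   pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # deliberately slow; on the order of current OWASP guidance for PBKDF2-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a salted PBKDF2 record for `password`; a fresh random salt is drawn unless one is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count, then compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def migrate_plaintext_table(table: Dict[str, str]) -> Dict[str, str]:
    """One-time migration: replace each stored plain-text password with its salted hash.
    The member's password itself does not change, only the form in which it is stored."""
    return {username: hash_password(pw) for username, pw in table.items()}


# Constructed sample data for this example (not real member records).
PLAINTEXT_TABLE = {"alice@example.org": "Spring2024!", "bob@example.org": "Spring2024!"}

if __name__ == "__main__":
    hashed = migrate_plaintext_table(PLAINTEXT_TABLE)
    for user, record in hashed.items():
        print(user, "->", record[:40] + "...")
    # Same password, different salts: the stored records differ, so a leaked table
    # does not even reveal that two members chose the same password.
    print("records differ:", hashed["alice@example.org"] != hashed["bob@example.org"])
    print("existing password still works:", verify_password("Spring2024!", hashed["alice@example.org"]))
    print("wrong password rejected:", verify_password("spring2024!", hashed["alice@example.org"]))
```

Once migrated, nothing in the table can be displayed back to staff or a member; the only operations left are "verify" and "set a new password", which is exactly the change the rest of this FAQ describes.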

Q: I'm talking to a member on the phone who needs to know their password. How can I give it to them?

A: Well, our recommended best practice is to let the member set the password themselves. If the member (or related profile) has an email address listed, you can simply click "Send Password Reset Email," and inform your member that they should be receiving an email momentarily that will allow them to reset the password themselves. However, if they prefer for you to set it, you can enter a value into the Password field, click Save, and inform the member of the password you just entered. In this case you do "know" their password - but we're assuming that you're not a malicious hacker, and you already know your member's contact information, so while it's not the best practice it's certainly not going to compromise your database security the way a plain text password would.

Q: I entered a new password for my member but the field is still blank, did it save?

A: Yes, the password is salted and hashed (see above), and stored in our central user database. The text box you see in the member profile is only a way to create that password; you cannot see or read the value once it is saved. Remember that users can create their own password as long as they have a valid email address and are a member (or related to a member if applicable), so they will be able to set their own password whether one has previously been created or not.

Q: My member is having trouble logging in to our Member Portal. How can I fix this for them?

A: The most straightforward way to do this is to open their profile in WebLink, go to the Web tab/Portal tab, and save a new username and password for them. If you don't already have an email for the profile, enter that too - having a valid email in their profile will give them an easy way to always reset their own password.

Q: I've been sending my members their username and password via email in the Mass Communicator. How will that work now?

A: The [[PORTALLOGINLINK]] Special Field in the Mass Communicator will still do the job - but it will no longer display the plain text password in the body of the email. Instead, it will display the profile's Username, and a "Set Password" link of the profile you sent the email to. Click here for more details on what that Special Field looks like (step 5). Sending this link certainly doesn't mean members will HAVE to reset their password, but it gives them a quick and easy way to do so if they've forgotten, or have never logged in before. 

Q: I send links directly to the Online Bill Pay page, etc. using the Mass Communicator Special Fields so that my members don't have to enter their password. Will that still work?

A: Yup. Nothing about the Open Invoices Link, Profile Update Link, or any other direct Special Field hyperlinks are changing other than the Portal Login Credentials special field. That method has always used a different type of encryption that bypasses passwords entirely, and is not affected by this release.

Q: How do I let my new members know how to access the Member Portal?

A: This is an area where the updated [[PORTALLOGINLINK]] special field comes in especially handy. Once you've created the new member and all of their related profiles, you can send them a link to create their own password. As long as each profile has an email address, when you send an email through the Mass Communicator that contains the [[PORTALLOGINLINK]] special field, the new member will see their email address displayed as their username, and a link to set their own password. As soon as they've set that password, they can immediately access your Member Portal, without any intervention by you to manually set up a username or password for them. New portal credential creation will be completely hands-off for new members using this method! Of course, if you prefer to manually enter their username and password as something specific (or they don't have an email), remember that you can still do that. You'll just need to tell them what those credentials are using a method other than the Mass Communicator. Click here for a specific article on best practices for new member credentials. 

Q: I have two profiles with the same email address. How can they automatically reset their password?

A: When faced with two profiles that have the same email address (and are both members/related to members), the system will simply pick the first profile and update that one with the automated Password Reset link. There is no way to force the system to sometimes pick one profile, and sometimes pick a different profile. Our recommended best practice is to have unique email addresses on all profiles, but if that's not possible for any reason, you can still manually set a unique username/password combination on the Web/Portal tab of the profile that will allow the member to differentiate between the two when logging in. They'll just need to contact you if they need to make password changes, instead of making those automatically via email.

Q: I have members who have multiple individuals that need to log in as the Organization profile to view/pay bills in the Member Portal. How do I give them the Organization password if I can't see it?

A: You have a few options here. First, you can use automated links in the Mass Communicator to link Main Contacts and/or Billing Contacts to organizational portal pages directly, without requiring login. Second, you can go to the organization profile Web/Portal tab, reset the password, and inform the individual of the credentials that they can use. Of course, this will change the password if anyone else at that organization was also using the shared credential, so it's not ideal. A third option is to have the individual log in with their own, individual credentials, click to the Update Profile Information tab, and click View Invoices on the related member profile listed in their related profiles. The individual must be set as an "Editor" and you must have the View Invoices link enabled in your Member Portal, but this is the preferred method for allowing individuals to view/edit organization information. Click here for more info on configuring your system to allow this workflow. 

Q: We don't use the standard WebLink login page; we contract with a third party who built a custom one for us. Will that still work?

A: That depends. If you have a single sign-on (SSO) to a third-party site using our REST API, then yes, that will absolutely continue to work. However, if you are using another method to validate passwords by looking at the plain-text field in the member profile, that will no longer be available. If you are redirecting members to a WebLink page, we strongly recommend using the standard portal page that we provide to you (/portal/portallogin.aspx). If you are redirecting members to a non-WebLink page after login, you need to have your third party upgrade to use our current authorization methods, outlined here: http://developers.weblinkconnect.com/api-v1/api-authorization/

If you have further questions, please feel free to contact us via Chat or by submitting a ticket (above) and we would be happy to help! You can also submit feedback to us on any of these changes by clicking Submit an Enhancement Idea at the top of the page. 