Data security is vital to any modern business, with password management forming a key part of your data security policy. With the latest Eploy update, you can now manage passwords for your key stakeholders and help to further protect your data.
Whether it is hiring managers, candidates, vendors or core system users, the new password protection features can ensure that every aspect of your Eploy ecosystem can receive additional protection.
To manage password security settings, go to Admin – Security Settings on the Eploy menu. This is then broken down by user type, allowing you to manage each set of database users differently.
Note – This section of the system is controlled by your user permissions. If you do not have access, please contact your admin user.
The settings are broken down by user type, so you can set different password requirements, depending on the level of data a user has access to. For example, vendors have very limited access to any personal information so they may not need as strict a policy as your core system users. However, many of the settings available will be applicable to all user types.
This first section controls the Password Policy settings and includes options for required length, strength and expiry.
- Minimum Password Length - This is the minimum number of characters that are required for the password.
- Use Password Strength – This allows you to manage the minimum requirements of the password: strong or very strong. A strong password would require at least three of the following character types, whilst a very strong password would require ALL of the following:
  - Uppercase (A, B, C etc.)
  - Lowercase (a, b, c etc.)
  - Numeric (1, 2, 3 etc.)
  - Special Character (£, $, @, %, etc.)
- Enforce Password History – This setting stops users from re-using recently used passwords. When a password expires, the user will need to update it and avoid repeating any of their most recently used passwords. Entering 1 here will prevent users from reusing their current password, whilst entering zero will allow candidates to use the same password again. If you were to enter 3 here, the candidate cannot use the last 3 passwords they have used.
- Maximum Password Age - This field can allow you to determine the period of time in days that a candidate can use their password before it needs to be changed. Entering zero here will mean that the password has no age/shelf-life & therefore will never need to be changed.
- Allow Remember Username – This will allow the user to save their username within their browser, making logging into the portal easier. By unchecking this option, the user will need to enter their username each time they access the portal.
- Allow Autocomplete – This will allow the user to save their username and password within their browser, making logging into the portal easier. By unchecking this option, you can stop the browser from saving the details for this user; they will need to manually enter the details each time they log in.
- Allow Forgotten Password – This setting will allow the user to trigger an email to their designated email address in order to reset the password.
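To make the interaction of these settings concrete, the following is an added illustration and not Eploy's own code: a small Python model of the length, strength, history and age rules as described above. The names `Policy`, `check_new_password` and `is_expired` are hypothetical, and treating any non-alphanumeric, non-space character as "special" is an assumption.

```python
import hashlib, hmac, os
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Policy:
    min_length: int = 8        # Minimum Password Length
    strength: str = "strong"   # "strong" = 3 of 4 classes, "very strong" = all 4
    history: int = 3           # Enforce Password History; 0 allows reuse
    max_age_days: int = 90     # Maximum Password Age; 0 = never expires

def char_classes(pw):
    """Count how many of the four character classes appear in pw."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        # Assumption: "special" means not a letter, digit or whitespace.
        any(not c.isalnum() and not c.isspace() for c in pw),
    ])

def hash_pw(pw, salt=None):
    """Salted PBKDF2 digest, so the history never holds plaintext passwords."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def in_history(pw, stored, depth):
    """stored is newest-first [(salt, digest), ...]; stored[0] is the current password."""
    return any(hmac.compare_digest(hash_pw(pw, s)[1], d) for s, d in stored[:depth])

def check_new_password(pw, policy, stored):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append("too short")
    needed = 4 if policy.strength == "very strong" else 3
    if char_classes(pw) < needed:
        problems.append(f"needs {needed} of 4 character classes")
    if policy.history and in_history(pw, stored, policy.history):
        problems.append("matches a recently used password")
    return problems

def is_expired(last_changed, policy, now):
    """A Maximum Password Age of zero means the password never expires."""
    if policy.max_age_days == 0:
        return False
    return now - last_changed > timedelta(days=policy.max_age_days)
```

With a history of 3, the fourth-oldest password becomes usable again, and a history of 1 blocks only the current password.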
The second section deals with the Lockout Settings, which is where you can control what happens when invalid passwords are entered into the portal.
- Show CAPTCHA After How Many Invalid Attempts - CAPTCHA is a computer program that protects websites against robots by generating & grading tests that humans can pass but an automated system cannot.
You can set how many invalid attempts a user can have when trying to log on. As an example, if you were to type 3 in this field, the user will have 3 attempts before they are shown a CAPTCHA test.
- Reset Invalid Attempt Counter Period (Minutes) - You can also set up the amount of time in minutes that the CAPTCHA program is in place for after the user has exceeded their number of invalid logon attempts.
The default setting for this field is 15, which would mean that once the user has exceeded their number of login attempts (defined in the Show CAPTCHA After How Many Invalid Attempts setting), they will have to wait 15 minutes before they can attempt to log in to the system & NOT get the CAPTCHA grading test.
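How the two lockout settings combine can be seen in this added illustration, which is not Eploy's own code: a per-username counter of invalid attempts that triggers the CAPTCHA at the threshold and resets after the configured period. The class names are hypothetical; measuring the reset period from the most recent invalid attempt, and clearing the counter on a valid login, are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class LockoutSettings:
    captcha_after: int = 3    # Show CAPTCHA After How Many Invalid Attempts
    reset_minutes: int = 15   # Reset Invalid Attempt Counter Period (Minutes)

@dataclass
class LoginTracker:
    settings: LockoutSettings
    # username -> (invalid attempt count, minute of the last invalid attempt)
    failures: dict = field(default_factory=dict)

    def _count(self, user, now):
        count, last = self.failures.get(user, (0, now))
        # Assumption: the reset period runs from the most recent invalid attempt.
        if count and now - last >= self.settings.reset_minutes:
            self.failures.pop(user, None)
            return 0
        return count

    def captcha_required(self, user, now):
        """True once the user has used up their invalid attempts."""
        return self._count(user, now) >= self.settings.captcha_after

    def record_failure(self, user, now):
        self.failures[user] = (self._count(user, now) + 1, now)

    def record_success(self, user):
        # Assumption: a valid login clears the counter.
        self.failures.pop(user, None)

def timeline(settings, failure_minutes, probe_minutes, user="candidate"):
    """Replay invalid attempts, then report captcha_required at each probe minute."""
    tracker = LoginTracker(settings)
    for minute in failure_minutes:
        tracker.record_failure(user, minute)
    return [tracker.captcha_required(user, m) for m in probe_minutes]
```

With a threshold of 3 and the default 15 minutes, three invalid attempts at minutes 0, 1 and 2 keep the CAPTCHA in place until minute 17.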
Third Party Authentication
This section controls the social media access settings on the Candidate Portal. If active, it allows candidates to login to their candidate profile using their social media credentials. This is available with Facebook, Google and LinkedIn.
When these details are used to login to the portal, the candidate’s email, personal details and passwords are generated from their social media profile. Their profile picture from the social media account will also be taken from the profile to be used within the candidate record.
Note – if you would prefer that images were not taken from the social media account, you can untick the option for the profile picture specifically. This will allow candidates to log in using the social registration features, but will not take the picture.
These options can then be accessed on the registration & login pages, by clicking on the relevant icons.
When you have configured your Password Policy settings, click Save to confirm. Any changes will apply immediately to your portal and affect the selected user type.
Standard Users, Hiring Managers & Vendors Password Security Settings
As the core user, you can also set the Password Security Settings for other standard users, hiring managers & vendors. However, there are some additional settings that apply to users of the system, depending on which portal they access.
Third Party Authentication for Hiring Managers / Vendors
If these settings are active for hiring managers or vendors, they will be able to log into the portal as normal, then associate their third party accounts within the settings menu. Once they have done this, the next time they log in to the portal, they will be able to use any of the available third party options. This is particularly useful for single sign on with G-Suite Accounts.
Permitted IP Access
In this section, you can determine the IP addresses your users use to access the system.
An IP address (Internet Protocol address) is an identifier assigned to each computer & other device (e.g. mobile device, tablet, etc.) connected to a TCP/IP network that is used to find & identify the node in communications with other nodes on the network.
To add an IP address to this list, click add then enter the required IP address. Clicking Save will then mean that those user types will only be able to access their portal from the designated IP. If you want to ensure your team aren’t accessing the database away from the office, then this is a good way to put that restriction in place.
Leaving this section blank will mean that the user type will be able to access the system from anywhere or any device.
Note – whilst these are global settings and will apply to all users of that type, you can also update this on an individual user basis. To do this, click into each user profile (within Admin – Users) and update the Permitted IP access settings.
Password Merge Fields
As part of the security upgrade, any merge fields for passwords will no longer be available when sending emails to hiring managers or vendors. This is to help protect the integrity of the password and ensure that no one has access to the portal when they shouldn’t.
As an alternative to emailing passwords, any hiring managers or vendors should be prompted to use the forgotten password link where they can reset their passwords.