Skip to content

Account Security: Login and Password Management

This page covers how to manage login attempts, password requirements, and user credentials in Evergiving, ensuring compliance with security best practices and PCI DSS requirements.

Logins

How Many Login Attempts Are Allowed before a User's account is Locked?

  • Users will be locked out of Evergiving for 30 minutes after 6 consecutive incorrect password attempts.
  • A warning is issued after the 5th incorrect attempt.
  • The system does not reset the incorrect attempt count unless a correct login occurs, meaning spread-out incorrect attempts will still lead to a lockout on the 6th failed attempt.
  • Once locked, no actions, such as updating passwords, can unlock the account until the 30-minute lockout period has expired.

Tip: On the 5th attempt, it's best to use the password reset option to avoid being locked out.

Why is My account Locked?

A common reason for account lockout is multiple users sharing the same login credentials. This is not only a security risk but also a violation of PCI requirements. Each user should have their own unique login to ensure:

  • Accountability for actions taken in the system
  • Clear audit trails in the logs
  • Prevention of system-wide lockouts due to shared credentials

To solve this, create separate user accounts for each person who needs access to the system. Admins can do this via the Users page in the Admin panel of Evergiving.

Passwords

Individual Accounts

Each user must have a unique login for security, auditability, and compliance reasons. The main reasons for using individual accounts include:

  • PCI DSS compliance.
  • Best practice for data security.
  • Avoiding system-wide lockouts when a shared login fails.
  • Maintaining clear audit trails of changes made to pledges and accounts.

Password Requirements

Passwords must meet the following criteria:

  1. Users with access to donor data (Pledges Tab):

    • Minimum of 12 characters.
    • Must include both numeric and alphabetic characters.
    • Changed every 90 days.
    • Cannot reuse the previous 4 passwords.

    • All other users:

    • Minimum of 6 characters.

Additional Recommendations for User Account Management

To enhance account security, we recommend incorporating the following practices, particularly for organizations under PCI compliance:

  1. Assign unique logins to all users (no sharing).
  2. Implement policies for adding, deleting, and modifying user accounts.
  3. Immediately revoke access for terminated users.
  4. If you believe your password has been compromised, reset it immediately.