Password Security
Password requirements, rate limiting, and account security in Supascale.
Supascale implements robust password security measures to protect your administrative account from unauthorized access.
Password Requirements
When setting or changing your password, it must meet all of the following criteria:
| Requirement | Description |
|---|---|
| Minimum length | At least 12 characters |
| Uppercase letter | At least one uppercase letter (A-Z) |
| Lowercase letter | At least one lowercase letter (a-z) |
| Number | At least one digit (0-9) |
| Special character | At least one special character (!@#$%^&*()_+-=[]{};\|,.<>/?) |
Examples
Valid passwords:
- `MySecure@Pass123`
- `Supascale#Admin2024!`
- `Str0ng_P@ssword!`
Invalid passwords:
- `password123` - No uppercase, no special character
- `SHORT!1a` - Too short (less than 12 characters)
- `NoSpecialChar123` - No special character
Changing Your Password
- Go to Settings > Profile
- Click Change Password
- Enter your current password
- Enter and confirm your new password
- Click Save
Requirements:
- Current password must be correct
- New password must meet all requirements
- New password must be different from current
Rate Limiting
Supascale protects against brute-force attacks with rate limiting:
Limits
| Setting | Value |
|---|---|
| Maximum failed attempts | 5 |
| Initial lockout duration | 15 minutes |
| Attempt tracking window | 1 hour |
| Lockout escalation | Exponential backoff |
How It Works
- Failed login attempts are tracked per IP address
- After 5 failed attempts, the account is temporarily locked
- Lockout duration doubles with each subsequent lockout
- Successful login resets the counter
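The lockout policy described above, modelled in Python as an added example (not Supascale's own code); it assumes the 5th failure is still logged as auth.login_failed, that a lockout clears the failure counter, and that a successful login also resets the escalation, none of which the page states explicitly:

```python
from dataclasses import dataclass, field
from typing import Dict, List

MAX_FAILED_ATTEMPTS = 5            # values from the Limits table
INITIAL_LOCKOUT_SECONDS = 15 * 60
TRACKING_WINDOW_SECONDS = 60 * 60


@dataclass
class ClientState:
    failures: List[float] = field(default_factory=list)  # timestamps of failed attempts
    locked_until: float = 0.0
    lockouts: int = 0  # completed lockouts; each one doubles the next duration


class LoginRateLimiter:
    """Per-IP brute-force protection: 5 failures in an hour lock the client out."""

    def __init__(self) -> None:
        self.clients: Dict[str, ClientState] = {}

    def attempt(self, ip: str, password_ok: bool, now: float) -> str:
        """Process one login attempt and return the auth.* event it would be logged as."""
        st = self.clients.setdefault(ip, ClientState())
        if now < st.locked_until:
            # During a lockout even a correct password is rejected
            return "auth.login_blocked_rate_limit"
        # Only failures inside the tracking window count
        st.failures = [t for t in st.failures if now - t < TRACKING_WINDOW_SECONDS]
        if password_ok:
            st.failures.clear()
            st.lockouts = 0  # assumption: success also resets the backoff escalation
            return "auth.login_success"
        st.failures.append(now)
        if len(st.failures) >= MAX_FAILED_ATTEMPTS:
            # Exponential backoff: 15 min, then 30, 60, ... for each subsequent lockout
            st.locked_until = now + INITIAL_LOCKOUT_SECONDS * (2 ** st.lockouts)
            st.lockouts += 1
            st.failures.clear()  # assumption: a lockout starts a fresh attempt count
        return "auth.login_failed"

    def remaining_lockout(self, ip: str, now: float) -> float:
        """Seconds of lockout left for this IP (0.0 if not locked)."""
        st = self.clients.get(ip)
        return max(0.0, st.locked_until - now) if st else 0.0
```

Running the event names through the same Activity Logging filter the page describes shows the moment an attacker's guesses turn into blocked attempts, and lets you confirm the doubling from the timestamps alone.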
If You're Locked Out
- Wait for the lockout period to expire
- Try logging in again with the correct password
- If you've forgotten your password, contact your system administrator
Session Security
Session Duration
- Sessions are valid for 24 hours
- After 24 hours, you'll need to log in again
Session Management
- Sessions use secure, HTTP-only cookies
- JWT tokens are signed with a secret key
- Sessions are invalidated on logout
Best Practices
Creating Strong Passwords
- Use a password manager: Generate and store unique passwords
- Avoid personal information: Don't use names, birthdays, etc.
- Use passphrases: Combine random words with numbers and symbols
- Unique per service: Don't reuse passwords
Account Security
- Don't share credentials: Each admin should have their own account
- Log out when done: Especially on shared computers
- Monitor activity: Review login history regularly
- Update regularly: Change passwords periodically
Activity Logging
All authentication events are logged:
| Event | Description |
|---|---|
| auth.login_success | Successful login |
| auth.login_failed | Failed login attempt |
| auth.login_blocked_rate_limit | Login blocked due to rate limiting |
| auth.password_changed | Password was changed |
Viewing Login History
- Go to Settings > Activity
- Filter by authentication events
- Review login attempts and changes
Initial Setup Password
When first installing Supascale, set a strong password via environment variable:
```bash
ADMIN_PASSWORD=YourSecure@Password123
```
Important: Change this password immediately after first login.
Password Recovery
Supascale doesn't currently support self-service password recovery. If you've forgotten your password:
- Access the server directly
- Reset the password via environment variable
- Restart Supascale
- Log in with the new password
- Change the password through the UI
Security Recommendations
- Use unique passwords: Don't reuse your Supascale password elsewhere
- Enable HTTPS: Always access Supascale over HTTPS
- Limit network access: Restrict access to trusted IPs if possible
- Monitor logs: Watch for failed login attempts
- Keep updated: Install security updates promptly