Password Management

Follow

Comments

36 comments

  • Avatar
    Lynnell Brunswig

    Thanks for this.  Would you please address how new members initially receive their login/password information?

  • Avatar
    Merilyn Oda

    My question is also how will new members receive their login info?  

    And we don't get to see what we're typing if we change the password for the member?  Even if it's a generic word, seeing what's being typed would be helpful.

  • Avatar
    Chris Byess

    Hi Lynnell and Meriyn,

    For the username, when a member takes a form, a username is still automatically generated. This can be merged into the confirmation email that is sent out once the user completes a form, so they will still be able to see their username inside of an email. For the password, we suggest you now place 'password' as a field linked to the attribute within your forms. This will allow the member to chose a password for themselves.

    As for the the hiding of the password while it is being typed, this was a part of the function that our team deemed necessary to keep the password hidden from prying eyes. Many of our organizations need to access their site at live events, so we want to ensure that security is maintained in these situations.

  • Avatar
    Joan Hamasu

    Just so I'm clear, here are my questions:

    1.  When a members fill out an application we have designated their email addresses be used as their usernames.  This will still be allowed, correct?  

    2. We have asked that passwords be automatically generated as random numbers and letters.  Will this still happen?

    3.  When a confirmation is sent in response to a form being filled out or when we sent out our Welcome email to new members, it contains ##password##.  This will allow users to receive their passwords even if we can't see it, correct?

    4.  When members call us we will not be able to email them their password because we will not be able to see it?

    Thanks

  • Avatar
    Gwen Pearson

    The question about ##password## is critical -- in two days we will be emailing our members for renewal using that feature.

    Will they get their actual password, or will they get something else? 

    I'd really rather not have a hundred confused emails on Monday.

     

  • Avatar
    Kinsey Mahan

    @Joan - I've answered your questions in bold below.

    1.  When a members fill out an application we have designated their email addresses be used as their usernames.  This will still be allowed, correct? Correct. Usernames will still be generated as the user's email address.

    2. We have asked that passwords be automatically generated as random numbers and letters.  Will this still happen? On application forms, new passwords will still be randomly generated. We recommend dropping a Password attribute onto your application forms, which will allow new applicants to choose their passwords.

    3.  When a confirmation is sent in response to a form being filled out or when we sent out our Welcome email to new members, it contains ##password##.  This will allow users to receive their passwords even if we can't see it, correct? For privacy purposes, MemberClicks will no longer send out passwords via email. Instead, the Forgot Password link should now be included on all application/renewal/expiration warning/event confirmation pages in place of the ##password## merge, so if users want to reset their password they can simply click their link and update their password through the email they receive. To include the Forgot Password link, edit the message and click Site Links. In the modal window that pops up, click System Pages > choose Forgot Password from the dropdown > click Insert Link. I've updated the article above to reflect those steps under FAQs.

    4.  When members call us we will not be able to email them their password because we will not be able to see it? Correct. In place of emailing members their password, we recommend emailing them the Forgot Password link referenced above so that they can easily reset their password.

    @Gwen - The Forgot Password link should now be included on all application/renewal/expiration warning/event confirmation pages in place of the ##password## merge, so if users want to reset their password they can simply click the Forgot Password link and update their password through the email they receive. To include the Forgot Password link, edit the message and click Site Links. In the modal window that pops up, click System Pages > choose Forgot Password from the dropdown > click Insert Link. I've updated the article above to reflect those steps under FAQs.

  • Avatar
    Blake Jeffery

    Terrible change.  My 260 members rarely remember their passwords and rely on it being merged into email notices.  We also send the information to new members using the merge tool.  I'm assuming I missed the discussion about whether this was a good thing for everyone using the system.

     

  • Avatar
    Adrienne Bryant

    This is actually a great and much anticipated change. Can you imagine one of your members suing you because their password was sent unsecured via email and their email or your email system were hacked causing all sorts of problems? A lot of people STILL use the same password for everything (including bank accounts). While it may not be the fault of the organization, all it takes is ONE person to say it is and you get the rest. Now I may be taking it to the extremes, but better safe than sorry. Plus, every IT person will tell you that you should not send passwords via email.

    This honestly will be all in how you present the change to them. I'm assuming this hasn't been rolled out to everyone yet, so work with the MC team on the roll-out. Now that you know what is going to happen, let your members know and remind them this is for their safety. Also, a good time to remind them that they may want to change up their passwords (and even offer suggestions/links to creating a strong and memorable password). It's all about your attitude and the message you send. If you are frustrated with change then you send the frustration on to your members and then they are frustrated as well. Just a thought.

     

    Adrienne

  • Avatar
    Katy Kranze

    We are a state association and our national association handles a new members application, meaning I manually add new members. I typically assign them a generic password with instructions on how to reset the password. When I create a new profile, will the new system assign a random password to a new member? And if so, how can this password be communicated to the new member?

  • Avatar
    Joy Troyer

    When will this change take effect?  We need time to make the changes and this is a very busy time for us.

  • Avatar
    Gail McMahon

    Kinsey, the Forgot Password link is not listed in my System Pages available for insert.

     

  • Avatar
    Gail McMahon

    Another question:

    I often have to enter people by hand, due to the fact that our membership is connected to our college fair registrations. How will the password be handled in that respect?

  • Avatar
    Chris Byess

    Hello everyone!

    In the order in which you submitted your questions, I am going to answer them below.

    Katy,

    If you are adding members through a member application form, then by having a 'password' field on the form, you will be able to delete the randomly generated password that is assigned to the field and enter a password of your choosing. If you do not have a 'password' field, then the password will be randomly generated. If you are adding a member manually by building their profile on the back end, you will still be able to choose their password. As for how a password can be communicated to a member, by referring them to the 'forgot your password' link that is explained inside the article, they will be able to reset it and know exactly what it is.

    Joy,

    This change will take effect on January 19th.

    Gail,

    If you are creating someone's profile for them, then you will still be able to enter in their password, whether on a form or in the back end. While you will no longer be able to look at someone's profile and pull their password to log in as them, if you need to take the form on behalf of an already existing user, you can still do so under the 'View Transactions' tab within their profile on the back end.

    As for not seeing the 'Forgot Password' link under the 'System Pages,' that will appear once the change has been rolled out.

     

  • Avatar
    Katy Kranze

    Chris, We do add all new members manually by building their profile on the back end. Honestly, the suggestion to refer all new members to "forgot your password" is embarrassing and unprofessional and I would hate for that to be our new members first impression. If I were a new member who received my username and a link to "forgot your password" I would be very confused thinking "I did not forget my password, I never even had a password!"

    I suggest that MemberClicks create a "create your password" link within System Pages for the MemberClicks users who create member profiles on the back end. I love MemberClicks, but I hope you can make a few tweaks before the new system is rolled out to cater to MemberClicks users who do not use forms to create profiles. 

    Thank you!

  • Avatar
    Chris Byess

    Hi Katy,

    To further clarify, as shown in the article above, you can create a link to the password that does not say 'forgot your password,' but instead says whatever phrase you wish. You will then be able to place this link inside an email, an article, or attach it to a menu item using the site links function under whatever name you feel appropriate. I used the term 'forgot your password' only as it is the default term. For further explanation on this process, I would suggest taking a look at the 'FAQs' section of the article above, where the creation of this link is detailed.

    If you have any further questions or concerns on this topic, feel free to write us a ticket at help@memberclicks.com, and we'll be happy to discuss this further.

  • Avatar
    Tarnya Cox

    HI, I've implemented all the recommended changes, including inserting a password field on the form.  I've just had my first new member application since implementing those changes and I've noticed that in the profile view there is the randomly generated password and in the form transaction view, there is the password that the new member selected for themselves.  Which password is going to work on the profile?  Should I update the profile view password to that entered by the user?  I assume that this will happen automatically after Jan 19 and that I have just got in early...?  cheers :)

  • Avatar
    Christina Dragonetti

    Question: When someone unsubscribes from mass emails, then wants to be added back, in the past I've logged in as that person and changed the setting in their profile. I have tried walking someone through the process, but frankly the setting is buried so deeply it was very confusing and difficult for the member. Given that we can't login as a member anymore, how should I re-subscribe people to mass emails?

  • Avatar
    Duncan McCreery

    @Tarnya, we've got a ticket opened up for you so we can look at the specifics of that receipt and profile.

    @Christina, that's a really good point that didn't come up in our beta process.  We've got a change that's going to be in place before the rollout that will allow admins to change the subscription option from the admin view of the profile, under Contact Preferences.  That should make things easier for you all around.  Keep an eye out in our Announcements forum for when that change becomes live.

  • Avatar
    Christina Dragonetti

    Thanks Duncan!

  • Avatar
    Christina Dragonetti

    I think I'm confused on the timing here. I have 27 auto-renewal messages, plus 2 "welcome" messages, plus receipts for 5 forms that need to have this "forgot password" link added (to replace the merged ##password##), but I think - if I'm reading this correctly - that link won't be available until the 19th when the passwords are going to be hidden and non-mergeable. So I'm going to have dozens of messages and receipts going out on the 19th with nothing listed in the ##password## field until I can get through updating all of those instances where we currently have ##password##? Is there any way to make that link available now so I can start working on this?

  • Avatar
    Christina Dragonetti

    I'd also like to know if Tamya's situation (quoted below) is specific to that form/user or if this is a problem I'll have if I add the "password" attribute to my forms now?

    "HI, I've implemented all the recommended changes, including inserting a password field on the form.  I've just had my first new member application since implementing those changes and I've noticed that in the profile view there is the randomly generated password and in the form transaction view, there is the password that the new member selected for themselves.  Which password is going to work on the profile?  Should I update the profile view password to that entered by the user?  I assume that this will happen automatically after Jan 19 and that I have just got in early...?"

     

  • Avatar
    Gail McMahon

    Ditto to everything Christina asked above!

     

  • Avatar
    Duncan McCreery

    Hi Christina and Gail, the links for the new password handling won't work until after the change has been made, so I wouldn't recommend updating beforehand.  But we can certainly let you know what they will be if you send us an email to help@memberclicks.com.  We'll send the URL specific to your site.  It might be best if we use that ticket to coordinate exactly when the change will be made with you and we can help with the transition one-on-one.

    Regarding Tarnya's comment, the issue was specific to that form.  You won't see an issue on your form(s) when you add the password attribute - it'll automatically update the profile similar to other attributes.

  • Avatar
    Joy Troyer

    1.  Will the confirmation PAGE still allow us to put the password on it?  This isn't the email, but the page at the end of the application process.

    2.  When I export a profile and select all the fields, will the password field be in the list of fields or will it be excluded (kind of like the "CC Security Code" field is no longer in the list of fields for receipts exports?  If the password field is in the exported file, will it have data in it or be blank?  If the password field is not in the exported files, will the order of the exported fields change or will it be the same, just missing that one field?

    3.  When we tried to add the link for "Forgot Password" into our email (following the directions in the nifty animated answer above), there was no entry for "Forgot Password" in our list of system links.  How do I get that into my list of links?

    Obviously, we need to know the answers to these things pretty quickly (since it goes into production on Monday).  Thanks.

  • Avatar
    Duncan McCreery

    Hi Joy, answers to your questions are below:

    1.  After these changes, password won't be available as a merge attribute anywhere, including the confirmation page.
    2.  I understand your group is doing some specific things with receipts so the order and number of columns is especially important.  We'll follow up in the ticket we already have open to make sure we're on the same page and that there isn't an unexpected disruption to your processes.
    3.  The link will only appear as an option after the rollout because it won't work until the update has been made to your site.  That said, we'll provide the URL for your site in the ticket we have and we can coordinate schedules there as well.  Keep an eye out for additional info specific to your group in the ticket you have open with us.

    More generally, the rollout begins next week, but it will take a few weeks to complete.  Unless you have made specific arrangements with us by emailing help@memberclicks.com, we will send an email 7-10 days before the specific date when your site will receive the update.

  • Avatar
    Brenda Adams-Weyant

    So what I am hearing is that we cannot update our forms and expiration messages until MC has updated our websites.  Once you update our websites, we should act immediately to make all these updates.  It is possible to suspend the sending of the renewal messages so that we can fix them without the risk of out-of-date messages being sent?   Is there anything we can do in the mean time - like remove #password# fields in forms and messages.  It would be very helpful if MC provided a generic transition process/timeline to help us understand the various steps in the process and when we need to act.  It would also be helpful to have a list of the potential places where the #password# merge field could be used, so we can make sure we've caught all instances.  There are a lot of nooks and crannies in the MC system, and if it has been a while since you've been to that page/setting, it easy to overlook it.  Knowing how to make the update is one thing, now help us prepare for it.

  • Avatar
    Duncan McCreery

    Hi Brenda,

    Thanks for the note, let me try and clarify.  You can update the forms to add the password attribute so applicants can set their own passwords today.  If you also want to add the link to reset the password in a contact center email or confirmation email, that will have to wait until after the update has been made to your site.  Although it's a good idea, it should be less of a need if users are setting their own passwords on the forms rather than being assigned a random one as in the past (assuming the password field is new to your forms, you may have had this in practice already).  The forgot password link on the login page of your site will automatically switch when the update is applied to your site.

    Part of the challenge with this transition is that every site is set up a bit differently and organizations have a wide-range of workflows. The information above is broadly applicable to all sites, but we do recommend emailing us so we can work together on a transition schedule specific for your group.

  • Avatar
    Joy Troyer

    In testing the "Forgot Password" function, I put in my own email address and asked for my password.  I got 6 sets of usernames and passwords.  However, only one of those is "valid" and "active."  The rest were test records now set to "invalid" or "inactive".  It is possible that this could also happen for a member.  We may have set a record to inactive and they may now re-join the society.  We would only want their active record to be used when sending their forgotten password.  Is there a way to set this function so that it doesn't send passwords of invalid or inactive records?

  • Avatar
    Duncan McCreery

    Hi Joy, you've hit on another significant problem with the pre-update to password handling: users with the same email address in duplicate accounts receive a very confusing email.  After the update, users with duplicate accounts will be instructed to contact the administrator when they request a password reset (since there isn't a way for us to know which account they were trying to receive the credentials for) which will prompt you to consolidate or update the records if you want.

  • Avatar
    Carrie Tate

    Hello, MemberClicks team! We just tried to update our expiration messages and noticed the "forgot password" system page is not listed as an option. Was this change implemented as planned yesterday? We would like to make the change to our messages and forms as soon as the changes have been implemented on your end so there's no confusion with our members. Please let us know when to expect the change. Thank you!

Please sign in to leave a comment.