General security policy
The Contactlab platform helps users create strong, secure passwords and store and use them correctly. The main policies adopted are listed below.
Password expiration
Passwords can be used for a maximum of 60 days, after which they must be changed.
Starting 20 days before expiration, periodic notifications are displayed to remind users to update the password.
A password change notification is also displayed after more than 30 days without accessing the platform.
If the password is not changed within 30 days after expiration, access is suspended. In this case, the account can only be reactivated by Customer Support or by an administrator belonging to the same company.
Password length
Passwords must have:
- a minimum length of 12 characters;
- a maximum length of 72 bytes in UTF-8.
Password composition
Passwords:
- must contain at least:
  - one uppercase letter;
  - one lowercase letter;
  - one number;
  - one special character;
- must not begin or end with a space;
- must not contain trivial patterns (for example 1234, qwerty, etc.);
- must not contain more than three consecutive identical characters (for example 1111, aaaa, %%%%);
- must not contain the username or email address;
- must not contain emojis.
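A validator that applies the length and composition rules above, as an added example and not Contactlab's own code. The trivial-pattern list beyond 1234 and qwerty, the definition of "special character" (neither alphanumeric nor whitespace), the case-insensitive username/email match and the emoji heuristic are assumptions.

```python
import re
import unicodedata

# Constructed list: the policy names only "1234, qwerty, etc.", the rest is an assumption.
TRIVIAL_PATTERNS = ("1234", "qwerty", "password", "abcd")

MIN_LENGTH = 12   # characters
MAX_BYTES = 72    # UTF-8 bytes
MAX_REPEAT = 3    # more than this many identical consecutive characters is rejected


def _is_emoji(ch: str) -> bool:
    # Assumption: emoji are approximated as code points in the main emoji
    # blocks or in Unicode category "So" (Symbol, other).
    cp = ord(ch)
    return 0x1F000 <= cp <= 0x1FAFF or 0x2600 <= cp <= 0x27BF or unicodedata.category(ch) == "So"


def validate_password(password: str, username: str, email: str) -> list[str]:
    """Return the list of policy rules the password violates (empty when it passes)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("shorter than 12 characters")
    if len(password.encode("utf-8")) > MAX_BYTES:
        errors.append("longer than 72 UTF-8 bytes")
    if not any(c.isupper() for c in password):
        errors.append("no uppercase letter")
    if not any(c.islower() for c in password):
        errors.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        errors.append("no number")
    # Assumption: a special character is anything neither alphanumeric nor whitespace.
    if not any(not c.isalnum() and not c.isspace() for c in password):
        errors.append("no special character")
    if password != password.strip(" "):
        errors.append("begins or ends with a space")
    lowered = password.lower()
    if any(p in lowered for p in TRIVIAL_PATTERNS):
        errors.append("contains a trivial pattern")
    # Four or more identical characters in a row (e.g. 1111, aaaa, %%%%).
    if re.search(r"(.)\1{%d,}" % MAX_REPEAT, password):
        errors.append("more than three consecutive identical characters")
    # Assumption: the username/email comparison is case-insensitive.
    if any(v and v.lower() in lowered for v in (username, email)):
        errors.append("contains the username or email address")
    if any(_is_emoji(c) for c in password):
        errors.append("contains an emoji")
    return errors
```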
Password history
All password change events are recorded.
This makes it easier to monitor password changes and identify potential security issues.
Password protection
Passwords stored in the database are protected using secure hashing algorithms.
Password-related events logging
All password-related activities, such as failed login attempts, password recovery requests, and password changes, are recorded and can be reviewed in the Profile > Activity History section.
Wrong Username and Password
Refer to the next chapter for more details.
Password recovery
If a password is forgotten, a reset link can be requested through the email address associated with the Contactlab platform account.
The reset link opens a dedicated password recovery page where a new password can be set.
The reset link expires within 24 hours.
If access is detected from a different country or from an unusual location, an additional verification step is required using either a PIN or an OTP code:
- a PIN that was previously sent by email;
- an OTP (One-Time Password), generated in real time and sent by SMS to a previously verified mobile number.
Important notes
- If the PIN is entered incorrectly 5 consecutive times, the account is locked. If attempts stop after the fourth failed attempt and at least 30 minutes pass, the counter is reset and another 5 attempts are allowed. A global limit of 15 failed attempts still applies; once it is exceeded, the account is locked.
- If the OTP is entered incorrectly 50 times, the account is locked.
- Once locked, the account can only be reactivated by Customer Support.
The following conditions apply to OTP codes sent via SMS:
- a maximum of one OTP per minute can be requested;
- only the last three generated OTPs remain valid.