Configure password policy and session settings
This guide shows you how to set password requirements, account lockout rules, and session timeouts for your organization’s admins.
Who can do this: Admins who have permission to configure security settings. Org owners can do this by default.
Before you start
Section titled “Before you start”- The system enforces a minimum password length of 12 characters. You can require more, but you cannot go below 12.
- If you tighten the policy and existing passwords no longer meet the new rules, MapleGather offers to send password-reset emails to those admins.
- Session settings apply to admin accounts in your organization. Member-facing sign-in is separate.
Configure the password policy
Section titled “Configure the password policy”- Go to
Admin & Security→ Security → Password policy. - Under Password strength, set your requirements:
- Minimum length — enter a number between 12 and 128.
- Complexity — check any combination of Uppercase, Lowercase, Digit, and Special character.
- Password history — enter a number between 1 and 24 to prevent reuse of recent passwords.
- Under Account lockout, set Max failed attempts to a number between 3 and 20. After this many failed sign-in attempts, the account locks.
- Under Session lifetime, configure:
- Remember-me session — how long a “stay signed in” session lasts before the admin must sign in again.
- Workstation session — how long an ordinary (non-remember-me) session lasts.
- Re-auth threshold for sensitive actions — how long an admin can be inactive before they must re-authenticate to perform sensitive actions (such as changing a password, adding a payment method, or granting an admin role).
- Click Save policy.
If some existing passwords fall below your new minimum length or complexity rules, a notice appears. Click Send password-reset emails to prompt those admins to update their passwords.
Configure magic-link TTLs
Section titled “Configure magic-link TTLs”Magic links are the sign-in links MapleGather sends by email — for admin invitations, password resets, and similar actions. Each link type has a default TTL you can override for your organization.
- Go to
Admin & Security→ Security → Magic-link policy. - Review the table of link types and their current TTLs.
- Enter an override value in the Org override column for any type you want to change.
- Click Save TTL overrides.
Verify
Section titled “Verify”- Password policy: You’ll know it worked when you see the “Policy saved.” confirmation message.
- Magic-link TTLs: You’ll know it worked when you see the “TTL override saved.” confirmation message.
If something goes wrong
Section titled “If something goes wrong”- “Minimum length cannot be below 12 — this is the system floor.” — Enter 12 or higher in the Minimum length field.
- Password-reset emails not delivered — Ask affected admins to check their spam folder. If the issue continues, contact MapleGather support.
- Session lengths not taking effect — Existing sessions use the policy that was in place when they started. Admins will pick up the new settings on their next sign-in.