Most LeakTrace customer surfaces do not use passwords. The exceptions and the password policy are below.
Surfaces with no password
Every business product — Scope audit dashboard, monitoring dashboard, customer hub, website editor, BEC audit report, auditor read-only — uses token URLs. The link itself is the credential. No password to remember, no password to leak.
Surfaces that still use a password
The legacy individual product (/dashboard/, /monitoring/, /account/ when accessed via Django auth) uses a username + password login. If you signed up before the business product launch, this applies to you.
Password policy
- Minimum 12 characters.
- No reused breached passwords. We check against the HIBP database at registration and on password change.
- Stored with bcrypt hashing (Django's default), salted, never recoverable in plaintext.
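The length and breach rules above, as an added example (not LeakTrace's own code). The page does not say how the HIBP check is made, so this assumes the Pwned Passwords range API, which receives only the first five hex characters of the password's SHA-1 hash. The function names, the constructed sample data and the fail-closed choice are assumptions.

```python
import hashlib
import urllib.request

MIN_LENGTH = 12  # minimum length from the policy above
RANGE_URL = "https://api.pwnedpasswords.com/range/"  # HIBP Pwned Passwords range API

def fetch_range(prefix):
    """Fetch all hash suffixes for a 5-character SHA-1 prefix (network call)."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("ascii")

def breach_count(password, fetch=fetch_range):
    """Return how often the password appears in the breach corpus (0 = not found)."""
    # SHA-1 is dictated by the API; only the 5-character prefix leaves this process.
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        # Padded responses contain decoy suffixes with a count of 0.
        if candidate.upper() == suffix and count.isdigit():
            return int(count)
    return 0

def policy_errors(password, fetch=fetch_range):
    """Return the policy rules the password violates (empty list = accepted)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("too_short")
    try:
        if breach_count(password, fetch) > 0:
            errors.append("breached")
    except OSError:
        # Assumption: fail closed when the breach service is unreachable.
        errors.append("breach_check_unavailable")
    return errors

def constructed_range(prefix):
    """Offline stand-in for fetch_range, built from two constructed passwords."""
    lines = []
    for pw, count in (("correcthorsebattery", 37), ("padding-decoy-entry", 0)):
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)

if __name__ == "__main__":
    for pw in ("short", "correcthorsebattery", "padding-decoy-entry"):
        print(pw, policy_errors(pw, constructed_range))
```

Running both checks at registration and on password change, as the policy describes, means calling `policy_errors` in both code paths before the new password is hashed and stored.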
Reset a password
Use the Forgot password link on the login page. We email a one-time reset token to your registered address. The token expires in 24 hours.
Two-factor authentication
Two-factor is not currently offered on the legacy individual product. It is on the roadmap. For business products, the security model is the token URL — which provides equivalent protection if you treat the link as you would a password (do not share, do not commit to public repos).