We strengthened our password security in two ways in this release.
- A modernized weak-password blocklist - replacing a list that had not been updated since 2015.
- Retroactive enforcement - users whose existing passwords do not meet the current policy will be prompted to update them at next login.
Both changes address findings from recent security penetration tests and bring the platform in line with current security standards.
1. Updated Weak / Common Password Blocklist
The list used by the "Avoid commonly used popular passwords" setting has been fully updated.
Before vs After
| Before | After |
|---|---|
| A limited list of common passwords, unchanged since 2015. | A significantly expanded and modernized list, aligned with current security standards. |
| Only simple, well-known passwords were caught (e.g., password1, 123456). | Catches a much broader range of weak patterns, including passwords built from common words, names, and predictable variations (e.g., password123, test1234). |
Examples of Passwords that were accepted before and are rejected now
To give a sense of what the update catches, here are a few concrete examples:
- test1234! > previously accepted; now rejected as a common word with a predictable suffix.
- Password1234 > previously accepted; now rejected as a common password with a predictable suffix.
- Smith123 > previously accepted; now rejected because "Smith" is a very common name.
- baseball / dragon > previously accepted; now rejected as common passwords.
Note: The examples above are illustrative, not exhaustive. Any password that is weak, predictable, or commonly used will now be caught.
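The examples above all share one property: once case, trailing digits and symbols, and the usual character substitutions are stripped away, what remains is a common word, name or password. The following Python block is an added illustration of that kind of normalized blocklist check; it is not the product's own code, and the small word, name and password sets in it are constructed stand-ins for the real list, which is not published.

```python
import re
from typing import List, Optional

# Constructed sample lists. The product's actual blocklist is not published;
# these few entries are illustrative only.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "baseball", "dragon"}
COMMON_WORDS = {"test", "admin", "welcome", "summer", "monkey"}
COMMON_NAMES = {"smith", "jones", "garcia", "miller"}

# Reverse the usual character substitutions so that "p@ssw0rd" becomes "password".
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"})

# Leading and trailing runs of digits/symbols, e.g. the "1234!" in "test1234!".
_EDGE_NOISE = re.compile(r"^[^a-z]+|[^a-z]+$")


def candidate_forms(password: str) -> List[str]:
    """Normalized variants of the password, most literal first, without duplicates."""
    lowered = password.lower()
    core = _EDGE_NOISE.sub("", lowered)  # drop predictable prefix/suffix decoration
    forms = [
        lowered,
        core,
        core.translate(_LEET),
        _EDGE_NOISE.sub("", lowered.translate(_LEET)),
    ]
    return [f for f in dict.fromkeys(forms) if f]  # dedupe, keep order, drop empties


def weak_password_reason(password: str) -> Optional[str]:
    """Return why the password is weak, or None if no blocklist category matches."""
    for form in candidate_forms(password):
        category = None
        if form in COMMON_PASSWORDS:
            category = "common password"
        elif form in COMMON_WORDS:
            category = "common word"
        elif form in COMMON_NAMES:
            category = "common name"
        if category:
            note = "" if form == password.lower() else " (after stripping predictable decoration)"
            return f"{category} '{form}'{note}"
    return None


if __name__ == "__main__":
    # The release note's own examples, plus one leet variant and one passphrase.
    for candidate in ["test1234!", "Password1234", "Smith123", "baseball", "dragon",
                      "P@ssw0rd!", "correct horse battery staple"]:
        reason = weak_password_reason(candidate)
        print(f"{candidate!r}: {'rejected, ' + reason if reason else 'accepted'}")
```

The check tests several normalized forms rather than the literal string, which is why "Smith123" and "Password1234" are caught even though neither appears verbatim in any list. A production list is far larger and the matching rules can be stricter; this block only shows the shape of the approach.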
2. Retroactive Password Policy Enforcement
Until this release, when an administrator updated the password policy (for example, raising the minimum length or requiring a symbol), the new rules only applied to newly created passwords. Existing users could continue using passwords that no longer met the policy, sometimes for years.
Starting with this release, the password policy is enforced retroactively across the entire platform.
How It Works
- When a user logs in, their current password is checked against the policy currently in effect.
- If the password does not comply, for any reason (length, complexity, symbols, common-password check, etc.), the user is prompted to set a new one before continuing.
- Active sessions are not interrupted. The check runs at the next login.
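The reason the check has to happen at login is that the platform only stores a password hash, which cannot be evaluated against a length or complexity rule; the submitted plaintext at login is the one moment a legacy password can be re-checked. The following Python block is an added illustration of that login-time flow, not the product's own code. The policy fields, the PBKDF2 hashing scheme and the small common-password set are all assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the "Avoid commonly used / popular passwords" list.
# The product's real list is not published; these entries are illustrative.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "welcome1!"}

PBKDF2_ROUNDS = 100_000  # assumed; the platform's real hashing scheme is not described


@dataclass
class PasswordPolicy:
    """The portal password policy currently in effect (field names are assumed)."""
    min_length: int = 12
    require_upper: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    block_common: bool = True  # the "Avoid commonly used / popular passwords" setting


@dataclass
class User:
    username: str
    salt: bytes
    digest: bytes


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def policy_violations(password: str, policy: PasswordPolicy) -> List[str]:
    """Every rule the password fails under the policy in effect (empty list = compliant)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_upper and not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if policy.require_digit and not re.search(r"[0-9]", password):
        problems.append("no digit")
    if policy.require_symbol and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    if policy.block_common and password.lower() in COMMON_PASSWORDS:
        problems.append("commonly used password")
    return problems


def login(user: User, submitted: str, policy: PasswordPolicy) -> Dict:
    """Authenticate first, then re-check the plaintext against today's policy.

    The policy result is computed only after a successful hash match, so a
    failed login attempt learns nothing about the stored password.
    """
    if not verify_password(submitted, user.salt, user.digest):
        return {"status": "denied"}
    problems = policy_violations(submitted, policy)
    if problems:
        # Caller must route the user to a "set a new password" step before continuing.
        return {"status": "must_change_password", "reasons": problems}
    return {"status": "ok"}


def make_user(username: str, password: str) -> User:
    salt, digest = hash_password(password)
    return User(username, salt, digest)


if __name__ == "__main__":
    current = PasswordPolicy()
    # Constructed accounts: one set under an older, weaker policy, one compliant.
    legacy = make_user("alice", "summer2015")
    fresh = make_user("bob", "Correct-Horse-Battery-7")
    print(login(legacy, "summer2015", current))
    print(login(fresh, "Correct-Horse-Battery-7", current))
    print(login(legacy, "wrong-guess", current))
```

Two details carry over to any real implementation: the policy check runs after authentication, never instead of it, and the result is a "must change" flag on an otherwise successful login rather than a lockout, which matches the behaviour described above.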
Where It Applies
The enforcement is active at every point where a user signs in:
- CGA
- TTShift
- TTPortal
User-Facing Message
When a password is rejected as common, the user will see:
- CGA:
- TTPortal:
3. Who Is Impacted
The two changes have different impact scopes. The table below summarizes what each client should expect:
| Scenario | Affected by updated blocklist | Affected by retroactive enforcement |
|---|---|---|
| Client has "Avoid commonly used / popular passwords" enabled | Yes | Yes |
| Client does NOT have "Avoid commonly used / popular passwords" enabled | No | Yes (if password fails any other rule — length, complexity, etc.) |
| User has an active session at release time | No impact until next login | No impact until next login |
| User's existing password already complies with the policy | No action needed | No action needed |
Important: Retroactive enforcement applies to all clients. Any password that does not meet the currently configured portal password policy will trigger a forced update at next login.
4. What Do I Need to Do?
For administrators
- Review your current portal password policy settings before the release date. Retroactive enforcement will apply your existing configuration, whatever it is, to every user at next login.
- If the "Avoid commonly used popular passwords" setting is enabled, expect a higher number of users to be prompted to reset their passwords than in the past.
- Communicate proactively with your end users and guards before the release so the forced password change is not a surprise.
For end users (guards, supervisors, portal users)
- Existing passwords will continue to work for active sessions.
- At next login, if your password no longer meets the policy, you will be prompted to create a new one.
5. Release Timeline
- June 10th, 2026
6. Frequently Asked Questions
Will my users be locked out?
No. Users will not be locked out. If their password does not meet the policy, they are prompted to set a new one during the login flow and can continue immediately afterward.
What if I do not have the "Avoid commonly used / popular passwords" checkbox enabled?
The updated blocklist will not be applied to your users. However, retroactive enforcement of your other password rules (length, complexity, etc.) still applies. If you have any existing users with passwords that do not meet your configured policy, they will be prompted to update at next login.
Can I preview the updated blocklist?
The full list is not published for security reasons. The examples in Section 1 are representative of the types of passwords now being caught.
Why is this change being made now?
It addresses findings from multiple recent security penetration tests and supports the highest ongoing security standards for clients.