Account Security and Password Resets
Last Edited 10/20/22
On October 20th, 2022, Tentaroo released an overhaul of our password reset process for both admins and end-users, which included changes to how end-user passwords are stored. We've updated our best practices for account security and support below:
All passwords are now encrypted for security. Both admins and users should set strong passwords or pass phrases that are easy to remember but difficult to guess.
- Passwords are case sensitive.
- Minimum 8 characters.
- Special characters are supported.
Forgotten Admin Passwords
As always, admin passwords are one-way hashed and encrypted. If you've forgotten your password, please click on the Forgot Password link on the login screen and enter your email address. You will then receive an email from Tentaroo containing a verification link that can be used to reset your password.
- The link will expire after 24 hours.
- If you have more than one account associated with your email address, you will be asked to select the one you wish to reset.
- Each link can only be used once per account.
All admin accounts must use a functional email address! This new process requires admins to receive emails at their associated email addresses. If any existing admin accounts use non-functional addresses, a system admin should change their associated emails using the Tentaroo Legacy Air App.
Logged in as an Admin but Seeing My User Account
Admin accounts always use an admin's email address as their login. If the admin logs in and sees their user account instead, it may mean that the same email address is set as the login ID for their Individual / Family or Unit account and the system only recognizes one of the two when logging in. You can confirm this by clicking on the Select Client box and searching for the individual's name. Any accounts that they are tied to should be checked to see if the email address is being used as the login ID. Here's how to separate the logins:
- In the user account, click on Manage Profile and change user ID to something besides the email address.
- Log out, clear the browser cache, and log in using the admin credentials.
Unit, individual/family, and non-BSA account passwords are now one-way hashed and encrypted, just like admin passwords. This means they can no longer be retrieved by anyone and must be reset if lost or forgotten.
Please direct users to select Forgot Password, which will send them a verification link to allow them to reset their password. This link will be sent to both account contacts, but otherwise works identically to the link for admins:
- It will expire after 24 hours.
- It can only be used once per account.
- If an email address is used for more than one account, the user must choose an account from a list.
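The reset-link rules listed above for admins and users (24-hour expiry, one use per account, account selection when an email address is tied to several accounts) can be modelled as follows. This is an added illustration, not Tentaroo's code; the class, the in-memory store and the sample accounts are assumptions.

```python
import hashlib
import secrets
import time

LINK_TTL = 24 * 60 * 60  # the page states links expire after 24 hours


def _digest(token):
    # Only this digest is stored, so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


class ResetLinks:  # hypothetical name, for illustration only
    def __init__(self, accounts_by_email):
        self.accounts_by_email = accounts_by_email  # email -> list of account ids
        self.pending = {}  # token digest -> {"email", "issued", "used"}

    def issue(self, email, now=None):
        """Return a fresh token to embed in the emailed link, or None."""
        if email not in self.accounts_by_email:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        issued = time.time() if now is None else now
        self.pending[_digest(token)] = {"email": email, "issued": issued, "used": set()}
        return token

    def choices(self, token, now=None):
        """Accounts this link may still reset; empty if unknown or expired."""
        now = time.time() if now is None else now
        entry = self.pending.get(_digest(token))
        if entry is None or now - entry["issued"] > LINK_TTL:
            self.pending.pop(_digest(token), None)  # purge expired entries
            return []
        owned = self.accounts_by_email[entry["email"]]
        return [a for a in owned if a not in entry["used"]]

    def redeem(self, token, account_id, now=None):
        """Mark the link used for one account; True means the reset may proceed."""
        if account_id not in self.choices(token, now):
            return False
        self.pending[_digest(token)]["used"].add(account_id)
        return True


# Constructed sample data: one email address tied to two accounts.
links = ResetLinks({"leader@example.org": ["unit-101", "family-7"]})
```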
Admins can also send a reset link to account holders or set a temporary password from within the account settings. However, users will be required to reset their password upon login any time someone besides the account holders views their password, such as when:
- The council creates a new account, either manually or through an Akela import.
- The council changes a password.
Setting temporary passwords for user accounts should be a last resort. First, confirm and/or update account contacts. Second, send a reset link to the correct contacts. Finally, if they are unable to reset their own password, set a temporary password which they will need to update when they log in for the first time.
If users no longer have access to their account's contact emails (for example, if leadership transitioned without a proper hand-off), update the contacts to current leaders based on Akela / My.Scouting data and send new unit leaders the reset link from their account settings.
Please share the Account Access and Password Management page of our Users' Manual with your units and families.