Security
The Security page handles your account credentials. Today you can change your password here. Two-factor authentication and active-session management are on the roadmap.
To open it, go to Settings → Security in the sidebar.
Changing your password
The page has a single form:
| Field | Required | Notes |
|---|---|---|
| Current Password | Yes | Confirms it’s really you |
| New Password | Yes | Must meet the password rules below |
| Confirm New Password | Yes | Must match the new password |
Password rules
| Rule | Why |
|---|---|
| At least 8 characters | Hardens against guessing |
| At least one letter | Mixes character types |
| At least one number | Mixes character types |
| Different from your current password | Avoids accidental no-op changes |
Examples that pass:
- Tax2026!
- Compliance123
- BlueOcean42
Examples that fail:
- password — no number
- 12345678 — no letter
- tax — too short
The form checks the rules as you type, and Assure Pro double-checks when you save.
What happens when you save
- Assure Pro stores your new password securely.
- You stay signed in on this device.
- Other devices or browsers where you were signed in get signed out — they’ll need to sign in again.
- A green confirmation appears: “Password changed successfully.”
Assure Pro doesn’t send you an email about the change today. Email confirmation on password change is on the roadmap.
[Screenshot: Change password form]
Resetting a forgotten password
If you can’t remember your password:
- Sign out (or close the browser).
- On the sign-in page, click Forgot password.
- Enter your email.
- Check your inbox for a reset link.
- Click it and set a new password.
The reset link works once and expires after 30 minutes.
Account lockout
After 10 failed sign-in attempts in 15 minutes, your account locks for 30 minutes. During lockout:
- Sign-in attempts show “Account temporarily locked”.
- The Forgot password flow still works — using it clears the lockout.
The lockout protects against brute-force attempts without permanently locking you out.
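The lockout rule above can be sketched as follows. This is an added example, not Assure Pro's own code. It assumes a sliding 15-minute window, that attempts made during a lockout do not extend it, and in-memory state; the names `LockoutTracker` and `simulate` and the sample account are hypothetical.

```python
from collections import defaultdict, deque

MAX_FAILURES = 10          # failed sign-ins tolerated...
WINDOW_SECONDS = 15 * 60   # ...within this window
LOCK_SECONDS = 30 * 60     # lock duration once the threshold is hit

class LockoutTracker:
    """In-memory sketch; a real service would keep this state in a shared store."""

    def __init__(self):
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures
        self._locked_until = {}              # account -> time the lock ends

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        if until is not None and now >= until:
            self.clear(account)  # lock has run its 30 minutes: clean slate
            return False
        return until is not None

    def record_failure(self, account, now):
        """Record one failed sign-in; return True if the account is locked afterwards."""
        if self.is_locked(account, now):
            return True  # assumption: attempts during lockout do not extend it
        recent = self._failures[account]
        recent.append(now)
        # Drop failures that have aged out of the window (assumed to be sliding).
        while recent and now - recent[0] >= WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self._locked_until[account] = now + LOCK_SECONDS
            return True
        return False

    def clear(self, account):
        """Called when a password reset completes: lifts the lock, forgets failures."""
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)

def simulate(events):
    """Replay constructed (seconds, account, action) events; return each outcome."""
    tracker, outcomes = LockoutTracker(), []
    for now, account, action in events:
        if action == "reset":
            tracker.clear(account)
            outcomes.append("cleared")
        else:
            outcomes.append("locked" if tracker.record_failure(account, now) else "failed")
    return outcomes
```

Ten failures spaced 100 seconds apart never trip the lock under these assumptions, because the oldest one has left the window by the time the tenth arrives.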
Signing out
The sign-out button lives in the sidebar, at the bottom of the user menu — not on this page. Clicking it:
- Ends your login session.
- Sends you back to the sign-in page.
Signing out on this device doesn’t sign you out on others — they keep their own session until it expires. Managing other sessions is on the roadmap.
What’s missing today
| Feature | Status |
|---|---|
| Two-factor authentication | Roadmap — authenticator apps and security keys planned |
| Active sessions view | Roadmap — “see where I’m signed in” |
| Sign out a specific device | Roadmap |
| Password strength meter | Roadmap |
| Passkeys (passwordless) | Roadmap |
| Single sign-on for enterprise | Roadmap |
| Forced password rotation | Not planned — modern guidance is “rotate on breach”, not on a schedule |
If your firm needs two-factor today, use a password manager (1Password, Bitwarden) with strong unique passwords. Two-factor is a known gap on our side.
What this page won’t do
| Setting | Where to do it |
|---|---|
| Change your email address | Not yet in the UI — on the roadmap |
| Change your name or phone | Top-right user menu → Profile |
| Reset another teammate’s password | Not possible — only the user themselves can reset their password. Direct them to Forgot password on the sign-in page. |
| Manage shared firm logins | Firm credentials |
Audit log
Password changes show up in the firm activity log:
May 22, 4:12 PM Jane Chen changed her password.
Firm owners can review this through the activity timeline.
Permissions
Anyone can change their own password. No permission gate.
There’s no admin “reset another user’s password” function today. Admins can revoke a user’s account (roadmap) or rely on the user’s own Forgot password flow.
Next
- Team & permissions — managing who has firm-level admin access.
- Firm credentials — shared logins, separate from your personal password.