Secure Zone password set/reset: Provide alternative bulk password send rather than password reset token email

The Treepl system provides the ability to set a password in CRM admin, one user at a time. Extremely time-consuming if we have to do it for 200+ users.

Business Catalyst used to have the ability to create a password that could be sent in a bulk email send, to a bulk number of users. The password is generated by the system and is pushed to the user, not where the system requires the user to set the password via a token link.

THE PROBLEM WITH PASSWORD TOKEN RESETS SENT BY EMAIL:

We are still finding many corporate users never receive the password reset email because spam filters do not trust the link token in the email.

It means we cannot use Treepl for Secure Zone usage the way it is currently set up. Security filters on more advanced IT systems within large organisations are very strict (and getting more so), and immediately delete an incoming email that appears vaguely untrustworthy - a long security token link inside a password reset email looks like it could be a threat and will be deleted, not even delivered to spam or junk.

This happens for both a custom domain as well as using trustedemail.co

However, if we set the password for users and send it to them, they can still log in. In some cases the external system then records trust and may allow future password reset emails through. If not, there needs to be another way.

Business Catalyst allowed us to push passwords to users in bulk, not just one at a time. If it worked for BC, why can’t it be applied to Treepl?

I think Treepl’s failure to address this problem of the ‘password token in email’ and remedy it is a significant downside to the system, and I have been flagging this in the public forum, within internal partner comms and in tickets for the past three years. For us, this is the last year our corporate clients will be willing to use the Treepl system if this problem continues (and it is occurring where the user base consists of 15+ external corporate systems including major global insurance corporations).

This is probably due to advances in online security practices.


I think there are 2 separate issues to look at here:

  1. To keep up with modern login options (2FA/MFA, SSO/Social accounts used for logins and signups, Passkeys, Temporary/1-time passwords, and whatever else evolves).
    There is a backlog started around this: Google and Facebook Sign On For Secure Zones

  2. Bulk password resets. What is the use case for needing to reset users’ passwords in bulk and supply many users with new ones?

I can’t help but think also that an overly strict security protocol that blocks long tokenized links wouldn’t also block an email that says “Here’s your password: …” and has a password in plain text. Surely that would seem more suspicious in this day and age. So it may be that resetting a user’s password and emailing it to them wouldn’t solve the original problem anyway (as well as being less secure overall).

Hi Adam, point 1 sounds promising.

Point 2: no, not a bulk password change; what I mean is a bulk email send with a password link OR indeed the actual password sent to users, as currently happens if we set the password for the user and send it to them individually.