Your browser is no longer supported! Please upgrade your web browser now.

Improved Password Security

Your Harvest password is an incredibly important part of the defenses that keep your account safe. In the last few months, we’ve amped up our password security measures, giving your data more protection than ever.

Tighter Password Security

The way we handle passwords is safe and secure every step of the way.

Secure set-up
The Harvest Welcome Email includes a link to a secure password set-up screen. We’ll walk new users through a super-simple process that leaves no guesswork as to whether their password makes the grade.

Safe reset
If you forget your password, we’ll email you a link to reset it.  Your Harvest password is never visible in your account, and it is never sent over email.

Strong requirements
We’ve tightened the belt on what you need – all new passwords must be at least 8 characters and receive a “Good” or “Strong” rating from our new strength indicator (you can try to save a weak password, but we won’t let you). Due for a new one? There’s no better time than now to update your password! Just head to the new Password section of your profile and take a few seconds to make yours more secure.

We know you’ve got a lot on your mind, but you can rest easy knowing that your Harvest account is safer than ever before. Stay tuned for more information on the ins-and-outs of password security, and don’t hesitate to send any feedback our way!

Thoughts or questions about this post? Need some help?
Get in touch →

This was posted in Product News.
  • Yay new improved security!!

    I honestly wish more effort was put into the ability to generate and print Receipts (proof of payment) so the clients wouldnt be on my ass all the time.

  • Coolio. Any updates on the native mac harvest app? I could really use it.

  • Hmmm…. forcing passwords to be letters, numbers AND symbols is a fast way of pissing people off. You don’t need all three, and users hate it too.

    Are you *really* going to force this?

  • I have to second Matt Hill. Requiring the three is unnecessary. My bank doesn’t even require all of the above, nor does any social network, or any other major site on the net. Despite this seemingly good intentioned act, folks like to use the same password on multiple sites. Asking folks to come up with a new ‘!33T’ password is pretty annoying. So, my vote is, please don’t more forwards with this.

  • I’m not as critical of this move as the above two commenters, I think it’s probably a good idea. You should never use the same PW for any two sites, and have a good, robust system to manage them. If you can remember your PW, it’s not a good enough one, in my opinion. With so many password management tools available now, with mobile, desktop, and web app versions, there is no reason to not use really secure passwords.

  • Nathan Porter on February 23, 2012

    I am with Harvest on this one. Folks do like to use the same password on multiple sites, and that has got to be one of the least secure things that you can do. A breach on one site means a breach on all. I recommend that you start using a password manager like lastpass or keypass if you want to keep it local.

  • I hope more sites follow Harvest’s lead here. Passwords are thrown around too easily on the internet. One site/system gets hacked and they could have your password for dozens of sites. I second a password manager. Personally I use 1password and it’s great. Unique, strong passwords for every service I use.

  • After doing a bit of reading on this subject recently is would appear that the better format for passwords is stringing words together to make long passwords which don’t require symbols. Phrases such as cheesebuildingsquirrellounge are stronger passwords than Ch33$Ey and easier to remember.

    It might not be the most likely source but I trust this guy

  • Personally I think this guy has it right

  • What about adding a double auth mechanism, like the hidden feature with Google. You log in, and it verify’s you identity by sending a code to your phone.

    Then the password you use is almost irrelevant.

  • Why not make it optional for the company to choose? I for one don’t need my users having terribly secure passwords to Harvest, and it just makes their lives harder because we don’t use password aggregators yet.

  • I am with Harvest on this. Passwords are *the* link that controls our access to most remote systems. Just because people want to use simple/weak passwords does not make it acceptable. The same people upset about “forcing” secure passwords will be lining up in anger at Harvest if their accounts ever get hacked.

    It literally takes a few minutes to setup a secure password management system, be it 1Password, LastPass, or system like KeePass. Systems like 1Password and LastPass even handle the login to each web site in an automated fashion. There is NO excuse to not use such a system anymore. Please do yourselves a favor and protect yourselves properly.

  • I am in the middle of dealing with a hacker who cracked into a club website because one of the members stupidly changed her password to the word “Password.” So I am absolutely on board with the new requirements.

    I plan to institute the very same method at the club website in the future. Anyone who complains about this can sit on their own butt at 1:00 in the morning trying to sort out the damage.

  • I’m on Matt Hill’s side on this as well. Some measure of password security is fine but _requiring_ all that extra hoopla is more annoying than secure.

    Another thing though: *please* allow accessing the API with a per-user API key! We run some scripts regularly and it’s quite annoying having to have my email and password lying around on our server. OAuth is overkill for us, simply being able to use an API key that’s not my password (automatically generated and easily re-generated) would be very helpful.

  • +1 for the password manager option (Personally I use LastPass)

    Arguing that it’s too inconvenient to have a secure password just doesn’t cut it.

  • You might want to take note of this xkcd cartoon on entropy, random characters.

  • This xkcd on entropy and required characters would seem particularly appropriate –

  • I think this is a bad idea and doesn’t improve security on the long run. Forcing people to choose a password that has a minimum of 8 characters and consists of 3 different character types may result in a harder to crack password but is in most cases harder to remember. This will either result in people using the same 8-character-long, 3-character-type password for all their accounts or, even worse, people using a very unsafe way of remembering their cryptic password.

    Don’t make security a problem for the user, keep it a problem for you; the company that makes secure software.

    On a less serious note: maybe this XKCD should be included on all set-your-password-pages:

  • +1 on the xkcd ( vs symbols and mixed case. i’m obviously missing something here, it’s probably because i’m using oauth.

    • Thanks, all, for your feedback. Positive or otherwise, I’d rather we have this discussion than not.

      To be crystal clear, your password only needs to use 2 out of 3 character types. This qualifies as a good password, which we will allow you to save. Sorry for the confusion, and I’ve changed this post a bit to clarify that. However, strong passwords DO require all three character types, and we want to nudge people in this direction.

      I know this is somewhat annoying. However, we’re not doing this to annoy people. We’re doing this to help protect people’s accounts. Remember, Harvesters are people, too, and we’ve all got lots of passwords to track. We sympathize with you, but we also want your data to be safe.

      One last note – we’re not requiring that anyone change their current password. Existing users can still sign in to Harvest, so this update only affects new customers and those who choose to change their password. It’s up to you to leave your password as-is or not, but we’re not going to be shy about advocating better password security.

      More questions? Feel free to leave them here or send ’em in to

  • Unless having a weak password put your server(s) at risk (I can’t imagine that to be the case), you should leave the choice to your customers.
    Having to reset my password every few days will probably be more annoying and costly than having somebody hack into my account.

    +1 on the xkcd on password strength

  • Sorry guys, strong passwords are no problem with something like 1Password – you remember one very hard password and the software fills on passwords unique for each site and as strong as you want.

    It is essential to have strong passwords and different ones these days, even the good guys at harvest might be attacked and you never known.

  • I have to agree with the other commenters – this is all fairly decent news, password hashing and reset is really great, however the password policy stuff is not so good.

    Enforced password policies are bad news, I believe there are better ways of increasing security, without impacting on the UX.

    I’ve always had a bit of a bugbear about it, I decided to give a bit more detail in a blog post, feel free to take a look if you get chance.

    Cheers guys.


  • Quick note for our xkcd readers:

    The method from that comic (mostly) works too. For example:

    Harvest passwords are draconian

    Is a perfectly acceptable password/passphrase to use with our new policy. It contains an uppercase character, and a symbol (space)!

  • Douglas Brown on February 24, 2012

    It’s a security issue that I fully support. Quite honestly, if you’re that lazy in your password management, then you’re going to get hacked. It doesn’t take long to formulate a password that conforms to this method that you can quickly enter.

  • Security conscious users will have already a secure passwords. Those who don’t care will not click the link to this page.
    I’m guessing most users of Harvest are well-educated in IT and this is unnecessary, and will probably be perceived as an annoyance.

  • Harvesters concerned about security should read Steve Gibson’s Password Haystack article ( or listen to his Security Now podcast on the topic. The notion that complex passwords are inherently more secure is not strictly true. The critical aspect to deter brute-force attacks is password length. It may seem anti-intuitive, but an easy-to-remember password (such as ****D0g****) is significantly more secure than something like H@v$s!2T. Password padding can give you the best of both worlds: long enough to resist brute force attacks, yet simple to recall.

    Recent server-side attacks that compromise service providers’ entire customer databases (name, address, password, credit card #s) are much more troubling. I encourage the Harvest team to focus security efforts to ensure that our personal data is truly secure from hacker attacks. Are you salting the hashes? Are passwords and other customer info segmented and stored separately? Are the servers holding customer password, credit card number and other sensitive info completely and totally isolated from office PCs that have internet access? Do you have a comprehensive IDS system in place monitoring your networks for evidence of intrusion? Are your security policies and procedures rigorously and regularly audited by a third-party security expert?

    While I acknowledge your initiative to force stronger passwords on your customers, the real security risk to our data is server-side.

  • 5 demerits, guys. Go to SlashDot and look up all the articles that explain password policies of this nature are not particularly secure, but are ANNOYING.

    You’ve just given me ONE MORE REASON TO TRY A COMPETITOR’S PRODUCT, and trust me, you’re not so great that I haven’t been thinking about it.

    With all frankness.

  • P.S. You’re telling me what my password has to be? First time you reject a password I want to use, which I know is perfectly secure, I’m gone. I’m the customer, and if you don’t understand this, and let your tech team (which obviously) or whomever make these sorts of decisions…

  • Password complexity is a joke. It’s length that matters [yes, “that’s what she said”].

    So here’s my recommendation:

    If the length of the password is greater than or equal to 12 characters, do not require special characters, numbers or mixed case. That’d be a great alternative that supports true password security and start what should have been done ages ago… encouragement of passphrases not words.

  • Abilio Henrique on February 26, 2012

    Everyone could just use the Google Auth integration in the first place… that way you can pick whatever passwords Google will accept.

  • @Chad etc:

    Length at least increases the relative complexity of a brute-force attack. “Compexity” as presented here really means nothing computationally: an uppercase or lowercase letter is more complex for a human to remember (= >> lowered convenience), but a brute-force or similar attack doesn’t give a darn; a character is a character.

    So there’s a sense of purely false security here, which dismays me in its naiveity and what it says about what Harvest doesn’t know about the basics of security. Because the above, really does little to nothing to improve security– it’s security theatre.

    There are of course lots of things Harvest could do to ensure security of accounts/data, including proper backups, revisioning and rollback procedures, monitoring/logging account logins in a transparent manner accessible to end-users, and providing notifications when unusual login attempts or actual logins occur (ie, an email that says “your account was just accessed from IP x.x.x.x, which is in Nigeria. Was that really you?”).

    The evident lack of these substantive procedures, and the substitution of ideas that were outdated in 1995, gives me significant reason to reconsider the use of Harvest.

  • This is a bad and unnecessary move. Modern security standards should dictate the strongest combination of characters that still remains human and memorable for the individual.

    Given the number of online tools most individuals small companies use already, and the general lack of 1Password-type automated password completion app usage apart from a select few users, this simply forces the majority to have to write down a long and obscure set of characters to be able to get in.

    Adding or improving more server-side security would seem a far more appropriate method. It would make the geeks and the regulars happier. The volume of ‘ill sue you!’ toned comments above is a bit silly, but does deserves attention.

  • Above all the discussion about what a secure password should be (or not), there is a principle that has not been written about very much.

    I like to be educated about safety in general and about websites access in particular, but after that I would like to be able to make my own decissions. With this policy I have to trade in a risk of a breached password by a hacker to a risk of a breached password because my people have to write down a non-human password on a piece of paper.

    So I think it would be a good cause to leave the choice of mandatory safe password to the administrator of the account.

  • @Chad @Kenneth @Gavin

    I don’t know if you guys got chance to read my blog post that I linked above – but the point I was making is that password length, and/or it’s vulnerability to be brute forced should be a moot point.

    Even if my password is 3 characters long, by the time the automated script has made 3 or 4 failed attempts in quick succession the system should have picked up on this and locked them down.

    Or better still, the system should detect a non-human request immediately and lock it out.

    The password and it’s guessability isn’t really the weak link – it’s the system which even allows an automated attack to be launched upon it that is at fault.

  • Enforcing “best” security practices, forces -worst- security practices. If you make the user unable to remember their password, they WILL write it down. And now you’re worse off than before. Both from a security perspective, and an overhead cost one, as you constantly reset users passwords.

    You really want to push forward the state of security, stop allowing multiple password attempts per second. No human will ever be trying their password more than once every 10 seconds. And implementation of a working system is insanely easy.

  • Hi all – Thanks again for your feedback. We’ve been discussing some of the issues brought up here, and we’re going to be tweaking our current requirements. We’ll report back once those changes are finalized.

  • I just wanted to let you know that we no longer require a combination of characters in new Harvest passwords, and now you get credit for having a longer password, regardless of combining character types.

    Our requirements are based on a point scale – If your password gets a certain number of points, it passes. This isn’t actually different from how we were doing things before, except we’ve made it so you don’t have to use more than one character type, and we reward longer passwords. This means your password could be something like Harvestisgreat. It’s long, but it’s certainly easy to remember.

    If you’re curious about exactly how we rate passwords, these are our criteria. Your password must get at least a “3”:

    – 1 point for length of 8+
    – 1 point for every 2 characters after the first 8 (**this is new**)
    – 1 point for using lowercase
    – 1 point for using uppercase
    – 1 point for a digit
    – 2 points for a non-alphanumeric character.

    Also, we won’t let people save known weak passwords like their name/email address, or anything that includes popular substrings (like “password”, 12345678, etc).

    By removing the 2-character requirement, people have more leeway and should still be able to create something memorable and secure.

    Most importantly, remember that existing customers aren’t required to change anything. If you decide to update your password, great, but we’re not forcing anything.

    Feel free to leave any questions or email

  • @Samara

    This is great news, really pleased to see you taking the opinions of the users into consideration and changing your plans on this.

    Again, you guys do a cracking job on this product – which is why we enjoy using it so much.



Comments have been closed for this post.
Still have questions? Contact our support team →