Overview
Apptrove uses multiple security controls to protect user accounts during login, forgot password, and password reset flows. These measures help prevent unauthorized access, brute-force attacks, and password misuse, while keeping the experience clear for users.
This article explains how password rules, attempt limits, and reset protections work, and what messages users may see.
Password Reuse Prevention
What This Means
To improve account security, Apptrove does not allow reuse of recently used passwords when creating or resetting a password.
How It Works
Apptrove securely stores a history of previously used passwords for each user
Passwords are stored only as salted and hashed values
Plaintext passwords are never stored or logged
Users cannot reuse their last 5 passwords (configurable)
Why This Exists
Prevents reuse of compromised passwords
Reduces risk from password leaks across other platforms
Protects against credential stuffing attacks
User Message
When a reused password is detected:
“You cannot reuse your recent passwords. Please choose a new password you haven’t used before.”
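The history check described in this section could be implemented along the following lines. This is an added example, not Apptrove's own code; the `PasswordHistory` class, the choice of PBKDF2-HMAC-SHA256 and its iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import deque

REUSE_MESSAGE = ("You cannot reuse your recent passwords. "
                 "Please choose a new password you haven’t used before.")


class PasswordHistory:
    """Per-user history of (salt, hash) pairs; plaintext is never kept."""

    def __init__(self, size: int = 5, iterations: int = 600_000):
        # size=5 is the page's default history depth; the PBKDF2 settings are
        # assumptions for this example, not Apptrove's actual parameters.
        self._entries = deque(maxlen=size)  # oldest entry is dropped automatically
        self._iterations = iterations

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, self._iterations)

    def is_reused(self, candidate: str) -> bool:
        # Every stored hash has its own random salt, so the candidate must be
        # re-hashed once per entry; hashes under different salts never match.
        reused = False
        for salt, stored in self._entries:
            # Constant-time compare, and no early exit, so timing does not
            # reveal which history slot matched.
            if hmac.compare_digest(self._hash(candidate, salt), stored):
                reused = True
        return reused

    def set_password(self, new_password: str) -> None:
        """Reject a recently used password, otherwise record the new one."""
        if self.is_reused(new_password):
            raise ValueError(REUSE_MESSAGE)
        salt = os.urandom(16)
        self._entries.append((salt, self._hash(new_password, salt)))
```

Because each entry is salted separately, the cost of a reuse check grows with the history depth: one key-derivation call per stored password.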
Login Attempt Limits & Temporary Account Lock
What This Means
To protect against brute-force login attempts, Apptrove limits failed login attempts and temporarily locks accounts when needed.
How It Works
A maximum of 5 failed login attempts is allowed within 1 hour
Failed attempts are tracked per user account
After 5 failed attempts:
The account is locked for 1 hour
No login attempts are allowed during this period
Even correct credentials will not work until the lock expires
User Messages
After a failed attempt (before lock):
“Invalid email or password. Please try again.”
When the account is locked:
“Your account has been temporarily locked due to multiple failed login attempts. Please try again after 1 hour.”
During the lock period:
“Your account is locked due to repeated failed login attempts. Please try again later or reset your password.”
Forgot Password Request Limits
What This Means
Apptrove limits how often users can request password reset emails to prevent abuse and email flooding.
How It Works
A maximum of 3 forgot password requests per hour is allowed per email address
Once the limit is reached:
Further requests are blocked until the cooldown period ends
This limit applies even if the email does not exist, preventing account discovery attempts
User Messages
On successful request:
“If an account exists, you will receive a reset link.”
When the rate limit is exceeded:
“You have requested password resets too frequently. Please try again after some time.”
Password Validation During Reset
What This Means
Additional checks ensure new passwords are not the same as recent ones during password reset.
How It Works
During reset, the new password must be:
Different from the current password
Different from the last 3 previously used passwords
Validation happens before the password is saved.
User Messages
Same as current password:
“New password must be different from current password.”
Same as recent password history:
“New password must be different from your last 3 passwords.”
Key Takeaways
Password reuse is restricted to improve security
Login attempts are limited to prevent brute-force attacks
Forgot password requests are rate-limited
Reset flows enforce stronger password validation
All protections work automatically and do not require user configuration

