Password Protection
Every shared audit report is protected by a password. Visitors must enter the correct password before they can view any report content. This ensures that audit findings are only accessible to people you explicitly share the credentials with.
How Password Protection Works
When someone visits a shared report URL:
- A password prompt appears. No report content, scores, or branding is visible before authentication.
- The visitor enters the password.
- If correct, the full report loads and is accessible for that session.
- If incorrect, an error message appears and they can try again. There is no lockout after failed attempts.
The password is a simple text string — not tied to user accounts, email addresses, or any other identity system. Anyone with the URL and password can view the report.
Auto-Generated Passwords
When you create an audit, JetStack AI automatically generates a random password for the report. This password is:
- Randomly generated with sufficient complexity
- Visible to you in the audit settings panel
- Ready to share with your client alongside the report URL
You do not need to set a password manually unless you want to customize it.
Viewing the Current Password
To see the current password for a report:
- Open the audit from the Audits list.
- Navigate to Report Settings or the sharing panel.
- The current password is displayed (click to reveal if hidden).
- Use the Copy button to copy it to your clipboard.
Changing the Password
To change a report’s password:
- Open the audit from the Audits list.
- Navigate to Report Settings or the sharing panel.
- Click Change Password.
- Enter the new password.
- Click Save.
The new password takes effect immediately. Anyone who previously had the old password will need the new one to access the report on their next visit.
When to Change the Password
- Before sharing — If you want to use a specific, memorable password instead of the auto-generated one
- After a contact leaves the client’s organization — Rotate the password to prevent former employees from accessing the report
- After accidental exposure — If the password was shared more broadly than intended
- Periodic rotation — For long-lived reports that remain shared for months
Password Best Practices
| Practice | Recommendation |
|---|---|
| Complexity | Use a password that is easy to type but not easily guessed. A short phrase or combination of words works well. |
| Delivery | Send the password in a separate message from the report URL when possible, or use a different channel (e.g., URL via email, password via Slack). |
| Storage | Clients may bookmark the report URL. Ensure they also save the password somewhere accessible. |
| Simplicity | Avoid overly complex passwords with special characters. Clients need to type this manually, and friction reduces engagement. |
| Uniqueness | Use different passwords for different client reports. If one password is compromised, other reports remain protected. |
Session Behavior
After entering the correct password:
- The client can view the report for the duration of their browser session
- Closing the browser or clearing cookies requires re-entering the password
- There is no “remember me” option — each new session requires the password
- Multiple people can be viewing the same report simultaneously with the same password
Security Considerations
Password protection provides a reasonable level of access control for audit reports. It is designed to prevent casual or accidental access, not to protect highly sensitive or regulated data.
Key points:
- No account required — Clients do not need to create an account or verify their email. This reduces friction but means you cannot audit individual access.
- No attempt limits — There is no lockout after failed password attempts. The auto-generated password’s complexity provides protection against brute force.
- No expiration — Passwords do not expire automatically. Rotate them manually when needed.
- No encryption at rest — The report content is stored on JetStack AI’s servers and served over HTTPS. The password gates access to the report at its URL; it is not used to encrypt the underlying data.
If your client requires stronger access controls (SSO, audit logs, IP restrictions), contact JetStack AI support to discuss enterprise options.
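The following Python sketch is an added example, not JetStack AI's generator or code from this documentation. It builds an easy-to-type, per-report passphrase for a custom password and estimates how long exhaustive guessing would take when there is no lockout. The word list, the 60-bit target, the space separator and the guess rate are all assumptions.

```python
import math
import secrets

# Constructed 16-word sample list (4 bits per word) so the block runs offline.
# Assumption: in practice you would load a large list, e.g. 7,776 diceware words.
SAMPLE_WORDS = ["amber", "birch", "cedar", "delta", "ember", "fjord", "grove",
                "harbor", "island", "juniper", "kettle", "lantern", "meadow",
                "nectar", "orchid", "pebble"]

def words_needed(list_size, target_bits):
    """Words required for a uniformly random phrase to reach target_bits."""
    if list_size < 2:
        raise ValueError("word list needs at least two distinct words")
    return math.ceil(target_bits / math.log2(list_size))

def generate_passphrase(words, target_bits=60, separator=" "):
    """Draw words with the OS CSPRNG: lowercase letters plus one separator."""
    unique = sorted({w.lower() for w in words})
    count = words_needed(len(unique), target_bits)
    return separator.join(secrets.choice(unique) for _ in range(count))

def years_to_exhaust(list_size, word_count, guesses_per_second):
    """Worst-case years to try every phrase at a sustained online guess rate."""
    seconds = list_size ** word_count / guesses_per_second
    return seconds / (365 * 24 * 3600)

def passwords_for_reports(report_names, words, target_bits=60):
    """One independent passphrase per report, so a leak exposes only that one."""
    return {name: generate_passphrase(words, target_bits) for name in report_names}

if __name__ == "__main__":
    # Assumed rate of 100 guesses/second against the prompt (no lockout).
    print("2 words of 7,776:", round(years_to_exhaust(7776, 2, 100) * 365, 1), "days")
    print("5 words of 7,776:", f"{years_to_exhaust(7776, 5, 100):.1e}", "years")
    for report, phrase in passwords_for_reports(["client-a", "client-b"], SAMPLE_WORDS).items():
        print(report, "->", phrase)
```

At the assumed rate, a two-word phrase from a 7,776-word list is exhausted in about a week, while five words push the worst case into billions of years without adding any special characters.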
Revoking Access
To completely prevent access to a report, change the password to something only your internal team knows. Existing browser sessions with the old password will not be terminated, but any new visits will require the updated password.