Passwords & Reset

This page covers the password rules NemoRouter enforces and how to recover a forgotten password.

Password policy

The only requirement is length — there are no forced character types:

We follow the NIST 800-63B guidance: length protects an account far more than forced uppercase/lowercase/digit rules, which mostly add friction. Use a long passphrase you can remember.

Examples that fail: pass12 (too short, 6 characters). Examples that pass: correcthorse, MyDogIsNamedRex.

The same policy is applied on the server, so a password that's accepted by one screen will work on every other screen.

Resetting a forgotten password

1. On the sign-in page, choose Forgot password? (or go to /forgot-password).
2. Enter your email and submit.
3. You'll always see "If that email is registered, a reset link has been sent." — this generic response is intentional and doesn't reveal whether the address exists.
4. Open the email and click the reset link. It's valid for 1 hour.
5. You land on the Update Password page. Enter a new password (twice) that meets the policy.
6. On success, your other active sessions are signed out and you're redirected to your dashboard.

You do not need your old password to reset — clicking the emailed link proves you own the account.

Changing your password while signed in

From the dashboard, go to Settings → Security and use Reset password. This kicks off the same email-link flow above.

What you'll see if something's wrong

Reset requests are rate-limited (a few per hour per email and per IP) to prevent abuse.

Next steps

• Logging In — All sign-in methods
• Two-Factor Authentication — Add a second factor for stronger protection
• Security Settings — Manage sessions, SSO, and MFA