Overview

Your Recruitier account contains sensitive recruitment data — candidate profiles, client information, outreach history, and business contacts. Keeping your account secure protects both your data and your clients’ trust. This page covers password management, session security, and best practices.

Changing Your Password

To change your password:
  1. Navigate to Settings: go to Settings from the sidebar or profile menu.
  2. Find the password section: look for the Password Settings card on the left side of the settings page, below your profile information.
  3. Enter your current password: type your current password to verify your identity. This step prevents unauthorized password changes if someone gains temporary access to your logged-in session.
  4. Enter your new password: type your new password. Make sure it meets the password requirements listed below.
  5. Confirm your new password: re-type your new password to confirm you entered it correctly.
  6. Save changes: click Save or Update Password to apply the change. You will see a confirmation message once the password has been updated successfully.
After changing your password, your current session remains active. You do not need to log in again immediately. However, all other active sessions (on other browsers or devices) are invalidated and will require logging in with the new password.
Changing your password invalidates all existing JWT tokens across all devices. This effectively logs you out from every other device and browser, providing an immediate security response if you suspect unauthorized access.

Password Requirements

Your password must meet the following criteria to ensure account security:
  • Minimum length — At least 8 characters long
  • Complexity — A mix of uppercase letters, lowercase letters, and numbers is strongly recommended
  • Uniqueness — Do not reuse passwords from other services
Avoid using easily guessable passwords such as “password123”, your name, your company name, or common dictionary words. These are vulnerable to brute-force and dictionary attacks. Use at least 12 characters for stronger security.
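The requirements above written out as a checker, added here as an illustration rather than Recruitier's own validation code. The 8-character minimum, the recommended character mix, the 12-character recommendation and the examples of guessable passwords come from this page; the split between hard failures and advisory warnings, the blocklist contents and the function name are my assumptions (a real deployment would check against a large breached-password list and a dictionary, which are omitted here).

```python
"""Password policy check mirroring the stated requirements (added example)."""

# Constructed blocklist of guessable passwords; stands in for a real
# breached-password list, which is not included here.
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein"}


def evaluate_password(candidate, name="", company=""):
    """Return (accepted, messages).

    Hard failures reject the password; recommendations are reported but do
    not block it, matching the "strongly recommended" wording on the page.
    """
    failures, warnings = [], []
    lowered = candidate.lower()

    # Minimum length is mandatory; 12+ characters is the recommendation.
    if len(candidate) < 8:
        failures.append("must be at least 8 characters")
    elif len(candidate) < 12:
        warnings.append("12 or more characters is recommended")

    # Reject well-known passwords outright.
    if lowered in COMMON_PASSWORDS:
        failures.append("is a commonly guessed password")

    # Reject passwords built from the user's own name or company name.
    for label, value in (("your name", name), ("your company name", company)):
        if value and value.lower() in lowered:
            failures.append(f"must not contain {label}")

    # Character-class mix is advisory, not enforced.
    classes = (
        any(c.isupper() for c in candidate),
        any(c.islower() for c in candidate),
        any(c.isdigit() for c in candidate),
    )
    if not all(classes):
        warnings.append("a mix of uppercase, lowercase and digits is recommended")

    return (not failures), failures + warnings


if __name__ == "__main__":
    for pw in ("password123", "Short1A", "longlowercaseonly", "Tr0ub4dor&3xyz"):
        print(pw, evaluate_password(pw, name="Dana", company="AcmeCorp"))
```

A long all-lowercase passphrase is accepted with a warning, while a short or blocklisted password is rejected regardless of its character mix; that ordering reflects the page's emphasis on length over complexity.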

Forgot Your Password

If you have forgotten your password and cannot log in:
  1. Go to the login page.
  2. Click 'Forgot Password': below the login form, click the Forgot Password link.
  3. Enter your email address: type the email address associated with your Recruitier account.
  4. Check your email: you will receive an email with a password reset link. Click the link to set a new password.
  5. Set a new password: enter your new password on the reset page. Make sure it meets the password requirements above.
The password reset link expires after a limited time for security reasons. If the link has expired, request a new one by repeating the forgot password process. Check your spam folder if the email does not arrive within a few minutes.

Logging Out from All Devices

If you suspect that someone else has access to your account, or if you simply want to ensure that all sessions are terminated:
  1. Change your password using the steps above
  2. Changing your password invalidates all existing JWT tokens
  3. All other sessions will be required to log in again with the new password
This effectively logs you out from every device and browser except the one you are currently using. The revocation is recorded in the database immediately; as described under Authentication Architecture below, other sessions stop being accepted once their cached revocation status expires, which takes at most 5 minutes.
If you use Recruitier on a shared computer (such as in a co-working space), always log out when you finish your session. Do not rely solely on closing the browser tab, as session tokens may persist in the browser until they expire.

Security Best Practices

Use a Strong, Unique Password

Choose a password that is:
  • At least 12 characters long (longer is better)
  • A combination of letters, numbers, and special characters
  • Not used for any other service or website
  • Not based on personal information (birthdays, names, addresses)

Use a Password Manager

Consider using a password manager like 1Password, Bitwarden, or KeePass to generate and store strong, unique passwords for all your accounts, including Recruitier. Password managers eliminate the need to remember complex passwords and make it easy to use a different password for every service.

Be Cautious with Shared Devices

If you access Recruitier from a shared or public computer:
  • Always log out when you finish your session
  • Never save your password in the browser on shared devices
  • Use private or incognito browsing mode when possible
  • Clear the browser cache after your session

Recognize Phishing Attempts

Recruitier will never ask you for your password via email. If you receive an email that appears to be from Recruitier asking for your password or login credentials, it is likely a phishing attempt. Do not click any links in suspicious emails. Instead, go directly to app.recruitier.com in your browser.

Keep Your Email Secure

Your Recruitier account is linked to your email address. If someone gains access to your email, they could use the password reset feature to access your Recruitier account. Make sure your email account is also protected with a strong password and, ideally, two-factor authentication.

Regular Password Updates

While there is no mandatory password rotation policy, it is good practice to change your password every few months, especially if:
  • You suspect your credentials may have been compromised
  • You shared your password with someone temporarily
  • You used your password on an untrusted network or device
  • You received a data breach notification from another service where you use the same password

Advanced

Authentication Architecture

Recruitier uses JWT (JSON Web Tokens) for session management. Here is how the authentication system works:
Component          Detail
Token algorithm    HS256 (HMAC with SHA-256)
Token expiry       Approximately 2 days
Password hashing   bcrypt with automatic salting
Token revocation   Database flag + Redis cache (5-minute TTL)
How token revocation works: When you change your password, all existing tokens are marked as revoked in the database. To avoid hitting the database on every API request, the revocation status is cached in Redis with a 5-minute TTL. This means:
  • Token revocation takes effect within 5 minutes across all sessions
  • The Redis cache significantly reduces database load during authentication checks
  • After 5 minutes, all cached tokens are refreshed from the database
  • New login requests always check the database directly (cache miss on first check)
Login flow:
  1. You submit your email and password
  2. The password is verified against the bcrypt hash stored in the database
  3. A JWT token is generated with your user ID and expiry timestamp
  4. The token is returned to your browser and stored for subsequent API requests
  5. Each API request includes the token, which is validated against the revocation cache
Password change flow:
  1. Your current password is verified
  2. The new password is hashed with bcrypt and stored
  3. All existing tokens for your account are marked as revoked
  4. The revocation cache in Redis is updated
  5. Your current session receives a new valid token
  6. All other sessions will fail authentication within 5 minutes (cache TTL)
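The revocation mechanism, login flow and password change flow above, modelled as an added example; this is not Recruitier's code. What comes from the page: HS256 tokens with roughly 2-day expiry, a revocation flag kept in the database and cached with a 5-minute TTL, a password change that revokes all earlier tokens and hands the current session a new one, and other sessions failing only once their cached status expires. My assumptions: the revocation flag is modelled as a per-user `password_changed_at` watermark (a token is revoked when it was issued before it); the database and Redis are plain dicts; the clock is passed in explicitly so the TTL window is deterministic; and `pbkdf2_hmac` stands in for bcrypt, which is not in the Python standard library.

```python
"""JWT (HS256) sessions with a cached revocation check (added model, not Recruitier's code)."""
import base64
import hashlib
import hmac
import json
import os

SECRET = b"constructed-demo-signing-key"  # constructed; never hard-code a real key
TOKEN_TTL = 2 * 24 * 3600  # "approximately 2 days"
CACHE_TTL = 300            # 5-minute Redis TTL from the page


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(user_id, now):
    """Build an HS256 JWT carrying the user id, issue time and expiry."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": user_id, "iat": now, "exp": now + TOKEN_TTL}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def parse_token(token, now):
    """Check structure, signature and expiry; return the claims or None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None
    return None if claims["exp"] <= now else claims


def hash_password(password):
    salt = os.urandom(16)  # automatic per-password salt, as bcrypt does (assumed stand-in)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


class AuthService:
    def __init__(self):
        self.db = {}     # user_id -> {"salt", "hash", "password_changed_at"} (stands in for the database)
        self.cache = {}  # token -> (revoked, entry_expires_at) (stands in for Redis)

    def register(self, user_id, password, now):
        salt, digest = hash_password(password)
        self.db[user_id] = {"salt": salt, "hash": digest, "password_changed_at": now}

    def login(self, user_id, password, now):
        """Login flow steps 1-4: verify the hash, mint a token for the browser."""
        rec = self.db.get(user_id)
        if rec is None or not verify_password(password, rec["salt"], rec["hash"]):
            return None
        return mint_token(user_id, now)  # fresh token: its first check is a cache miss

    def authenticate(self, token, now):
        """Login flow step 5: validate the token against the revocation cache."""
        claims = parse_token(token, now)
        if claims is None:
            return None
        entry = self.cache.get(token)
        if entry is None or entry[1] <= now:  # miss or expired entry: ask the database
            revoked = claims["iat"] < self.db[claims["sub"]]["password_changed_at"]
            self.cache[token] = (revoked, now + CACHE_TTL)
        else:                                 # hit: trust the cached flag
            revoked = entry[0]
        return None if revoked else claims["sub"]

    def change_password(self, token, current_password, new_password, now):
        """Password change flow steps 1-5; returns the current session's new token."""
        user_id = self.authenticate(token, now)
        rec = self.db.get(user_id)
        if rec is None or not verify_password(current_password, rec["salt"], rec["hash"]):
            return None
        rec["salt"], rec["hash"] = hash_password(new_password)
        rec["password_changed_at"] = now             # every earlier token is now revoked in the DB
        self.cache[token] = (True, now + CACHE_TTL)  # cache updated for the token just used
        # Other sessions keep whatever flag was cached for them until that entry
        # expires: this is the "within 5 minutes" window the page describes.
        return mint_token(user_id, now)


def demo():
    """Two devices log in, one changes the password; report what each token gets."""
    svc = AuthService()
    t0 = 1_700_000_000  # constructed epoch seconds
    svc.register("u1", "correct horse battery", t0)
    laptop = svc.login("u1", "correct horse battery", t0 + 10)
    phone = svc.login("u1", "correct horse battery", t0 + 20)
    svc.authenticate(phone, t0 + 30)  # the phone's "not revoked" flag is now cached
    new_laptop = svc.change_password(laptop, "correct horse battery", "a much longer new one", t0 + 60)
    return {
        "new_session_token_accepted": svc.authenticate(new_laptop, t0 + 61) == "u1",
        "old_laptop_token_rejected": svc.authenticate(laptop, t0 + 61) is None,
        "phone_still_accepted_from_cache": svc.authenticate(phone, t0 + 61) == "u1",
        "phone_rejected_after_cache_ttl": svc.authenticate(phone, t0 + 30 + CACHE_TTL) is None,
        "old_password_login_rejected": svc.login("u1", "correct horse battery", t0 + 400) is None,
    }
```

Calling `demo()` returns a dict in which every outcome is `True`: the phone session is still accepted one second after the password change because its cached flag has not expired, and is rejected only once that entry ages out at the 5-minute mark. If a deployment wanted the change to take effect at once rather than within the TTL, the design choice would be to delete the user's cache entries at the moment the watermark is written instead of letting them expire.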

OAuth2 Email Security

Your connected email providers (Gmail/Outlook) use a completely separate authentication mechanism (OAuth2). Changing your Recruitier password does not affect your email connections. Similarly, changing your Gmail or Outlook password may invalidate the OAuth2 tokens, requiring you to reconnect in Recruitier, but does not affect your Recruitier login.

Data Protection

Recruitier implements several layers of data protection:
  • Encryption in transit — All communication uses TLS/SSL encryption
  • Encryption at rest — Database data is encrypted using AWS-managed encryption
  • Infrastructure security — The platform runs on AWS with managed databases, automated backups, and infrastructure monitoring
  • Role-based access — Agency team members have role-based permissions (Admin, Admin Member, Member) controlling what data they can access
  • Payment isolation — All payment data is handled exclusively by Stripe (PCI DSS Level 1 compliant) and never stored in Recruitier’s systems