SI Report - Full Analysis
The AI section, the CTA text is stating the business is visible when the AI Model results state that it is not visible on any. Possible hard coded CTA text - not sure if this could be made dynamic if no AI visibility across all 3 models or not.
Daniel Fawcett about 2 hours ago
General
π Bug Reports
SI Report - Full Analysis
The AI section, the CTA text is stating the business is visible when the AI Model results state that it is not visible on any. Possible hard coded CTA text - not sure if this could be made dynamic if no AI visibility across all 3 models or not.
Daniel Fawcett about 2 hours ago
General
π Bug Reports
MCP returning wrong verification data
The AI Hub MCP currently returns "verified": false for many reviews, which are considered verified on widgets, when cross-checked. Some findings: All Google reviews are "verified": false All Testimonials reviews are "verified": false All Tripadvisor reviews are "verified": false All Trustpilot reviews are "verified": true Yet all of these show verified on widgets.
Severi about 22 hours ago
π Bug Reports
MCP returning wrong verification data
The AI Hub MCP currently returns "verified": false for many reviews, which are considered verified on widgets, when cross-checked. Some findings: All Google reviews are "verified": false All Testimonials reviews are "verified": false All Tripadvisor reviews are "verified": false All Trustpilot reviews are "verified": true Yet all of these show verified on widgets.
Severi about 22 hours ago
π Bug Reports
Testimonials review source name
Please allow us to configure the name of this feature by ourselves (on agency level), or at least give an option to change the source name βTestimonialsβ to our agency name instead, which would make much more sense. Currently it is set to exactly βTestimonialsβ on all languages, even on widgets, which is not good, and will just cause confusion among clients and their customers.
Severi about 23 hours ago
General
π‘ Feature Request
Testimonials review source name
Please allow us to configure the name of this feature by ourselves (on agency level), or at least give an option to change the source name βTestimonialsβ to our agency name instead, which would make much more sense. Currently it is set to exactly βTestimonialsβ on all languages, even on widgets, which is not good, and will just cause confusion among clients and their customers.
Severi about 23 hours ago
General
π‘ Feature Request
Sales CRM tagging / stages not working
Leads dont seem to appear when filtering through the stages on the pipeline. https://www.loom.com/share/c68c6415c5054e3fa9637018cb76523c
Joshua 1 day ago
π Bug Reports
Sales CRM tagging / stages not working
Leads dont seem to appear when filtering through the stages on the pipeline. https://www.loom.com/share/c68c6415c5054e3fa9637018cb76523c
Joshua 1 day ago
π Bug Reports
Sales Intelligence CRM UPdate
Iβm trying to use the sales intelligence to reach out to potential customers, but I find the user interface clunky, which is slowing down the process. I have a few suggestions on how this could be much more intuitive for the user in the video below. A few small tweaks could make a big difference! https://www.loom.com/share/f64fed8873694941ac86366a75072730
Joshua 1 day ago
General
π‘ Feature Request
Sales Intelligence CRM UPdate
Iβm trying to use the sales intelligence to reach out to potential customers, but I find the user interface clunky, which is slowing down the process. I have a few suggestions on how this could be much more intuitive for the user in the video below. A few small tweaks could make a big difference! https://www.loom.com/share/f64fed8873694941ac86366a75072730
Joshua 1 day ago
General
π‘ Feature Request
intel-request: Enter key submits form when using Chinese IME β issue still exists
When using a Chinese IME, pressing Enter to confirm character selection unexpectedly triggers form submission. Steps to reproduce: Open the form Focus on a text input field Switch input method to Chinese IME Type Chinese characters Press Enter to select a character Expected result: Pressing Enter should confirm the IME character selection and NOT submit the form. Actual result: The form is submitted immediately when Enter is pressed. Environment: OS: macOS Browser: Edge IME: Chinese IME (Traditional) https://roadmap.embedmyreviews.com/en/p/enter-key-submits-form-when-using-chinese-ime
Support Team 1 day ago
π Bug Reports
intel-request: Enter key submits form when using Chinese IME β issue still exists
When using a Chinese IME, pressing Enter to confirm character selection unexpectedly triggers form submission. Steps to reproduce: Open the form Focus on a text input field Switch input method to Chinese IME Type Chinese characters Press Enter to select a character Expected result: Pressing Enter should confirm the IME character selection and NOT submit the form. Actual result: The form is submitted immediately when Enter is pressed. Environment: OS: macOS Browser: Edge IME: Chinese IME (Traditional) https://roadmap.embedmyreviews.com/en/p/enter-key-submits-form-when-using-chinese-ime
Support Team 1 day ago
π Bug Reports
Custom MMS Image Editing With Tags For Each Customers Name
Hey Mannie, my request for the platform is to have the first name tag seen in the text message be able to be added to the image (the piece of paper in the text message). Iβm Pretty sure Go high level has this feature so I reckon this would be a great one to keep up with them and other competing reputation management platforms.
Spencer Ahenkan 2 days ago
General
π‘ Feature Request
Custom MMS Image Editing With Tags For Each Customers Name
Hey Mannie, my request for the platform is to have the first name tag seen in the text message be able to be added to the image (the piece of paper in the text message). Iβm Pretty sure Go high level has this feature so I reckon this would be a great one to keep up with them and other competing reputation management platforms.
Spencer Ahenkan 2 days ago
General
π‘ Feature Request
Competitor infos don't appear sometimes on GeoGrid
I noticed on some scans that the information for the first two competitors wasn't showing up. This happens in some positions, but not all of them https://app.getcoucou.io/scans/020f69c5-1c35-460e-9f00-27a7d2dcdb08/report?snapshot_at=2026-05-19%2012%3A41%3A38
Jean-Gabriel 3 days ago
π Bug Reports
Competitor infos don't appear sometimes on GeoGrid
I noticed on some scans that the information for the first two competitors wasn't showing up. This happens in some positions, but not all of them https://app.getcoucou.io/scans/020f69c5-1c35-460e-9f00-27a7d2dcdb08/report?snapshot_at=2026-05-19%2012%3A41%3A38
Jean-Gabriel 3 days ago
π Bug Reports
Detect Recently Removed Reviews Without Full-History Scans
Iβd like to share a possible approach for developing this feature in a way that does not significantly increase infrastructure costs. From what I can tell, detecting removed reviews would require full scans across the entire review history, because the only way to know whether a review was deleted is to check whether it is still published at the source. I understand that doing this frequently for all reviews, across all accounts, could become very expensive. However, it looks like there may already be a way to detect at least recently removed reviews without any additional full scans. My understanding is that the current sync process seems to fetch recent reviews, rather than re-scanning the full historical dataset every time. I cannot confirm the exact implementation, but I believe it may not only fetch reviews since the last sync, but rather reviews from βsome time backβ. The reason I say this is because I noticed that some reviews inside EMR were previously marked as responded, but now appear as not responded. After checking the source, I found that those reviews had actually been removed from Google Places / Google Maps. This is a very interesting signal. If a review was previously known by the platform, was previously marked as responded, and later the response is no longer detected during the normal recent-review sync, that may already be enough to infer that the review was likely removed / deleted, without requiring any extra full-history scan. So, at least for recently deleted reviews, this feature may already be technically feasible with little or no additional infrastructure cost. Of course, this method would not be 100% complete. Very old reviews deleted long after they stop appearing in the βrecent reviewsβ sync window would probably not be detected this way. But the key question is: Is it better to have a system that detects recently deleted reviews, even if it is not perfect, or to have no system at all? In my opinion, a partially complete but cost-efficient solution is much better than no solution. A possible implementation could be: Detect reviews that were previously known in the system but are no longer consistently present in the source during normal recent syncs Mark them with a status such as Removed / Deleted Use that status across the product Once that status exists, it would already unlock a lot of value: Filter reviews that were removed / deleted Exclude them from analytics and review counts Exclude them from the βpending responseβ filter Exclude them from review display widgets Improve accuracy across multiple parts of the platform There could also be an optional complementary layer to improve historical completeness, although this would involve additional infrastructure costs. For example: Add a button to scan the full review history for removed reviews Limit its use to once per month, if triggered manually Or run it automatically once per month, if deemed acceptable from an infrastructure-cost perspective This is not intended as an alternative to the low-cost method described above, but rather as an optional way to improve accuracy if the developer wants this feature to get closer to 100% historical reliability. In other words, the current sync behavior already seems capable of detecting recently removed reviews without requiring additional full-history scans. If considered technically and economically feasible, a monthly full-history scan could then act as a complementary verification layer for older deletions that would otherwise fall outside the recent-sync window. I fully understand that this additional full-history scan may not be desirable because of the extra cost, so I am not suggesting it as mandatory. That part should of course be evaluated by the developer. The main point of this feedback is that there already appears to be a low-cost path for detecting recently removed reviews, using signals that seem to be surfaced by the current sync behavior (Specific example with images shown below). If you want to upvote the actual feature request, please do so here: https://roadmap.embedmyreviews.com/en/p/dashboard-not-synced-when-a-review-is-deleted-on-google Now let me give a practical example of how the current system has already βcaughtβ the removed/deleted reviews: I have one client with around 100 Google Business Profile reviews, receiving roughly 5 to 7 new reviews per month. The client responds to all Google reviews. Inside EMR, if I go to the reviews section and apply the filters: Source = Google Response Status = Pending The reviews that appear there are, in practice, the reviews that were removed / deleted, because all Google reviews are actually responded to. Below Iβm including: the link to that clientβs Google Business Profile a screenshot of the reviews shown as βnot respondedβ inside EMR In that screenshot, those βpendingβ reviews are basically the reviews that were deleted / removed, except for the last 3 reviews from C.M., Gabriel RodrΓguez, and Elizabete Nogueira, which are genuinely still present in the GBP and are in fact not responded to. That seems to indicate that the current sync logic is already capable of surfacing the absence of previously known review-response data. If so, then it may also be possible to infer that the review itself no longer exists at the source. There may be some technical detail I am missing, but at first glance this seems feasible. Link to this customer GBP: https://maps.app.goo.gl/8m55LxyiBH2ryP2U8 (Order the reviews by most recent after clicking the link) Image within EMR displaying all the reviews that were deleted or removed:
Leandro Teixeira 4 days ago
General
π₯ Feedback
Detect Recently Removed Reviews Without Full-History Scans
Iβd like to share a possible approach for developing this feature in a way that does not significantly increase infrastructure costs. From what I can tell, detecting removed reviews would require full scans across the entire review history, because the only way to know whether a review was deleted is to check whether it is still published at the source. I understand that doing this frequently for all reviews, across all accounts, could become very expensive. However, it looks like there may already be a way to detect at least recently removed reviews without any additional full scans. My understanding is that the current sync process seems to fetch recent reviews, rather than re-scanning the full historical dataset every time. I cannot confirm the exact implementation, but I believe it may not only fetch reviews since the last sync, but rather reviews from βsome time backβ. The reason I say this is because I noticed that some reviews inside EMR were previously marked as responded, but now appear as not responded. After checking the source, I found that those reviews had actually been removed from Google Places / Google Maps. This is a very interesting signal. If a review was previously known by the platform, was previously marked as responded, and later the response is no longer detected during the normal recent-review sync, that may already be enough to infer that the review was likely removed / deleted, without requiring any extra full-history scan. So, at least for recently deleted reviews, this feature may already be technically feasible with little or no additional infrastructure cost. Of course, this method would not be 100% complete. Very old reviews deleted long after they stop appearing in the βrecent reviewsβ sync window would probably not be detected this way. But the key question is: Is it better to have a system that detects recently deleted reviews, even if it is not perfect, or to have no system at all? In my opinion, a partially complete but cost-efficient solution is much better than no solution. A possible implementation could be: Detect reviews that were previously known in the system but are no longer consistently present in the source during normal recent syncs Mark them with a status such as Removed / Deleted Use that status across the product Once that status exists, it would already unlock a lot of value: Filter reviews that were removed / deleted Exclude them from analytics and review counts Exclude them from the βpending responseβ filter Exclude them from review display widgets Improve accuracy across multiple parts of the platform There could also be an optional complementary layer to improve historical completeness, although this would involve additional infrastructure costs. For example: Add a button to scan the full review history for removed reviews Limit its use to once per month, if triggered manually Or run it automatically once per month, if deemed acceptable from an infrastructure-cost perspective This is not intended as an alternative to the low-cost method described above, but rather as an optional way to improve accuracy if the developer wants this feature to get closer to 100% historical reliability. In other words, the current sync behavior already seems capable of detecting recently removed reviews without requiring additional full-history scans. If considered technically and economically feasible, a monthly full-history scan could then act as a complementary verification layer for older deletions that would otherwise fall outside the recent-sync window. I fully understand that this additional full-history scan may not be desirable because of the extra cost, so I am not suggesting it as mandatory. That part should of course be evaluated by the developer. The main point of this feedback is that there already appears to be a low-cost path for detecting recently removed reviews, using signals that seem to be surfaced by the current sync behavior (Specific example with images shown below). If you want to upvote the actual feature request, please do so here: https://roadmap.embedmyreviews.com/en/p/dashboard-not-synced-when-a-review-is-deleted-on-google Now let me give a practical example of how the current system has already βcaughtβ the removed/deleted reviews: I have one client with around 100 Google Business Profile reviews, receiving roughly 5 to 7 new reviews per month. The client responds to all Google reviews. Inside EMR, if I go to the reviews section and apply the filters: Source = Google Response Status = Pending The reviews that appear there are, in practice, the reviews that were removed / deleted, because all Google reviews are actually responded to. Below Iβm including: the link to that clientβs Google Business Profile a screenshot of the reviews shown as βnot respondedβ inside EMR In that screenshot, those βpendingβ reviews are basically the reviews that were deleted / removed, except for the last 3 reviews from C.M., Gabriel RodrΓguez, and Elizabete Nogueira, which are genuinely still present in the GBP and are in fact not responded to. That seems to indicate that the current sync logic is already capable of surfacing the absence of previously known review-response data. If so, then it may also be possible to infer that the review itself no longer exists at the source. There may be some technical detail I am missing, but at first glance this seems feasible. Link to this customer GBP: https://maps.app.goo.gl/8m55LxyiBH2ryP2U8 (Order the reviews by most recent after clicking the link) Image within EMR displaying all the reviews that were deleted or removed:
Leandro Teixeira 4 days ago
General
π₯ Feedback
Auto-Detect Language
We mainly run the ORM business in the Traditional Chinese market. However, once in a while, prospects from overseas find us on Google, and they bounce away when the platform appears in a foreign language. Iβd like to suggest the capability to auto-detect the browser language that the EMR dashboard will be showing, without forcing agencies to hard-define a default language. Thank you for your consideration.
Kevin Huang 5 days ago
π‘ Feature Request
Auto-Detect Language
We mainly run the ORM business in the Traditional Chinese market. However, once in a while, prospects from overseas find us on Google, and they bounce away when the platform appears in a foreign language. Iβd like to suggest the capability to auto-detect the browser language that the EMR dashboard will be showing, without forcing agencies to hard-define a default language. Thank you for your consideration.
Kevin Huang 5 days ago
π‘ Feature Request
Disclaimer while turning on "Stop Negative Feedback"
Showing a clear Disclaimer when someone turns on βStop negative Feedbackβ in the feedback form. Something like: ββ οΈ Disclaimer: Certain review platforms (e.g., Google) prohibit review gating and may penalize profiles found in violation of their policies. By enabling this feature, you acknowledge that you have reviewed the applicable platform's terms of service and accept full responsibility for any consequences, including profile suspension or review removal. βAgency Nameβ provides this feature as a tool and bears no liability for any action taken against your business by third-party platforms.β and it turns on only after they click βI understandβ button on the disclaimer pop-up. Why it make sense instead of disabling it completely? We donβt offer Google only and have 60+ other platforms too, where users can implement it without any risk. We give the end user complete flexibility; if they still want to use it with Google they can use it at their own risk. Cause its still a better option than buying fake 5-star reviews to improve the rating. (In many regions where every business is buying fake reviews, Google is not strict enough to penalize them unless someone goes too extreme.) This Disclaimer will protect the agency legally from any claims afterwards and clearly warns users of the involved risks. Prevents any accidental βTurn Onβ by clients in blueprint setups, DIY, DWY, or even DFY setups. Other suggestions: When user creates a new form > Make βStop Negative Feedbackβ turn off by default.
Arun Saini 5 days ago
π‘ Feature Request
Disclaimer while turning on "Stop Negative Feedback"
Showing a clear Disclaimer when someone turns on βStop negative Feedbackβ in the feedback form. Something like: ββ οΈ Disclaimer: Certain review platforms (e.g., Google) prohibit review gating and may penalize profiles found in violation of their policies. By enabling this feature, you acknowledge that you have reviewed the applicable platform's terms of service and accept full responsibility for any consequences, including profile suspension or review removal. βAgency Nameβ provides this feature as a tool and bears no liability for any action taken against your business by third-party platforms.β and it turns on only after they click βI understandβ button on the disclaimer pop-up. Why it make sense instead of disabling it completely? We donβt offer Google only and have 60+ other platforms too, where users can implement it without any risk. We give the end user complete flexibility; if they still want to use it with Google they can use it at their own risk. Cause its still a better option than buying fake 5-star reviews to improve the rating. (In many regions where every business is buying fake reviews, Google is not strict enough to penalize them unless someone goes too extreme.) This Disclaimer will protect the agency legally from any claims afterwards and clearly warns users of the involved risks. Prevents any accidental βTurn Onβ by clients in blueprint setups, DIY, DWY, or even DFY setups. Other suggestions: When user creates a new form > Make βStop Negative Feedbackβ turn off by default.
Arun Saini 5 days ago
π‘ Feature Request
AI hub token is now showing properly
In API & Webhooks > AI hub; When we click "Create Connectionβ button the token/code is not visible properly, it will be shown as a flash and auto close the popup window. So, we canβt copy & use it.
Arun Saini 6 days ago
π Bug Reports
AI hub token is now showing properly
In API & Webhooks > AI hub; When we click "Create Connectionβ button the token/code is not visible properly, it will be shown as a flash and auto close the popup window. So, we canβt copy & use it.
Arun Saini 6 days ago
π Bug Reports
Private Feedback Form Changes
πππ₯π¦π§ Can we rename Stop Negative Feedback to "Show Private Feedback" or similar? π¦πππ’π‘π Could we have the Private Feedback form allowed to be triggered/shown for any rating? A potential review flow I am looking to create would be (still planning): QR Scan / NFC Tap / Link Click How would you rate us? page Show Private Feedback Form - still show link to skip form and go direct to review Feedback Thank you page with custom messaging combined with the Current Review Sites Page with option to leave a review I would like every customer no matter the review rating to get offered the chance to leave direct feedback and then the opportunity to leave a review direct on site removing the gatekeeping function of the Stop Negative Feedback but adding an option for customers to leave direct feedback. π§πππ₯π Can we have additional fields available on the form to be added. I would like a checkbox field initially for a "I would like to be contacted about my feedback" confirmation checkbox Or if not - could we have a field that would accept a html embed so i can embed my own form created elsewhere?
Daniel Fawcett 6 days ago
General
π₯ Feedback
Private Feedback Form Changes
πππ₯π¦π§ Can we rename Stop Negative Feedback to "Show Private Feedback" or similar? π¦πππ’π‘π Could we have the Private Feedback form allowed to be triggered/shown for any rating? A potential review flow I am looking to create would be (still planning): QR Scan / NFC Tap / Link Click How would you rate us? page Show Private Feedback Form - still show link to skip form and go direct to review Feedback Thank you page with custom messaging combined with the Current Review Sites Page with option to leave a review I would like every customer no matter the review rating to get offered the chance to leave direct feedback and then the opportunity to leave a review direct on site removing the gatekeeping function of the Stop Negative Feedback but adding an option for customers to leave direct feedback. π§πππ₯π Can we have additional fields available on the form to be added. I would like a checkbox field initially for a "I would like to be contacted about my feedback" confirmation checkbox Or if not - could we have a field that would accept a html embed so i can embed my own form created elsewhere?
Daniel Fawcett 6 days ago
General
π₯ Feedback
Feature Request: Unified Multi-Location Dashboard
It would be extremely helpful to have a consolidated dashboard that shows analytics, reviews, ratings, and performance across all business locations in one view. Currently, users need to switch between locations individually, which becomes time-consuming for businesses managing multiple branches. An βAll Locationsβ dashboard with combined insights and the ability to drill down into individual locations would provide much better visibility and reporting for business owners and managers.
Dinesh Babu Thangavel 8 days ago
π‘ Feature Request
Feature Request: Unified Multi-Location Dashboard
It would be extremely helpful to have a consolidated dashboard that shows analytics, reviews, ratings, and performance across all business locations in one view. Currently, users need to switch between locations individually, which becomes time-consuming for businesses managing multiple branches. An βAll Locationsβ dashboard with combined insights and the ability to drill down into individual locations would provide much better visibility and reporting for business owners and managers.
Dinesh Babu Thangavel 8 days ago
π‘ Feature Request
Acknowledgement of edited Google reviews
When a diner edits a review from a while ago, Google sends a notification as a new review, reminding the GBP owner to reply. However, it is not showing in EMR. Especially when itβs a negative review turning into a positive, the owner wants to reply to thank the customer. The owner is not notified in EMR. Thanks for your consideration.
Kevin Huang 9 days ago
π‘ Feature Request
Acknowledgement of edited Google reviews
When a diner edits a review from a while ago, Google sends a notification as a new review, reminding the GBP owner to reply. However, it is not showing in EMR. Especially when itβs a negative review turning into a positive, the owner wants to reply to thank the customer. The owner is not notified in EMR. Thanks for your consideration.
Kevin Huang 9 days ago
π‘ Feature Request
EXIF GPS Data Image Editor
Google scans the image Exif info for GPS Data to make sure the image is local related. It would be great if the customer could change the GPS data if the image was not taken right at the Google Maps location. Maybe we could offer a tool like this as addon. https://tool.geoimgr.com/ I assume the google map api already can pull the Lat. an Lo. data? So when our customers manage their GBP account via EMR, this could be a nice feature?
Ma Gie 10 days ago
API
π‘ Feature Request
EXIF GPS Data Image Editor
Google scans the image Exif info for GPS Data to make sure the image is local related. It would be great if the customer could change the GPS data if the image was not taken right at the Google Maps location. Maybe we could offer a tool like this as addon. https://tool.geoimgr.com/ I assume the google map api already can pull the Lat. an Lo. data? So when our customers manage their GBP account via EMR, this could be a nice feature?
Ma Gie 10 days ago
API
π‘ Feature Request
In Progress
Link in widget no working
A link embedded in a widget isn't working; I've already edited it, but it still doesn't work.
Tom Lemmens 10 days ago
General
π Bug Reports
In Progress
Link in widget no working
A link embedded in a widget isn't working; I've already edited it, but it still doesn't work.
Tom Lemmens 10 days ago
General
π Bug Reports
Enforce Minimum Password Strength Requirements
EMR currently accepts any password without enforcing strength requirements. I was able to create a client team member account using a very weak password - abcdef01 - 6 letters + 2 digits, which registered as "Weak" on the Bitwarden password strength meter - https://bitwarden.com/password-strength/ EMR should enforce a baseline level of password strength across all user account types as this is now standard security practice everywhere with password strength meters now the norm and commonplace. Current Behaviour Any password is accepted at account creation, regardless of length or complexity. No feedback is given to the user about password strength. No restrictions on commonly used or breached passwords. Minimum Expected Behaviour At minimum, passwords should be validated against a baseline policy before being accepted. A reasonable starting point aligned with current NIST SP 800-63B guidelines would be the below: Required Minimum length of 12 characters (NIST recommends 8 as minimum, 12+ is now considered best practice minimum). Reject passwords found in known breach lists (e.g. via the Have I Been Pwned "Pwned Passwords" API). Reject obvious weak patterns (e.g. password123, abcdef01, sequential or repeated characters). Recommended Display a real-time strength meter during password creation to guide users. Allow long pass phrases, spaces, with the full ASCII/Unicode character set. Do not force complexity rules as current guidance has moved away from these as they tend to produce predictable patterns (Password1!) without meaningfully improving strength. Do not force rotation unless there's evidence of compromise. This should apply consistently to all account types: Agency users Client users Team members Any admin or service accounts Considerations Existing accounts: We should decide whether to a) force a password reset on next login for accounts that don't meet the new policy or b) prompt users to update at next login with a grace period. MFA: Strong passwords are only one layer. We should also have the option to force 2FA on user accounts too. This is an βoptionalβ requirement as I know not many people are comfortable with 2FA but it is getting more widespread and Authenticator app is really easy to use. As I say - optional toggle perhaps. Passkeys: Another future option, passkeys are the future, easy, saved to password managers, iCloud keychain, Google Auth etc and are more and more widely used and can negate the whole password thing entirely. Optional and perhaps future implementation. Rate limiting & lockout: Ensure login endpoints are rate-limited to prevent brute-force attempts against any account. Need to decide on lock out time, 15-30 is usually the norm after 5 failed attempts or we then just rest password after these attempts. Storage: Confirm passwords are hashed with a modern algorithm not just SHA/MD5. Why This Matters Weak passwords are still one of the most common causes of account compromise. Given the platform handles agency and client data, a low-effort policy change here meaningfully reduces the risk of credential stuffing and brute-force attacks, and brings us in line with baseline industry standards.
Daniel Fawcett 11 days ago
π‘ Feature Request
Enforce Minimum Password Strength Requirements
EMR currently accepts any password without enforcing strength requirements. I was able to create a client team member account using a very weak password - abcdef01 - 6 letters + 2 digits, which registered as "Weak" on the Bitwarden password strength meter - https://bitwarden.com/password-strength/ EMR should enforce a baseline level of password strength across all user account types as this is now standard security practice everywhere with password strength meters now the norm and commonplace. Current Behaviour Any password is accepted at account creation, regardless of length or complexity. No feedback is given to the user about password strength. No restrictions on commonly used or breached passwords. Minimum Expected Behaviour At minimum, passwords should be validated against a baseline policy before being accepted. A reasonable starting point aligned with current NIST SP 800-63B guidelines would be the below: Required Minimum length of 12 characters (NIST recommends 8 as minimum, 12+ is now considered best practice minimum). Reject passwords found in known breach lists (e.g. via the Have I Been Pwned "Pwned Passwords" API). Reject obvious weak patterns (e.g. password123, abcdef01, sequential or repeated characters). Recommended Display a real-time strength meter during password creation to guide users. Allow long pass phrases, spaces, with the full ASCII/Unicode character set. Do not force complexity rules as current guidance has moved away from these as they tend to produce predictable patterns (Password1!) without meaningfully improving strength. Do not force rotation unless there's evidence of compromise. This should apply consistently to all account types: Agency users Client users Team members Any admin or service accounts Considerations Existing accounts: We should decide whether to a) force a password reset on next login for accounts that don't meet the new policy or b) prompt users to update at next login with a grace period. MFA: Strong passwords are only one layer. We should also have the option to force 2FA on user accounts too. This is an βoptionalβ requirement as I know not many people are comfortable with 2FA but it is getting more widespread and Authenticator app is really easy to use. As I say - optional toggle perhaps. Passkeys: Another future option, passkeys are the future, easy, saved to password managers, iCloud keychain, Google Auth etc and are more and more widely used and can negate the whole password thing entirely. Optional and perhaps future implementation. Rate limiting & lockout: Ensure login endpoints are rate-limited to prevent brute-force attempts against any account. Need to decide on lock out time, 15-30 is usually the norm after 5 failed attempts or we then just rest password after these attempts. Storage: Confirm passwords are hashed with a modern algorithm not just SHA/MD5. Why This Matters Weak passwords are still one of the most common causes of account compromise. Given the platform handles agency and client data, a low-effort policy change here meaningfully reduces the risk of credential stuffing and brute-force attacks, and brings us in line with baseline industry standards.
Daniel Fawcett 11 days ago
π‘ Feature Request
Customer specific custom sidebar links
To be able to provide easy access to customer specific links like Local Search Grid reports or other 3rd party dashboards. You would set these under the customer settings in Agency dashboard.
Severi 14 days ago
General
π‘ Feature Request
Customer specific custom sidebar links
To be able to provide easy access to customer specific links like Local Search Grid reports or other 3rd party dashboards. You would set these under the customer settings in Agency dashboard.
Severi 14 days ago
General
π‘ Feature Request