What is a Password-Protected Webpage?
In Drupal Cloud, a password-protected webpage requires a Brown Single Sign-on username and password to access its content.
Purpose
Password protection in Drupal Cloud is designed for select cases when a webpage’s content meets certain criteria.
The password protection feature in Drupal Cloud is designed to secure webpages only and does not extend to linked files or documents (e.g., PDFs, Word documents). To control access to these files, consider using the native sharing and protection settings available in Google Drive.
Eligibility Criteria for Using Password Protection
Content is eligible for password protection only when it meets the following requirements:
- The content must be directly relevant to the website’s purpose and its intended audience.
- The content must have a legitimate requirement to be hosted in Drupal Cloud (e.g., to provide functionality available only in Drupal Cloud or because it must reside on an official Brown University website).
- The content must have a data risk classification of level one or below according to OIT's standards.
- The content must also satisfy at least one of the following conditions:
  - A clear and direct legal or compliance requirement necessitates its protection.
  - Public access would place the University at a distinct competitive disadvantage.
  - Public disclosure would pose a significant reputational risk to the University.
Drupal Cloud password protection is not intended for:
- Storing or protecting sensitive data (e.g., confidential records, payment information).
  - Data classified as Level two and Level three according to OIT standards cannot be stored in Drupal Cloud, even when password protected.
- Complex access control needs (e.g., restricting some users but not others within Brown).
- Stand-alone, password-protected content (e.g., an intranet).
- Restricting access to files or hosting content that can be managed using Google Drive permissions.
Who Can Access a Password-Protected Page
Visitors attempting to access a Drupal Cloud password-protected page must authenticate using their Brown University username and password. Access is granted to all individuals with active Brown credentials, including students, faculty, staff, and individuals with sponsored IDs.
Carefully Consider the Limitations of Password Protection
Because thousands of people have Brown IDs, password-protected content should be treated as potentially public. Content can become public through screenshots, copy-pasting, data exports, or other means. When considering password-protected content, think carefully about the implications if it were to become public. Remember that password protection cannot guarantee privacy when sharing with very large groups.
How to Request a Password-Protected Page
Making a page password-protected requires assistance from the Office of University Communications (OUC) Web and Digital team.
To request a password-protected page, email web@brown.edu. Please include the URL(s) of the pages you want to protect and explain your rationale for requesting protection.
Pitfalls to Avoid
- Avoid using password protection for content that needs to be discoverable through search. Password-protected pages are not indexed by search engines and cannot be found via search.
- Don’t treat password-protected pages like an intranet. The password protection functionality was designed to secure individual pages, not to create a full intranet.
- Avoid “surprising” users with the login screen. When linking to a password-protected page from another page on your site, you should generally indicate that the page will require a login, so users are prepared for the authentication prompt.
- Don’t assume password protection ensures content will remain private. Password protection cannot guarantee privacy when sharing with very large groups. Content can become public through screenshots, copy-pasting, data exports, or other means.