When and How to Password-Protect a Form

Not every form should be publicly accessible. Internal staff surveys, sensitive patient assessments, partner-only registration forms: these need a gate. Password protection adds one: visitors must enter the correct password before they can see or submit the form.

When Password Protection Makes Sense

• Internal surveys: Employee satisfaction, peer reviews, confidential feedback. You want responses only from your team, not from anyone who stumbles on the URL.
• Sensitive assessments: Mental health screenings, substance abuse intake, sexual health questionnaires. An extra access layer reinforces confidentiality.
• Exclusive registration: Invite-only events, private workshops, VIP programs. Share the password only with the intended audience.
• Staging and testing: Protect forms under development from public access. Remove the password when you're ready to go live.
• Partner or vendor forms: Data collection from specific external organizations. Each partner gets the password; the general public doesn't.

Setting It Up

1. Open your form's Settings tab
2. Find Access Control and toggle on Password Protection
3. Enter a password
4. Save

That's it. Anyone visiting the form URL now sees a password prompt before the form loads. No password, no access. The form content itself isn't visible until authentication succeeds.

Choosing a Good Password

This sounds obvious, but short or predictable passwords defeat the purpose. A few guidelines:

• At least 8 characters with a mix of letters, numbers, and symbols
• Don't reuse the same password across multiple forms
• Change passwords after personnel changes (a departing employee who knows the password is a former employee who knows the password)
• For high-sensitivity forms, rotate passwords periodically

Sharing Passwords Securely

How you distribute the password matters as much as the password itself:

• Share it through a different channel than the form link. Don't put the link and password in the same email.
• Use encrypted messaging when possible
• For in-person distribution, verbal communication works fine
• Avoid posting passwords in shared documents or Slack channels where access is broader than intended

What the Patient/User Sees

When someone visits a password-protected form, they see a clean password prompt. No form content is visible. They enter the password, and if it's correct, the form loads normally. If incorrect, they get an error message.

The password is required per session. Closing the browser and returning means entering the password again. Rate limiting prevents brute-force guessing attempts.

Password Protection vs. Other Access Controls

Password protection isn't the only way to restrict access. Consider alternatives depending on your use case:

• Magic-link emails: Send unique form links to specific patients. No password needed; the link itself is the access control. Better for individual patient intake.
• Form scheduling: Make forms available only during specific time windows. Good for time-based restrictions, but doesn't restrict who can access during that window.
• Team permissions: Control which staff members can view submissions. This restricts the admin side, not patient access.

You can combine these. A form that's password-protected, scheduled to a specific time window, and sends data through HMAC-verified webhooks covers access control, timing, and data integrity all at once.

A Note on HIPAA

Password protection is an access control layer, but it's not the whole compliance picture. Formisoft's underlying infrastructure handles the rest: AES-256 encryption at rest, TLS 1.3 in transit, US-hosted servers, audit logging, and BAA availability. Password protection adds to this foundation; it doesn't replace it.

Password protection is simple to enable and solves a clear problem: keeping forms private when they need to be private. If your form shouldn't be open to the world, add a password.