What are Clockwork's new password requirements?
What is zxcvbn?
zxcvbn is a password strength estimator that uses pattern matching to estimate how long it would take an attacker to guess (“crack”) the password you have chosen and get into your account.
zxcvbn draws on a database of 30k common passwords, common first names and surnames (taken from US census data), popular English words (from Wikipedia), popular television shows and movies (from Hollywood), and other common patterns such as dates, repeats (ccc), sequences (xyz), keyboard patterns (qwerty), and l33t speak (predictably replacing c3rt@in letters with certain $ymb0ls). Using this information, zxcvbn rates how strong your password is by how unpredictable it is relative to everything in that database of common password knowledge.
Why is Clockwork implementing zxcvbn?
Long story short: because we want to keep your data safe!
Clockwork is in the midst of establishing MFA (Multi-Factor Authentication) for user logins, and zxcvbn assists by enhancing the safety and security of your account.
We’ve chosen zxcvbn specifically because it is:
- More flexible: because it scans only for password complexity, zxcvbn doesn’t require the arbitrary addition of symbols and numbers, as long as your chosen password is unusual and unpredictable enough as it is.
- More secure: most other password policies erroneously allow weak passwords (P@ssword1) and disallow strong passwords (bEthAnymIlkscOws), because their rules encourage predictable replacements (think ! for i, @ for a, 0 for o) instead of prompting users to choose more creatively.
- More usable: based on the password you enter, zxcvbn will give you instant feedback on how strong it has determined the password to be (with a score from 0-4), and provide you with suggestions on how to make your password stronger; Clockwork will only approve passwords with a score of 3 or higher.
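To show why the pattern matching described above rates P@ssword1 as weak and bEthAnymIlkscOws as strong, here is an added, stripped-down estimator in the spirit of zxcvbn (example code, not Clockwork's or zxcvbn's own): it looks for dictionary words, repeats, sequences, keyboard walks and l33t swaps, charges each pattern only what it costs an attacker who knows the trick, and maps the result onto zxcvbn's 0-4 score bands. The word list, the per-pattern guess costs and the brute-force alphabet sizes are constructed assumptions, not zxcvbn's real tables.

```python
# Constructed, tiny stand-ins for zxcvbn's ranked dictionaries (assumption: the real lists hold ~30k entries).
COMMON_WORDS = ["password", "123456", "qwerty", "letmein", "bethany", "dragon"]
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
L33T = str.maketrans("@4310!$57", "aaeioisst")  # the predictable c3rt@in -> certain swaps

def match_at(s, i):
    """Longest predictable pattern starting at s[i] as (length, guesses, label), or None."""
    n, cands = len(s), []
    for rank, word in enumerate(COMMON_WORDS, 1):  # dictionary word: its rank is the guess count
        if s.startswith(word, i):
            cands.append((len(word), rank, "word:" + word))
    j = i  # repeat (ccc)
    while j + 1 < n and s[j + 1] == s[i]:
        j += 1
    if j - i + 1 >= 3:
        cands.append((j - i + 1, 10 * (j - i + 1), "repeat"))
    if i + 1 < n and s[i:i + 2].isalnum() and abs(ord(s[i + 1]) - ord(s[i])) == 1:  # sequence (xyz, 123)
        step, j = ord(s[i + 1]) - ord(s[i]), i + 1
        while j + 1 < n and s[j + 1].isalnum() and ord(s[j + 1]) - ord(s[j]) == step:
            j += 1
        if j - i + 1 >= 3:
            cands.append((j - i + 1, 40 * (j - i + 1), "sequence"))
    for k in range(min(10, n - i), 2, -1):  # keyboard walk (qwerty, lkjh), longest first
        seg = s[i:i + k]
        if any(seg in row or seg[::-1] in row for row in KEYBOARD_ROWS):
            cands.append((k, 20 * k, "keyboard"))
            break
    return max(cands, key=lambda c: (c[0], -c[1])) if cands else None

def walk(s, space):
    """Multiply the guesses of each pattern; a character no pattern explains costs a full alphabet."""
    guesses, labels, i = 1, [], 0
    while i < len(s):
        m = match_at(s, i)
        guesses *= m[1] if m else space
        labels += [m[2]] if m else []
        i += m[0] if m else 1
    return guesses, labels

def estimate(pw):
    """Return (guesses, score, labels). Score bands are zxcvbn's: 1e3, 1e6, 1e8, 1e10; Clockwork needs >= 3."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10), (lambda c: not c.isalnum(), 33)]
    space = sum(size for test, size in classes if any(test(c) for c in pw))
    low = pw.lower()
    raw = walk(low, space)
    leet = walk(low.translate(L33T), space)  # the attacker also tries the un-l33ted form ...
    leet = (leet[0] * 2 ** sum(c in "@4310!$57" for c in low), leet[1])  # ... each swap only doubles the work
    guesses, labels = min(raw, leet)  # the cheaper route is the one that counts
    guesses *= 2 ** sum(c.isupper() for c in pw)  # as does each capital letter
    return guesses, sum(guesses >= t for t in (1e3, 1e6, 1e8, 1e10)), labels
```

Calling `estimate("P@ssword1")` explains the whole thing as the rank-1 word plus one digit and two cheap swaps (a few hundred guesses, score 0), while `estimate("bEthAnymIlkscOws")` finds only the name and has to brute-force the remaining nine letters (score 4).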
The results? See for yourself:
How do I select a strong password?
Here are some tips and tricks for understanding how zxcvbn works, and for selecting the most secure password based on its estimations:
- Create a password that is at least 10 characters long. Longer passwords allow far more possible combinations of characters and are consequently harder for an attacker to guess.
- Be unpredictable with your use of:
  - Capital letters (e.g. capiTAl lettErs instead of Capital Letters)
  - Symbols and numbers (e.g. bob&&eatsfish@ instead of b0be@tsf!sh)
  - Word choices and sentence strings (e.g. veronapartyjokes instead of seedogrun)
- Follow the targeted feedback from Clockwork that will guide you towards less guessable passwords.
- Use this fun website that checks the strength of your intended password and tells you how long it would take to hack!
- Avoid:
  - l33t speak (i.e. predictably replacing c3rt@in letters with certain $ymb0ls).
  - Repeated or consecutive numbers or letters, like so: