Passwords
Password recommendations have changed over the years. Recent studies show that password complexity doesn’t necessarily mean password security. According to Microsoft and the FBI, when you give people password requirements, they use predictable behavior to create passwords. Therefore, passwords created using password requirements are easier to crack.
With that said, our new password policy is very simple:
- Passwords must be between 8 and 64 characters in length.
- Passwords must contain only alpha-numeric characters, hyphens (-), and/or underscores (_).
That’s it!
We do recommend that you follow Microsoft’s guidelines for Users:
- Don’t use a password that is the same or similar to one you use on any other website.
- Don’t use a single word, for example, password, or a commonly-used phrase like Iloveyou.
- Make passwords hard to guess, even by those who know a lot about you; avoid the names and birthdays of your friends and family, your favorite bands, and phrases you like to use.
We agree with the FBI’s assertion that passphrases are harder to crack than short, complex passwords.

Therefore, we also encourage you to use a passphrase (use hyphens or underscores in the place of spaces) instead of a password. Click here for help generating a good passphrase.
In addition to our new password policy, we will also be banning common passwords. We will periodically update our list of banned passwords based on the growing list of common passwords.
Usernames
Our new username policy is almost exactly the same as our password policy. There are two exceptions—usernames are limited to 20 characters in length and spaces ( ) ARE allowed in usernames.
With that said, our new username policy is very simple:
• Usernames must be between 8 and 20 characters in length.
• Usernames must contain only alpha-numeric characters, spaces ( ), hyphens (-), and/or underscores (_).
In Closing….
We do not require that you update your existing password or username at this time, but when you do, you will have to follow the new, simple guidelines.
For passwords: 8 to 64 characters in length, and only use alpha-numeric characters, hyphens, and/or underscores.
For usernames: 8 to 20 characters in length, and only use alpha-numeric characters, spaces, hyphens, and/or underscores.
If you also allowed space characters, then people could choose a phrase as their password rather than a single word. A well chosen password phrase is infinitely more difficult to crack than single words.
Thanks for the comment, Gareth! We added spaces for usernames so that people could use proper names if they wish. We chose only hyphens and underscores for passphrases as many articles pointed out quite simply that most people are not used to being able to use spaces in passwords and therefore would not use them. However, we will take your comment in to consideration!