Password recommendations have changed over the years. Recent studies show that password complexity doesn’t necessarily mean password security. According to Microsoft and the FBI, when you give people password requirements, they use predictable behavior to create passwords. Therefore, passwords created using password requirements are easier to crack.
With that said, our new password policy is very simple:
- Passwords must be between 8 and 64 characters in length.
- Passwords must contain only alpha-numeric characters, hyphens (-), and/or underscores (_).
We do recommend that you follow Microsoft’s guidelines for Users:
- Don’t use a password that is the same or similar to one you use on any other website.
- Don’t use a single word, for example, password, or a commonly-used phrase like Iloveyou.
- Make passwords hard to guess, even by those who know a lot about you; avoid the names and birthdays of your friends and family, your favorite bands, and phrases you like to use.
We agree with the FBI’s assertion that passphrases are harder to crack than short, complex passwords.
Therefore, we also encourage you to use a passphrase (use hyphens or underscores in the place of spaces) instead of a password. Click here for help generating a good passphrase.
In addition to our new password policy, we will also be banning common passwords. We will periodically update our list of banned passwords based on the growing list of common passwords.
Our new username policy is almost exactly the same as our password policy. There are two exceptions—usernames are limited to 20 characters in length and spaces ( ) ARE allowed in usernames.
With that said, our new username policy is very simple:
• Usernames must be between 8 and 20 characters in length.
• Usernames must contain only alpha-numeric characters, spaces ( ), hyphens (-), and/or underscores (_).
We do not require that you update your existing password or username at this time, but when you do, you will have to follow the new, simple guidelines.
For passwords: 8 to 64 characters in length, and only use alpha-numeric characters, hyphens, and/or underscores.
For usernames: 8 to 20 characters in length, and only use alpha-numeric characters, spaces, hyphens, and/or underscores.