Clockwork Password Requirements
Here at Clockwork, we take security very seriously. We have implemented a password strength checker to help you protect your own account with a strong password.
No, that is not a typo.
zxcvbn is a password strength estimator. It uses pattern matching and estimation to determine how long it would take an attacker to crack the password you enter and break into your account.
zxcvbn pulls from a database of 30,000 common passwords, common names, and surnames taken from US census data, popular English words based on Wikipedia, popular television and movies from Hollywood, and other common patterns like dates, repeats (ccc), sequences (xyz), keyboard patterns (qwerty), and l33t speak (predictably replacing c3rt@in letters with certain $ymb0ls).
Using this information, zxcvbn is then able to determine how strong your password is based on how unpredictable it is in relation to its database of common password knowledge.
Why Clockwork is Implementing zxcvbn
Long story short: because we want to keep your data safe!
Clockwork has implemented optional Multi-Factor Authentication (MFA) for user logins, and zxcvbn assists by enhancing the safety and security of your account.
We’ve chosen zxcvbn specifically because it is:
- More flexible: scanning only for password complexity, zxcvbn doesn’t require the arbitrary addition of symbols and numbers, as long as your password choice is unusual and unpredictable enough as is.
- More secure: most other password generation policies erroneously allow weak passwords (such as P@ssword1) and disallow strong passwords (such as bEthAnymIlkscOws) because their password rules encourage predictable replacements (think ! for i, @ for a, 0 for o) instead of prompting users to choose more creatively.
- More usable: based on the password you enter, zxcvbn will give you instant feedback on how strong it has determined the password to be with a score from 0-4, and provide you with suggestions on how to make your password stronger. Our system will only approve passwords with a score of 3 or higher.
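The contrast between the two kinds of policy can be shown with a short added example. It is not zxcvbn's code or Clockwork's, and it does not compute a zxcvbn score; the word list, the substitution table and the function names are constructed for illustration.

```javascript
// Added illustration, not zxcvbn's code: a tiny pattern check versus a composition rule.
// COMMON is a constructed sample; zxcvbn ships much larger frequency-ranked lists.
const COMMON = ["password", "qwerty", "letmein", "dragon", "monkey"];
const LEET = { "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t" };

// Typical composition rule: 8+ chars with upper, lower, digit and symbol.
function compositionPolicy(pw) {
  return pw.length >= 8 && /[A-Z]/.test(pw) && /[a-z]/.test(pw) &&
         /[0-9]/.test(pw) && /[^A-Za-z0-9]/.test(pw);
}

// Undo predictable l33t substitutions so "P@ssw0rd" compares as "password".
function deleet(pw) {
  return [...pw.toLowerCase()].map((c) => LEET[c] ?? c).join("");
}

// True when three neighbouring characters ascend by one code point (abc, xyz, 123).
function hasSequence(s) {
  for (let i = 0; i + 2 < s.length; i++) {
    const a = s.charCodeAt(i);
    if (s.charCodeAt(i + 1) === a + 1 && s.charCodeAt(i + 2) === a + 2) return true;
  }
  return false;
}

// Return the predictable patterns found; an empty list means none were matched.
function findPatterns(pw) {
  const lower = pw.toLowerCase();
  const plain = deleet(pw);
  const found = [];
  if (COMMON.some((w) => lower.includes(w))) found.push("common word");
  else if (COMMON.some((w) => plain.includes(w))) found.push("common word behind l33t");
  if (/(.)\1\1/.test(lower)) found.push("repeat");
  if (hasSequence(lower)) found.push("sequence");
  return found;
}

// Constructed sample passwords, including the two quoted in the list above.
for (const pw of ["P@ssword1", "bEthAnymIlkscOws", "Qwerty123!", "ccc-xyz-ccc"]) {
  console.log(pw, "| composition rule:", compositionPolicy(pw) ? "accept" : "reject",
              "| patterns:", findPatterns(pw).join(", ") || "none");
}
```

The composition rule accepts P@ssword1 and rejects bEthAnymIlkscOws, while the pattern check flags the first and finds nothing predictable in the second.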
The results? See for yourself:
Selecting a Strong Password
Here are some tips and tricks for understanding how zxcvbn works, and how to select the most secure password based on its estimations:
- Create a password that is at least ten characters long. Longer passwords provide a greater combination of characters and consequently make it more difficult for an attacker to guess.
- Be unpredictable with your use of:
  - Capital letters (e.g. capiTAl lettErs instead of Capital Letters)
  - Symbols and numbers (e.g. bob&&eatsfish@ instead of b0be@tsf!sh)
  - Word choices and sentence strings (e.g. veronapartyjokes instead of seedogrun)
- Follow the targeted feedback from Clockwork that will guide you towards less guessable passwords.
- Use this fun website that checks the strength of your intended password and tells you how long it would take to hack!
- Don't use l33t speak (i.e. predictably replacing c3rt@in letters with certain $ymb0ls).
- Don't use repeated or consecutive numbers or letters, like so: