If inactive, disables all password-based authentication and related functions (such as resetting passwords).
The minimum length of all new passwords.
There are numerous ways to encourage users to use strong passwords over weak ones. One of the best is requiring a certain level of password complexity.
AuthRocket uses the zxcvbn algorithm, which is excellent at encouraging all types of better passwords while allowing users the freedom to choose exactly how they arrive at that better password. Adding numbers or symbols does result in stronger passwords, but so does just adding more lowercase letters. zxcvbn handles all of these scenarios quite well and is what we recommend.
While AuthRocket uses rate-limiting to prevent brute-forcing of passwords, if a password were somehow subjected to a brute-force attack, here is roughly how long each strength setting would take to crack:
| Setting | Strength (per password) |
|---|---|
| High | Crackable in years |
| Medium | Crackable in days |
| Low | Crackable in hours |
| Insecure | Crackable in minutes |
Additionally, if you are using LoginRocket, a “Password is <strength>” type message will automatically be displayed when minimum complexity is enabled.
In lieu of the minimum complexity option above, you can choose to use an older-style “required character sets” approach, including requiring at least 1 lowercase letter, 1 uppercase letter, 1 number, and/or 1 special character.
Unless you have a preexisting corporate policy that requires using character sets, we actually discourage this and suggest minimum complexity instead, as it nearly always results in stronger, yet more memorable passwords (read: users are less likely to write them on a sticky note).
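To illustrate why a character-set rule and a guess-based estimate can disagree, here is an added example (not AuthRocket's code and not the zxcvbn implementation). The five-word list, the 43-character decoration pool, the function names and both sample passwords are assumptions constructed for illustration.

```python
import math
import re

# Constructed mini-dictionary; zxcvbn itself uses large frequency-ranked lists.
COMMON = ["password", "welcome", "qwerty", "letmein", "dragon"]

def meets_charsets(pw):
    """Older-style rule: 1 lowercase, 1 uppercase, 1 number, 1 special."""
    patterns = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return all(re.search(p, pw) for p in patterns)

def brute_force_guesses(pw):
    """Search space if every character has to be guessed independently."""
    pool = 0
    if re.search(r"[a-z]", pw): pool += 26
    if re.search(r"[A-Z]", pw): pool += 26
    if re.search(r"\d", pw): pool += 10
    if re.search(r"[^A-Za-z0-9]", pw): pool += 33  # printable ASCII symbols
    return pool ** len(pw)

def estimate_guesses(pw):
    """Lower of brute force and 'common word + digit/symbol decoration'."""
    best = brute_force_guesses(pw)
    lowered = pw.lower()
    for rank, word in enumerate(COMMON, start=1):
        suffix = pw[len(word):]
        if lowered.startswith(word) and not re.search(r"[A-Za-z]", suffix):
            # Rank in the list, x2 for capitalisation variants, then the
            # suffix guessed over digits + symbols (10 + 33 = 43 choices).
            best = min(best, rank * 2 * 43 ** len(suffix))
    return best

def report(pw):
    """Return (passes character-set rule, log10 of estimated guesses)."""
    return meets_charsets(pw), round(math.log10(estimate_guesses(pw)), 1)

if __name__ == "__main__":
    # Constructed samples: a decorated common word vs. 16 random lowercase letters.
    for sample in ("Password1!", "vkqtmzrhwpdlxnbg"):
        print(sample, report(sample))
```

The decorated common word satisfies all four character-set requirements yet falls to a few thousand guesses, while the all-lowercase string fails the character-set rule despite a far larger search space.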