This article describes Beacon's password policy (what we enforce) and our recommendations (what you should do and encourage your team to do).
First of all, we strongly recommend that you set up two-factor authentication. Two-factor authentication is one of the best ways to keep your account and data secure: even if someone guesses your Beacon password, they won't be able to access your account or view any supporter data.
Beacon's password policy
Beacon's password policy is influenced by the policy proposed by OWASP. We have struck a balance between flexibility, user experience, and security that we think works best for Beacon users. Once again, we have implemented this policy alongside our strong recommendation that users set up two-factor authentication.
When you create your Beacon account or change your password you'll find that there are a few restrictions on your choice of password:
- Your password must be over 10 characters in length
- Your password must not contain more than 2 repeated characters (e.g. 'a59mk0FFFF' is not valid)
- Your password must not appear on our list of the top 1 million most common passwords (e.g. 'qwertyuiop' is not valid)*
Our password input interfaces will tell you if your password fails any of these checks.
* We use the list of leaked passwords curated by SecLists.
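As an added example (not Beacon's own code), here is how a sign-up form could apply the three rules above before submission. It assumes that "more than 2 repeated characters" means the same character three or more times in a row, and uses a tiny constructed stand-in for the SecLists top-1-million list; a real deployment would repeat the same checks server-side, since client-side validation can be bypassed.

```javascript
// Added example mirroring Beacon's stated password rules; not Beacon's code.
// Assumption: "more than 2 repeated characters" = a run of 3+ identical chars.

const MIN_LENGTH_EXCLUSIVE = 10; // "over 10 characters"
const MAX_RUN = 2;               // at most 2 of the same character in a row

// Constructed stand-in for the real list (~1,000,000 entries in SecLists).
const COMMON_PASSWORDS = new Set([
  "qwertyuiop", "password123", "iloveyou12", "letmein1234",
]);

// Length of the longest run of one repeated character (0 for empty input).
function longestRun(s) {
  let best = 0, run = 0, prev = null;
  for (const ch of s) {
    run = ch === prev ? run + 1 : 1;
    prev = ch;
    if (run > best) best = run;
  }
  return best;
}

// Returns an array of failure messages; an empty array means the password
// passes all three checks. Length is counted in code points, not UTF-16 units.
function validatePassword(pw, commonList = COMMON_PASSWORDS) {
  const failures = [];
  if (Array.from(pw).length <= MIN_LENGTH_EXCLUSIVE) {
    failures.push(`must be over ${MIN_LENGTH_EXCLUSIVE} characters in length`);
  }
  if (longestRun(pw) > MAX_RUN) {
    failures.push(`must not contain more than ${MAX_RUN} repeated characters`);
  }
  if (commonList.has(pw)) {
    failures.push("must not appear on the list of most common passwords");
  }
  return failures;
}

// Example usage: the page's own invalid examples, plus a passing passphrase.
console.log(validatePassword("a59mk0FFFF"));                  // run of 4 'F' (and only 10 chars)
console.log(validatePassword("qwertyuiop"));                  // on the common list (and only 10 chars)
console.log(validatePassword("correct horse battery staple")); // []
```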
Beacon's password recommendations
Our recommendations are as follows:
- Make your passwords long: encourage phrases rather than single words.
- Use a password manager. At Beacon we use 1Password.
- Set up two-factor authentication.
How should you choose your password and encourage your team to choose theirs? As with most questions in life, the answer comes from the webcomic XKCD: