This article describes Beacon's password policy (the things we enforce) and our recommendations (what you should do and encourage your team to do).
First of all, we strongly recommend that you set up two-factor authentication. Two-factor authentication is one of the best ways to keep your account and data secure. Even if someone guesses your Beacon password, they won't be able to access your account or view any supporter data.
Beacon's password policy
Beacon's password policy is influenced by the policy proposed by OWASP. We have struck a balance between flexibility, user experience, and security that we think works best for Beacon users. Once again, it's important to note that we have implemented this policy while strongly recommending that users set up two-factor authentication.
When you create your Beacon account or change your password you'll find that there are a few restrictions on your choice of password:
Your password must be over 10 characters in length
Your password must not contain more than 2 repeated characters (e.g. 'a59mk0FFFF' is not valid)
Your password must not appear on our list of the top 1 million most common passwords* (e.g. 'qwertyuiop' is not valid)
* We use the list of leaked passwords curated by SecLists.
Our password input interfaces will tell you if your password fails any of these checks.
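The three checks above, written out as a small validator. This is an added example, not Beacon's own code: it assumes the repeat rule means the same character must not appear more than twice in a row (as the 'a59mk0FFFF' example suggests), that the common-password comparison is case-insensitive, and it uses a short constructed stand-in for the SecLists top-1-million list, which in practice you would load from the downloaded file with the helper shown.

```python
import re
from typing import Iterable

# Constructed stand-in for the SecLists common-password list (assumption:
# the real check loads the full top-1-million file via load_common_passwords).
COMMON_PASSWORDS = frozenset({
    "password", "qwertyuiop", "123456789012", "iloveyou1234", "letmein12345",
})

MIN_LENGTH_EXCLUSIVE = 10   # "over 10 characters" => at least 11
MAX_CONSECUTIVE_REPEAT = 2  # "not more than 2 repeated characters" (interpreted as consecutive)

# Matches any character followed by itself MAX_CONSECUTIVE_REPEAT or more times,
# i.e. a run of 3+ identical characters such as "FFFF".
_REPEAT_RE = re.compile(r"(.)\1{%d,}" % MAX_CONSECUTIVE_REPEAT)


def load_common_passwords(lines: Iterable[str]) -> frozenset:
    """Build the lookup set from the lines of a SecLists-style file.

    Entries are stripped and lower-cased so the later comparison is
    case-insensitive; blank lines are ignored.
    """
    return frozenset(
        line.strip().lower() for line in lines if line.strip()
    )


def check_password(password: str, common: frozenset = COMMON_PASSWORDS) -> list:
    """Return the list of policy rules the password fails (empty means OK).

    Reasons are stable strings so a UI can map them to user-facing messages.
    """
    failures = []
    if len(password) <= MIN_LENGTH_EXCLUSIVE:
        failures.append("too_short")
    if _REPEAT_RE.search(password):
        failures.append("repeated_characters")
    if password.lower() in common:
        failures.append("common_password")
    return failures


def is_valid(password: str, common: frozenset = COMMON_PASSWORDS) -> bool:
    """True when the password passes all three checks."""
    return not check_password(password, common)


if __name__ == "__main__":
    # Example usage with a file path (hypothetical; adjust to where you saved the list):
    # with open("10-million-password-list-top-1000000.txt", encoding="utf-8", errors="ignore") as f:
    #     common = load_common_passwords(f)
    for candidate in ["a59mk0FFFF", "qwertyuiop", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate) or "ok")
```

Reporting every failed rule at once, rather than stopping at the first, matches the behaviour described above where the input interface tells the user which checks their password fails.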
Beacon's password recommendations
Our recommendations are as follows:
Make your passwords long: encourage phrases rather than single words.
Use a password manager. At Beacon we use 1Password.
Set up two-factor authentication.
Tip: If you need to change your password, view our guide here.
How should you choose your password and encourage your team to choose theirs? As with most questions in life, the answer comes from the webcomic XKCD: