Enable’s password strength rules are as follows:
- A password must be at least 10 characters long;
- Your password must not be your email address;
- The password must not be on a large list of common passwords or blacklisted passwords - for example, PASSWORD1234 and 1234567812345678 are not allowed;
- The password must be distinct from some client-related names, such as 'Enable';
- The password must not have appeared in a data breach - see the 'Breached passwords' section for more information.
In addition, other measures are in place to prevent passwords being breached or guessed. These include:
- Multi-factor authentication, adding a second layer of protection to your account;
- Temporarily locking a user's account after 5 consecutive invalid password attempts;
- Hashing and salting passwords in line with current best practices;
- Encrypting data whilst at rest and in transit;
- Carrying out regular internal and external penetration testing.
There is no maximum password length, and there are no requirements to have uppercase, lowercase, numeric or special characters. Passwords do not expire, and there is no restriction on using a previously used password.
Our belief is that the primary measure of a password's strength is its length. The higher-than-average minimum password length, along with the 5-attempt lockout and the common/breached password restrictions, effectively nullifies any brute-force breach attempts without requiring mixtures of different character types.
Our password policy is in line with the United States National Institute of Standards and Technology's and the UK National Cyber Security Centre's password strength guidelines.
Breached passwords
In addition to the other measures, we use a service called 'haveibeenpwned', which allows us to check if a password has previously been exposed in a data breach. It is a good security practice to not use previously exposed passwords, as they may be easily guessed, or a malicious web user may already have a list of breached passwords. For this reason, Enable does not allow passwords which have been exposed in a data breach.
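The following is an added illustration, not Enable's own code, of how the rules listed above can be combined with a breached-password check. It uses the k-anonymity pattern of the Pwned Passwords range API (only the first 5 characters of the SHA-1 hash are sent; the full hash is compared locally), but the word lists, the breach corpus and the `fake_range_lookup` stand-in are constructed here so the example runs offline; the case-insensitive email comparison and the substring match for client names are assumptions of this example.

```python
import hashlib

MIN_LENGTH = 10
# Constructed sample lists for this example; Enable's real lists are far larger.
COMMON_PASSWORDS = {"password1234", "1234567812345678", "qwertyuiop"}
CLIENT_NAMES = {"enable"}
# Constructed corpus standing in for the Pwned Passwords data set: password -> times seen.
BREACHED_CORPUS = {"PASSWORD1234": 25000, "summer2019!!": 311}

def hibp_split(password):
    """Upper-case SHA-1 hex digest split into the 5-char prefix that is sent to the
    service and the 35-char suffix that is only ever compared locally (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def fake_range_lookup(prefix):
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/{prefix}: returns
    one 'SUFFIX:COUNT' line for every corpus hash that starts with the prefix."""
    lines = []
    for pw, count in BREACHED_CORPUS.items():
        p, suffix = hibp_split(pw)
        if p == prefix:
            lines.append(f"{suffix}:{count}")
    return "\r\n".join(lines)

def breach_count(password, range_lookup=fake_range_lookup):
    """Number of times the password appears in the breach corpus (0 = not seen)."""
    prefix, suffix = hibp_split(password)
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0

def check_password(password, email, range_lookup=fake_range_lookup):
    """Return the rules the password violates; an empty list means it is accepted."""
    problems = []
    folded = password.casefold()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if folded == email.casefold():  # assumption: compared case-insensitively
        problems.append("same as email address")
    if folded in COMMON_PASSWORDS:
        problems.append("on the common/blacklisted password list")
    if any(name in folded for name in CLIENT_NAMES):  # assumption: substring match
        problems.append("contains a client-related name")
    if breach_count(password, range_lookup) > 0:
        problems.append("seen in a data breach")
    return problems
```

In production, `fake_range_lookup` would be replaced by an HTTPS request to the real range endpoint; the prefix/suffix handling stays the same.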
Please be assured that there is no indication that any Enable passwords have been exposed in a data breach.