We have recently deployed a couple of changes to improve the password security of the Forge website.
First, we now require every password to meet or exceed a minimum strength score as estimated by the zxcvbn algorithm. We do not impose specific rules about character classes, capitalization patterns, etc.; instead, zxcvbn estimates how many guesses an attacker would need by matching the password against common-password lists, dictionary words, keyboard patterns, dates and repeated sequences, and it will even suggest how to improve a password judged too weak. You can read more about the zxcvbn algorithm in this blog post by Dropbox.
For passwords that pass the strength check, we now additionally check them against a database of passwords previously exposed in data breaches of other websites and services. Using a unique password for every account is already a best practice, but this change ensures that users cannot choose a password that is already in attackers' hands: leaked passwords are the first thing credential-stuffing and dictionary attacks try, so they are at much greater risk of being guessed by a malicious actor. To learn more, visit haveibeenpwned.com.
These new checks and requirements apply to all newly created user accounts as well as to existing users who choose to update their password. At this time we are not requiring existing users to update their passwords, but we may require that in the future.