Prowise enforces strict password rules to ensure user security while maintaining usability. We implement a multi-layered validation system that checks password strength, exposure in known breaches, and compliance with essential security guidelines. This document outlines these rules and the rationale behind them.
Password Requirements
When setting or changing a password in Prowise, it must meet the following criteria:
A. Basic Complexity Requirements
- Minimum 8 characters in length.
- Must contain at least three of the following character types:
  - Lowercase letters (a-z)
  - Uppercase letters (A-Z)
  - Numbers (0-9)
  - Special characters (!@#$%^&*...)
We strongly recommend using a passphrase, as these are both more secure and easier to remember.
B. Strength Check: Zxcvbn Evaluation
To prevent weak passwords, Prowise uses the Zxcvbn password strength estimator. This evaluates how easily a password can be guessed:
- A password must receive a minimum score of 2 out of 4 to be accepted.
- If the score is 0 or 1, it is considered unsafe and will be rejected.
Why Do We Use Zxcvbn?
Traditional complexity rules (e.g., requiring numbers and uppercase letters) often lead to predictable password patterns. Zxcvbn instead evaluates real-world strength by analyzing:
- Common words and phrases
- Keyboard patterns (e.g., “qwerty123”)
- Reused sequences
- Contextual elements like names or dates
Example rejection:
- Password: "Welkom01"
- Score: 1 (Rejected)
- Reason: This is a common password
- Attack time (offline, fast hash): Less than a second
C. Leak Check: Have I Been Pwned Integration
To prevent users from using passwords exposed in previous data breaches, Prowise integrates with Have I Been Pwned (HIBP):
- When setting a password, it is checked securely and anonymously against a database of compromised credentials.
- If the password appears in known breaches, users receive an error: "This password has been found in leaks."
- The user must choose a completely new password.
Why Do We Check for Leaked Passwords?
Passwords that have been exposed in breaches are often used in credential stuffing attacks. Even a seemingly strong password like "P@ssword123" may be unsafe if it has been leaked before.
D. Alignment with NIST Guidelines
Prowise follows the National Institute of Standards and Technology (NIST) Special Publication 800-63B password guidelines:
- No mandatory periodic password changes: Frequent password resets lead to weaker choices.
- Allow long passphrases: Users can create longer, more memorable passwords instead of complex but hard-to-remember ones.
- Check passwords against breach databases: Prevents the use of compromised passwords.
- No arbitrary complexity requirements: Instead of requiring symbols or numbers, passwords should be evaluated for real-world security.
E. Security Considerations and Safe Practices
- Never reuse passwords across different services.
- Use a password manager to generate and store strong passwords securely.
- Avoid predictable modifications (e.g., "Password1!" or "Summer2024!").
- Enable multi-factor authentication (MFA) for an added layer of security.
Error Messages and Troubleshooting
If your password is rejected, check the following:
- "Password is unsafe" → It scored too low in Zxcvbn; try using a longer passphrase with uncommon words.
- "This password has been found in leaks" → Choose an entirely different password.
- "Password does not meet requirements" → Ensure it contains three of the required character types and is at least 8 characters long.
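The three layers described in sections A to C, and the error messages above, as an added Python example (not Prowise's own code): the character-class rule, the Zxcvbn threshold (the score is supplied by the caller, since the zxcvbn library is assumed rather than bundled here), and a Have I Been Pwned check written as the k-anonymity range lookup the HIBP Pwned Passwords API offers, where only the first five hex characters of the SHA-1 leave the client. The range endpoint is replaced by a constructed offline stand-in; that Prowise calls HIBP exactly this way is an assumption.

```python
import hashlib
import re
from typing import Callable, Optional

# Rule A: the four character classes; at least three must appear.
CHARACTER_CLASSES = (re.compile(r"[a-z]"), re.compile(r"[A-Z]"),
                     re.compile(r"[0-9]"), re.compile(r"[^A-Za-z0-9]"))

def meets_complexity(password: str) -> bool:
    """At least 8 characters and at least three of the four character classes."""
    if len(password) < 8:
        return False
    return sum(1 for cls in CHARACTER_CLASSES if cls.search(password)) >= 3

def hibp_leak_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: only the first 5 hex digits of the SHA-1 are sent; the
    remaining 35 are compared locally against the 'SUFFIX:COUNT' lines returned."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0

def validate_password(password: str, zxcvbn_score: int,
                      fetch_range: Callable[[str], str]) -> Optional[str]:
    """Runs the layers in order; returns None when accepted, else the error text."""
    if not meets_complexity(password):
        return "Password does not meet requirements"
    if zxcvbn_score < 2:                                # Rule B: score 0 or 1 is rejected
        return "Password is unsafe"
    if hibp_leak_count(password, fetch_range) > 0:      # Rule C: any breach hit is rejected
        return "This password has been found in leaks"
    return None

# Constructed offline stand-in for the HIBP range endpoint (assumption: the real service
# answers with 'SUFFIX:COUNT' lines for the requested 5-character prefix). It seeds the
# response with the suffix of one constructed "leaked" password plus two made-up entries.
LEAKED_SAMPLE = "P@ssword123"

def fake_fetch_range(prefix: str) -> str:
    digest = hashlib.sha1(LEAKED_SAMPLE.encode("utf-8")).hexdigest().upper()
    lines = ["0018A45C4D1DEF81644B54AB7F969B88D65:3",
             "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2"]
    if digest[:5] == prefix:
        lines.append(f"{digest[5:]}:1234")
    return "\r\n".join(lines)
```

Swapping `fake_fetch_range` for a function that performs the real HTTPS GET against the HIBP range endpoint for the given prefix gives the production check; the hashing and suffix comparison stay client-side either way.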
For further security guidance, see How to Recover an Account or contact Prowise Support.