FormLink provides several checks to make passwords hard to guess. Rate limiting is enabled for all FormLink accounts and cannot be disabled: after 5 invalid login attempts, an account is locked for 30 minutes. Besides rate limiting, the optional password requirements are:
- Minimum length: The default minimum password length is 6 characters. Accounts that enable password requirements can raise this minimum. The default for strong passwords is 8 characters, but it is configurable to any length.
- Character requirements: When strong passwords are required, at least one of each character type below is required:
  - Uppercase letter (A, B, C)
  - Lowercase letter (a, b, c)
  - Number (1, 2, 3)
  - Special symbol (!, @, $)
- Common Patterns: The following patterns are disallowed in strong passwords:
  - Repeating numbers, letters, or symbols (111, $$$, aaa, AaA)
  - Adjacent numbers or letters (123, abc, 987, zYx)
  - Consecutive keyboard letters (qwerty, zxcv, jkl;)
  - Years (1987, 2015)
- Dictionary Words: This is an optional setting that can be turned on or off for strong passwords. If enabled, words found in the dictionary (containing 4 or more letters) are prohibited. For example: "Baseball257!" would pass the above requirements (assuming minimum length is 8 characters), but fail if this setting is enabled as well.
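
The rules above can be expressed as a single validator. The following is an added example, not FormLink's own code: the run lengths (3 for repeating and adjacent characters, 4 for keyboard runs), the 19xx/20xx year pattern, the "any non-alphanumeric character" symbol test, and the `SAMPLE_WORDS` list are assumptions inferred from the examples on this page.

```python
import re

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl;", "zxcvbnm"]
SAMPLE_WORDS = {"baseball", "password", "dragon", "cat"}  # constructed word list

def _windows(text, n):
    """Yield every substring of length n."""
    return (text[i:i + n] for i in range(len(text) - n + 1))

def _is_sequence(chunk):
    """True for ascending or descending alphanumeric neighbours (abc, 987)."""
    steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
    return chunk.isalnum() and steps in ({1}, {-1})

def check_password(password, min_length=8, dictionary=None):
    """Return the names of the rules the password violates (empty = accepted)."""
    low = password.lower()  # pattern checks ignore case (AaA, zYx)
    failures = []
    if len(password) < min_length:
        failures.append("length")
    required = {
        "uppercase": str.isupper,
        "lowercase": str.islower,
        "digit": str.isdigit,
        "symbol": lambda c: not c.isalnum(),  # assumption: any non-alphanumeric
    }
    failures += [name for name, test in required.items()
                 if not any(map(test, password))]
    if re.search(r"(.)\1\1", low):  # assumption: 3 identical characters in a row
        failures.append("repeating")
    if any(_is_sequence(w) for w in _windows(low, 3)):  # assumption: run of 3
        failures.append("adjacent")
    # Assumption: keyboard runs of 4, read left-to-right or right-to-left.
    rows = KEYBOARD_ROWS + [row[::-1] for row in KEYBOARD_ROWS]
    if any(w in row for w in _windows(low, 4) for row in rows):
        failures.append("keyboard")
    if re.search(r"(19|20)\d\d", password):  # assumption: years are 19xx or 20xx
        failures.append("year")
    # Dictionary check is optional and only considers words of 4+ letters.
    if dictionary and any(len(w) >= 4 and w in low for w in dictionary):
        failures.append("dictionary")
    return failures
```

Calling `check_password("Baseball257!")` returns an empty list, while passing `dictionary=SAMPLE_WORDS` returns `["dictionary"]`, matching the example in the last bullet.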