At Operations1, the security of your data is our top priority. We are continuously committed to ensuring state-of-the-art security standards in our products and providing you with a secure and protected environment. An important building block to achieve this goal is the introduction of a uniform policy for secure passwords that helps you optimally protect user accounts.
A password for Operations1 must reach a minimum strength score of 3 (as assessed by zxcvbn, see below), must be at least 8 characters long, and must not appear in publicly known data breaches. The user receives visual feedback on the security score and on possible problems with the chosen password.
Our policy for secure passwords is based on proven security practices and recommendations from industry experts. In particular, we follow the "Digital Identity Guidelines" from the National Institute of Standards and Technology (NIST) of the US Department of Commerce and the recommendations of the Open Web Application Security Project (OWASP). By implementing a modern password policy in our product, we ensure that our customers benefit from a solid and reliable security structure and potential risks from unauthorized access are minimized.
How does Operations1 assess the security of passwords?
Operations1 uses zxcvbn, a powerful open-source library, to implement our password policies. The concept of zxcvbn is based on an intelligent password strength algorithm that evaluates the security of passwords and helps users create strong and easy-to-remember passwords.
The library analyses the complexity and predictability of passwords by taking into account various factors, such as susceptibility to dictionary attacks, common password patterns, and keyboard sequences. Based on this analysis, zxcvbn assigns each password a strength score and provides recommendations on how it can be improved.
By integrating zxcvbn into our password policy, we enable our users to create strong passwords that are both secure and easy to remember.
Please note that zxcvbn is continuously being developed as an open-source library, and we use the latest versions to provide the best possible support for our password policy.
How does Operations1 check if a password has been leaked in a data breach?
Operations1 uses the "pwned passwords" API from Troy Hunt, a renowned security researcher, to check whether a password appears in publicly known data breaches. This check is integrated into our zxcvbn-based evaluation and uses the k-Anonymity model, which protects the privacy of the user.
When using this model, the password to be checked is first hashed, that is, converted into a fixed-length string from which the original password cannot be recovered. Then only the first five characters of this hash, and never the password itself, are transmitted to the pwned passwords API.
The pwned passwords API then looks up all hashes in its database that begin with the same five characters and sends these back to Operations1. Our software then checks locally whether the full hash of the chosen password is among them. If it is, the password has been made public in a data breach, and such a password is considered not secure.
This approach ensures the security and protection of our users' passwords without disclosing sensitive information or compromising privacy.
Please note that this is a simplified description of the k-Anonymity model to make it understandable to a wider audience.
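The following is an added example, not Operations1's own code, showing how the policy described on this page (minimum length 8, minimum strength score 3, not found in a breach) and the k-Anonymity range check fit together on the client side. The hash details (uppercase hex SHA-1, a 5-character prefix, a response of "SUFFIX:COUNT" lines) are the documented behaviour of the public Pwned Passwords range API, not something stated on this page. The strength score is assumed to be supplied by the caller (for example from zxcvbn); the breached-password table and the offline lookup function are constructed for this example so that it runs without network access.

```python
import hashlib
from typing import Callable, Dict, List

# Policy values from the page: at least 8 characters, strength score >= 3.
MIN_LENGTH = 8
MIN_SCORE = 3

# Constructed sample of "known breached" passwords and occurrence counts.
# This stands in for the remote database and is not real breach data.
CONSTRUCTED_BREACHED = {"password": 1000, "123456": 500}


def sha1_hex_upper(password: str) -> str:
    """Hash the password the way the range API expects: uppercase hex SHA-1."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str):
    """Split into the 5-character prefix that is sent and the suffix that stays local."""
    return full_hash[:5], full_hash[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> count mapping."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fake_range_lookup(prefix: str) -> str:
    """Offline stand-in for the range API (constructed): returns every
    suffix from CONSTRUCTED_BREACHED whose hash starts with the prefix."""
    lines: List[str] = []
    for pw, count in sorted(CONSTRUCTED_BREACHED.items()):
        full = sha1_hex_upper(pw)
        if full.startswith(prefix):
            lines.append(f"{full[5:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """Return how often the password appears in breaches (0 if not found).
    Only the 5-character hash prefix is handed to range_lookup; the
    comparison against the returned suffixes happens locally."""
    prefix, suffix = split_hash(sha1_hex_upper(password))
    body = range_lookup(prefix)
    return parse_range_response(body).get(suffix, 0)


def evaluate_password(password: str, strength_score: int,
                      range_lookup: Callable[[str], str] = fake_range_lookup) -> List[str]:
    """Apply the policy; an empty list means the password is acceptable.
    strength_score is assumed to come from zxcvbn (0 to 4) via the caller."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if strength_score < MIN_SCORE:
        problems.append(f"strength score {strength_score} is below {MIN_SCORE}")
    hits = breach_count(password, range_lookup)
    if hits > 0:
        problems.append(f"found in known data breaches ({hits} occurrences)")
    return problems


if __name__ == "__main__":
    for pw, score in [("password", 0), ("correct horse battery staple", 4)]:
        print(pw, "->", evaluate_password(pw, score) or "acceptable")
```

The order of checks matters little for correctness, but performing the length and score checks before the breach lookup avoids a network round trip for passwords that will be rejected anyway; the lookup itself never sees more than five hex characters of the hash.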