When you create a PageCrawl.io account or change your password, we sometimes ask you to pick a different one. This page explains why that happens and how to choose a password that will be accepted.
What we check
Our password rules follow NIST SP 800-63B, the digital identity guideline published by the US National Institute of Standards and Technology. In line with that guideline, a password only needs to meet two conditions:
- It must be at least 8 characters long. Spaces are fine, and you can use a whole sentence if you like.
- It must not appear on public lists of commonly used passwords.
That is all. The same guideline advises against requiring uppercase letters, numbers, or special characters, because length protects an account far better than forced symbols. We would rather you pick a longer password you can actually remember.
Why some passwords are declined
Over the years, many websites around the world have had security incidents, and large lists of the passwords used there now circulate publicly. Attackers try those lists first whenever they attempt to break into accounts. If a password appears on those lists, it can be guessed in seconds, no matter how personal it feels.
When we decline a password for this reason, it simply means many other people have used the same password before and it is now publicly known.
Does this mean my account was hacked?
No. Nothing has happened to your PageCrawl.io account or your data. The check looks at the password itself, not at you. It only tells us that the same combination of characters appears on public lists. PageCrawl.io has not been breached, and no one is targeting your account. Declining the password is purely a precaution, so that your account never depends on a password attackers already know.
How the check works
Your password is never shared with anyone. The check uses only the first few characters of a scrambled fingerprint of your password (called a hash) and compares that tiny fragment against Have I Been Pwned, a well known public safety database used by many major online services. It is impossible to reconstruct your password from the fragment used in the lookup.
How to pick a strong password
- Longer is stronger. A short sentence such as "my dog naps on the blue sofa" is easy to remember and very hard to guess.
- Avoid single common words, names, and simple patterns like "12345678".
- Use a different password for every website. A password manager makes this effortless and can generate and remember passwords for you.
If your password was declined, try a longer and more personal phrase. And if you have used the declined password on other websites, changing it there as well is a good idea.
