We use the zxcvbn algorithm developed at Dropbox to assign a 'crack time' to a user's password each time they sign in or change their password. This crack time represents the estimated time it would take to crack the password for a hypothetical offline attacker with access to our database. You can read more about the methodology here:zxcvbn: realistic password strength estimation
Passwords must be at least 8 characters long and have an estimated offline crack time over 6,000 seconds. We do not enforce arbitrary restrictions on numbers, special characters, or maximum password length. However, any passwords longer than 72 characters will be truncated.
Coinbase strongly recommends the use of password manager software such as 1Password or LastPass. A password manager can generate random, unique passwords for each website you visit. It can also automatically fill in passwords for you and can protect you against phishing attacks.
If you don't want to use a password manager, be sure to use a long, random password that is unique to your Coinbase account. Do not reuse passwords from other websites, especially your email account. Do use a passphrase (a sentence or group of words), but do not choose a phrase from a book or a movie as hackers have access to sophisticated databases of such quotes.
We check all passwords against password dumps and leaks across the internet. It's possible that your password was found in one of these dumps. We recommend you change your password immediately.
Coinbase salts and hashes all passwords using the bcrypt algorithm with a work factor of 12. We never store your password in plain text.
Sign in and come back to this page to find out!