Tolk.ai uses the zxcvbn library, an algorithm developed by Dropbox that evaluates password strength based on predictability rather than arbitrary complexity criteria.
zxcvbn measures password strength as "entropy", a better indicator of the time an attacker would need to guess the password by brute force. The algorithm breaks the password into recognizable patterns (such as the keyboard sequence "AZERTY"), estimates the entropy of each pattern, and compares the password against dictionaries of common words and patterns.
Why this approach? Simple substitutions such as "M0td3P@$sE" are almost as easy to guess as "password" for modern password-cracking tools. A long, unpredictable password is more secure than a short password padded with special characters.
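A simplified, added illustration of the pattern-based estimate described above (example code, not Tolk.ai's code and not the zxcvbn library itself): dictionary lookup with l33t substitutions undone, keyboard-row sequences, brute force for whatever remains, and a search for the cheapest segmentation of the whole password. The `DICTIONARY`, `KEYBOARD_ROWS` and `LEET` tables and the `segment_guesses`/`estimate` functions are constructed for this example; real zxcvbn ships far larger ranked word lists and more pattern types.

```python
import math
from typing import Dict, List, Tuple

# Constructed mini-dictionary (word -> rank): lower rank = more common = fewer guesses.
DICTIONARY: Dict[str, int] = {"password": 1, "motdepasse": 3, "azerty": 5}
# Keyboard rows (AZERTY first, then QWERTY) used to spot spatial patterns.
KEYBOARD_ROWS = ["azertyuiop", "qsdfghjklm", "wxcvbn", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Common l33t substitutions, undone before the dictionary lookup.
LEET = str.maketrans({"0": "o", "3": "e", "@": "a", "$": "s", "1": "l", "!": "i"})

def segment_guesses(chunk: str) -> Tuple[float, str]:
    """Cheapest (guesses, pattern) explanation for one chunk of the password."""
    lowered = chunk.lower()
    normalized = lowered.translate(LEET)
    candidates = [(10.0 ** len(chunk), "bruteforce")]   # ~10 guesses per char
    if normalized in DICTIONARY:
        guesses = float(DICTIONARY[normalized])
        if normalized != lowered:   # l33t variant: a cracker tries it too
            guesses *= 2
        if chunk != lowered:        # capitalisation variant
            guesses *= 2
        candidates.append((guesses, "dictionary"))
    if len(lowered) >= 3:
        for row in KEYBOARD_ROWS:
            if lowered in row or lowered in row[::-1]:
                # rough spatial model: start key * direction * extra keys
                candidates.append((float(len(row) * 2 * (len(lowered) - 1)), "keyboard"))
                break
    return min(candidates, key=lambda c: c[0])

def estimate(password: str) -> Dict[str, object]:
    """Minimum total guesses over every split of the password (a simplified
    version of zxcvbn's most_guessable_match_sequence)."""
    n = len(password)
    best: List[float] = [1.0] + [math.inf] * n
    cut: List[Tuple[int, str]] = [(0, "")] * (n + 1)
    for j in range(1, n + 1):
        for i in range(j):
            guesses, kind = segment_guesses(password[i:j])
            if best[i] * guesses < best[j]:
                best[j] = best[i] * guesses
                cut[j] = (i, kind)
    sequence, j = [], n          # walk the cut points back to list the patterns
    while j > 0:
        i, kind = cut[j]
        sequence.append((password[i:j], kind))
        j = i
    sequence.reverse()
    return {"guesses": best[n], "entropy_bits": math.log2(best[n]), "sequence": sequence}
```

Running `estimate("M0td3P@$sE")` reports only a handful of guesses because the substitutions normalize back to "motdepasse", while a long phrase that matches no pattern falls through to the brute-force estimate and scores far higher.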
Users and administrators can only change their password via the "lost password" feature. An email containing a unique, time-limited link is sent to the user's registered address. This process ensures that only the user can change their password.
Passwords are encrypted before being stored in the database. During authentication, the password entered is also encrypted, and the comparison is made between the two encrypted versions. Tolk.ai never stores passwords in plain text and never requests them by email or phone.