DEV Community

Moksh Gupta

Posted on • Edited on • Originally published at devtoollab.com

Password Security in 2026 - A Practical Guide for Developers and Users

Stolen or weak passwords are still behind most breaches: the widely cited figure from Verizon's breach report is 81% of hacking-related breaches, and it has not moved much because users keep reusing weak credentials, which makes credential stuffing (replaying username/password pairs from one breach against every other site) cheap and effective. Getting password security right matters for developers building authentication systems and for users protecting their own accounts.

How Strong is Your Password, Really?

Password strength is measured in bits of entropy, E = log2(R^L) = L * log2(R), where R is the size of the character set and L is the length. That formula only holds when every character is chosen uniformly at random; a human-chosen password built from dictionary words, dates or keyboard walks has far fewer bits than its length suggests, which is exactly what dictionary and rule-based cracking exploits. For genuinely random passwords: 8 lowercase characters give about 38 bits, which a GPU rig exhausts in seconds against a fast hash; 12 characters from letters and digits give about 71 bits, enough to stop online guessing and most offline attacks when the server uses a slow hash; 16 or more characters from the full printable set give over 100 bits, out of reach of brute force. Length beats complexity: every extra character adds log2(R) bits (about 4.7 for lowercase, 6.6 for the full printable set), while widening the character set of a fixed-length password adds only a couple of bits per character.

How to Generate Better Passwords

For machine-used secrets such as API keys and stored credentials, generate them with a cryptographically secure pseudorandom number generator (CSPRNG): the secrets module in Python, crypto.randomBytes in Node, /dev/urandom on Unix, never a general-purpose random() call. For passwords you need to remember, use passphrases: four words drawn at random from a large wordlist, in the style of correct-horse-battery-staple. Draw the words with dice or a CSPRNG rather than picking them yourself, and do not use that particular phrase, which is now in every cracking wordlist. Four words from a 7,776-word list (the EFF long wordlist) give about 52 bits, six give about 78; use six for anything that protects other secrets, such as a password-manager master passphrase. Skip leet-speak substitutions like 'e' to '3': cracking rule sets apply all of those automatically.
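The entropy formula from the previous section and the CSPRNG-based generation described here, as an added example (not code from the original article). The guess rate of 1e10 per second is an assumed figure for a GPU rig against a fast hash, and DEMO_WORDS is a constructed stand-in for a real diceware list such as the EFF long wordlist:

```python
import math
import secrets
import string

# Character sets R for E = log2(R^L) = L * log2(R). The formula assumes every
# character is drawn uniformly at random; human-chosen passwords have far less.
CHARSETS = {
    "lowercase": string.ascii_lowercase,                                 # R = 26
    "mixed": string.ascii_letters + string.digits,                       # R = 62
    "full": string.ascii_letters + string.digits + string.punctuation,   # R = 94
}

# Constructed stand-in for a diceware list. In practice use the 7,776-word EFF
# long wordlist; entropy per word is log2(len(wordlist)).
DEMO_WORDS = ["anchor", "basil", "cobalt", "drift", "ember", "falcon",
              "granite", "harbor", "iris", "juniper", "kelp", "lantern"]


def entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a uniformly random password: `length` symbols from `charset_size` choices."""
    return length * math.log2(charset_size)


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Same formula; each word is one symbol drawn from the whole wordlist."""
    return words * math.log2(wordlist_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: on average half the keyspace is searched."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def describe(label: str, bits: float, guesses_per_second: float = 1e10) -> str:
    """Summary line. 1e10 guesses/s is an assumed rate for a GPU rig against a fast
    hash like SHA-256; a slow KDF such as Argon2id cuts it by orders of magnitude."""
    secs = expected_crack_seconds(bits, guesses_per_second)
    years = secs / (365.25 * 24 * 3600)
    return f"{label}: {bits:.1f} bits, ~{secs:.3g} s ({years:.3g} years) at {guesses_per_second:.0e} guesses/s"


def random_password(length: int = 16, charset: str = CHARSETS["full"]) -> str:
    """CSPRNG-backed password: `secrets` reads the OS entropy source, unlike `random`."""
    return "".join(secrets.choice(charset) for _ in range(length))


def random_passphrase(words=DEMO_WORDS, count: int = 4, sep: str = "-") -> str:
    """Diceware-style passphrase: `count` words chosen uniformly at random from `words`."""
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    print(describe("8 lowercase", entropy_bits(8, 26)))
    print(describe("12 letters+digits", entropy_bits(12, 62)))
    print(describe("16 full printable", entropy_bits(16, 94)))
    print(describe("4 words / 7776-word list", passphrase_entropy_bits(4, 7776)))
    print(describe("6 words / 7776-word list", passphrase_entropy_bits(6, 7776)))
    print("generated:", random_password(), random_passphrase())
```

Running it shows why the article's thresholds hold: the 8-character lowercase case falls in seconds, while the 16-character full-charset case is measured in a number of years with more than ten digits, and a four-word passphrase from a real 7,776-word list sits in between at roughly 52 bits.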

Use a Password Manager

A password manager such as Bitwarden or 1Password solves the reuse problem: it generates a unique, high-entropy password for every account and fills it in, so you memorize only one strong master passphrase, which you should protect with MFA. It also blunts phishing, because autofill only offers credentials for the domain they were saved on. Never share credentials over chat or email, where they sit in plaintext in two mailboxes indefinitely; use the manager's sharing feature or another end-to-end encrypted channel. The small convenience cost is worth it.

How Developers Should Store Passwords

Never store passwords with MD5, SHA-1 or SHA-256, even salted: they are designed to be fast, which is exactly what an attacker holding a stolen database wants. Use a purpose-built password hash: Argon2id as the first choice (it is memory-hard, so GPUs and ASICs gain little), or bcrypt with a cost factor of at least 12 (each increment doubles the work; tune it so a hash takes a few hundred milliseconds on your servers). Note that bcrypt only uses the first 72 bytes of input, so reject or pre-hash longer inputs if you allow long passphrases. Store the algorithm and parameters alongside each hash so you can raise the cost later, compare hashes in constant time, and run the same hash on a dummy value for unknown usernames so response time does not reveal which accounts exist. Add rate limiting on login and password-reset endpoints, keyed by account and by client address, and reject new passwords that appear in known breaches using the HaveIBeenPwned Pwned Passwords API.
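The storage and login pattern above, as an added example (not the article's code). It uses hashlib.scrypt from the Python standard library as a stand-in because it is memory-hard and runs without extra packages; in production you would call Argon2id through argon2-cffi with the same structure. The record format, the cost parameters, the LoginLimiter class and the login function are all assumptions of this example; the scrypt cost is kept at 16 MiB so the demo runs quickly, well below OWASP's floor of N=2^17 (128 MiB), r=8, p=1:

```python
import base64
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

# Assumed policy for this demo: ln=14 means N=2^14 blocks * r=8 * 128 B = 16 MiB per hash.
# Raise ln to 17 in production. maxmem lifts OpenSSL's 32 MiB default cap.
CURRENT_LN, CURRENT_R, CURRENT_P = 14, 8, 1
MAXMEM = 256 * 1024 * 1024


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode("ascii")


def hash_password(password: str, *, ln: int = CURRENT_LN, r: int = CURRENT_R, p: int = CURRENT_P) -> str:
    """Self-describing record $scrypt$ln=..,r=..,p=..$<salt>$<hash>; storing the
    parameters next to the hash is what makes a later cost increase possible."""
    salt = secrets.token_bytes(16)  # unique per password, from the CSPRNG
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** ln, r=r, p=p, maxmem=MAXMEM, dklen=32)
    return f"$scrypt$ln={ln},r={r},p={p}${_b64(salt)}${_b64(digest)}"


def _parse(record: str):
    _, algo, params, salt_b64, hash_b64 = record.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported hash record")
    kv = dict(item.split("=") for item in params.split(","))
    return int(kv["ln"]), int(kv["r"]), int(kv["p"]), base64.b64decode(salt_b64), base64.b64decode(hash_b64)


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    ln, r, p, salt, expected = _parse(record)
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** ln, r=r, p=p, maxmem=MAXMEM, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True when the stored parameters are below current policy; rehash after a successful login."""
    ln, r, p, _, _ = _parse(record)
    return ln < CURRENT_LN or r < CURRENT_R or p < CURRENT_P


class LoginLimiter:
    """Sliding-window limiter (assumed design): at most `limit` failed attempts per
    `window` seconds for a key such as the username or the client address."""

    def __init__(self, limit: int = 5, window: float = 300.0):
        self.limit, self.window = limit, window
        self._failures = defaultdict(deque)

    def allowed(self, key: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        q = self._failures[key]
        while q and q[0] <= now - self.window:  # drop failures outside the window
            q.popleft()
        return len(q) < self.limit

    def record_failure(self, key: str, now: float = None) -> None:
        self._failures[key].append(time.time() if now is None else now)


# Hashed once at startup: unknown usernames are verified against this so they cost
# the same time as a wrong password and cannot be enumerated via timing.
_DUMMY_RECORD = hash_password(secrets.token_hex(16))


def login(users: dict, limiter: LoginLimiter, username: str, password: str, now: float = None) -> bool:
    """Rate-limit, verify, and transparently upgrade weak stored parameters."""
    if not limiter.allowed(username, now):
        return False
    record = users.get(username, _DUMMY_RECORD)
    ok = verify_password(password, record) and username in users
    if ok and needs_rehash(record):
        users[username] = hash_password(password)  # plaintext is available only now
    if not ok:
        limiter.record_failure(username, now)
    return ok
```

The lockout here is per username, which stops online guessing against one account; a second limiter keyed by client address is what catches credential stuffing, where each address tries many accounts once.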

What NIST Actually Says

NIST SP 800-63B rejects several long-standing practices. Stop forcing periodic rotation (such as every 90 days): it produces predictable increments like Summer2025 to Autumn2025, and the standard says to require a change only when there is evidence of compromise. Stop mandating composition rules (an uppercase letter, a digit, a symbol). Instead require a minimum of 8 characters (the 2024 revision recommends 15), allow at least 64, accept spaces and all printable characters, allow pasting into password fields so password managers work, and check every new password against a list of known-breached passwords.
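The breach check recommended here and in the storage section, as an added example (not the article's code). It implements the k-anonymity protocol of the HaveIBeenPwned Pwned Passwords range endpoint: only the first five hex characters of the password's SHA-1 are sent, and the server returns every suffix in that bucket with its breach count. The length bounds are NIST's 8 and 64; the live fetcher uses the real endpoint, while FAKE_FETCH is a constructed fixture with made-up counts so the check runs offline:

```python
import hashlib
import urllib.request
from typing import Callable, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def fetch_range_live(prefix: str) -> str:
    """Fetch one k-anonymity bucket from HIBP. Add-Padding asks the API to mix in
    dummy entries with count 0 so the response size does not leak the bucket size."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"Add-Padding": "true", "User-Agent": "password-policy-demo"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range: Callable[[str], str] = fetch_range_live) -> int:
    """Number of times the password appears in HIBP. Only the 5-char SHA-1 prefix is
    sent; the remaining 35 characters are matched locally and never leave the host."""
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)  # padding entries report 0, i.e. not breached
    return 0


# NIST SP 800-63B bounds: at least 8 characters, allow at least 64.
MIN_LEN, MAX_LEN = 8, 64


def check_new_password(password: str, fetch_range: Callable[[str], str] = fetch_range_live) -> Tuple[bool, str]:
    """Policy for a new password: length bounds, then the breach-list check. No
    composition rules, per NIST."""
    if len(password) < MIN_LEN:
        return False, f"must be at least {MIN_LEN} characters"
    if len(password) > MAX_LEN:
        return False, f"must be at most {MAX_LEN} characters"
    hits = pwned_count(password, fetch_range)
    if hits:
        return False, f"appears {hits} times in known breaches; choose another"
    return True, "ok"


def make_fake_fetch(known: dict) -> Callable[[str], str]:
    """Constructed offline fixture that answers in the API's line format for the
    given {password: count}; the counts here are invented, not real HIBP data."""
    buckets = {}
    for pw, count in known.items():
        sha1 = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        buckets.setdefault(sha1[:5], []).append(f"{sha1[5:]}:{count}")

    def fetch(prefix: str) -> str:
        padding = "0" * 34 + "A:0"  # mimics an Add-Padding dummy line
        return "\r\n".join(buckets.get(prefix, []) + [padding])

    return fetch


FAKE_FETCH = make_fake_fetch({"password": 9545824, "correcthorsebatterystaple": 1042})

if __name__ == "__main__":
    for candidate in ["short", "password", "correcthorsebatterystaple", "anchor-basil-cobalt-drift-ember"]:
        print(candidate, "->", check_new_password(candidate, FAKE_FETCH))
```

Swap FAKE_FETCH for fetch_range_live to query the real service; cache bucket responses for a few minutes if the check runs on every signup, and fail open with a logged warning if HIBP is unreachable rather than blocking account creation.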

The Future is Passwordless

Passkeys (WebAuthn/FIDO2) are the real long-term fix: a public-key credential is created per site, and the authenticator only signs challenges for the origin it was registered on, so there is no shared secret to leak and a phishing page receives nothing usable. Magic links and SSO via OAuth 2.0/OIDC are reasonable stepping stones, with the caveat that a magic link is only as strong as the user's email account, and SSO moves the password problem to the identity provider, where it should be paired with phishing-resistant MFA. The password era is winding down, but until your systems migrate, the practices above keep you secure.

Quick Checklist

Personal: 16+ character unique passwords per account, use a password manager, enable TOTP or hardware MFA.

Developer: Hash with Argon2id or bcrypt (cost 12+), rate-limit auth endpoints, reject known-breached passwords via HaveIBeenPwned API.

References

Original article: https://devtoollab.com/blog/password-security-best-practices
