Password security is one area where mistakes have serious consequences. Here is what every developer building authentication needs to know.
Never store plain text passwords
Always hash passwords before storing them. If your database is compromised, plain text passwords are immediately useful to attackers.
Use a proper password hashing algorithm
MD5 and SHA-1 are too fast and can be brute-forced with modern hardware. Use bcrypt, scrypt, or Argon2, which are designed to be slow and memory-intensive.
```javascript
// Using bcrypt in Node.js (inside an async function or an ES module, so that await is allowed)
const bcrypt = require('bcrypt');
const hash = await bcrypt.hash(password, 12); // cost factor of 12 (2^12 rounds); a random salt is generated and embedded in the hash
const valid = await bcrypt.compare(input, hash); // re-hashes input with the stored salt and compares the result
```
Salting
Always use a unique random salt per password. bcrypt, scrypt, and Argon2 handle salting automatically.
Password requirements
Modern NIST guidelines (SP 800-63B) recommend:
- Minimum 8 characters
- Maximum at least 64 characters
- Check against known breached passwords
- Do not require special characters (they reduce entropy in practice)
- Do not require periodic rotation
Rate limiting
Limit login attempts to prevent brute-force attacks. Consider exponential backoff and account lockout after repeated failures.
Multi-factor authentication
Passwords alone are not sufficient for important accounts. Offer TOTP (Time-based One-Time Passwords) or passkeys as a second factor.
Client-side: generating strong passwords
Use our Password Generator to create cryptographically strong passwords that meet modern requirements.