DevBolt

Password Security: What Developers and Users Need to Know

Tags: Security · Authentication · Best Practices

Password security affects both sides of the stack — the passwords users create and the way developers store them. This guide covers what makes a password strong, how modern attacks work, and the hashing and storage practices every developer should follow.

What Makes a Password Strong

Password strength comes down to one thing: entropy — how many possible combinations an attacker has to try. Length matters far more than complexity:

| Password | Entropy (bits) | Time to crack |
|---|---|---|
| P@ssw0rd | ~30 | Seconds (dictionary attack) |
| Tr0ub4dor&3 | ~28 | Minutes |
| correct horse battery staple | ~44 | Centuries |
| kX9!mL2$pQ7@vR4& | ~98 | Heat death of the universe |

A 16-character random password has more entropy than a short “complex” password with special characters. Passphrases (random words strung together) are both strong and memorable.
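To make the arithmetic behind the table concrete, here is an added Python example (written for this page, not code from the original article): a randomly generated password's entropy is length × log2(alphabet size), a passphrase's is words × log2(wordlist size), and the time to crack is that keyspace divided by the attacker's guess rate, which is exactly what the choice of hashing algorithm later in the article controls. The function names, the eight-symbol special-character set and the 2048-word list size are assumptions made for the illustration; the formula only applies to passwords that were actually generated at random, not to human-chosen strings like Tr0ub4dor&3.

```python
import math
import string

# Character classes a generated password can draw from; the alphabet size is
# the sum of the classes actually present. The 8-symbol set is an assumption
# chosen so the article's 16-character example lands near the ~98 bits it
# quotes (16 * log2(26 + 26 + 10 + 8) is about 98).
_CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    ("!@#$%^&*", 8),
)


def random_password_entropy(password: str) -> float:
    """Entropy in bits of a *randomly generated* password: len * log2(alphabet).

    Assumes every character was drawn uniformly from the alphabet formed by the
    character classes present. A human-chosen string like 'Tr0ub4dor&3' is far
    weaker than this formula suggests because its structure is predictable.
    """
    alphabet = sum(size for chars, size in _CLASSES if any(c in chars for c in password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def passphrase_entropy(num_words: int, wordlist_size: int = 2048) -> float:
    """Entropy of num_words words drawn uniformly from a wordlist.

    2048 words (11 bits each) is the assumed list size; four words give 44 bits,
    matching the 'correct horse battery staple' row of the table.
    """
    return num_words * math.log2(wordlist_size)


def seconds_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time to search half the keyspace at the given guess rate.

    The rate is the whole story: the same 44-bit passphrase takes a million
    times longer against a hash that allows 10**4 guesses/s than against one
    that allows 10**10 guesses/s, which is why the article insists on slow,
    purpose-built password hashes.
    """
    return (2 ** bits / 2) / guesses_per_second


if __name__ == "__main__":
    for pw in ("correct horse battery staple", "kX9!mL2$pQ7@vR4&"):
        print(pw, round(random_password_entropy(pw), 1), "bits as a random string")
    print("4-word passphrase:", passphrase_entropy(4), "bits")
    for rate in (1e10, 1e4):
        print(f"44 bits at {rate:.0e} guesses/s: {seconds_to_crack(44, rate):.0f} s")
```

The passphrase row is the instructive one: treated as random words from a 2048-word list it is 44 bits, and whether that is "minutes" or "centuries" depends entirely on how many guesses per second the stored hash lets an attacker make.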

How Passwords Get Cracked

Understanding attack methods helps you understand why certain practices exist:

  • Brute force — try every possible combination. GPUs can test billions of simple hashes per second.
  • Dictionary attack — try common passwords and word lists. “password123” falls in milliseconds.
  • Credential stuffing — use leaked credentials from one breach to access other services. Works because people reuse passwords.
  • Rainbow tables — precomputed hash-to-password mappings. Defeated by salting (adding random data before hashing).

For Users: Password Best Practices

  1. Use a password manager. Generate unique, random passwords for every account. You only need to remember one master password.
  2. Make passwords long. 16+ characters. Prefer random characters or 4+ word passphrases.
  3. Never reuse passwords. One breach exposes every account that shares the same password.
  4. Enable two-factor authentication (2FA). Even if your password is compromised, 2FA blocks the attacker. Use an authenticator app (TOTP) over SMS when possible.
  5. Check for breaches. Services like Have I Been Pwned let you check if your email or passwords have appeared in known data breaches.

For Developers: Hashing and Storage

The golden rule: never store passwords in plaintext. Always hash them with a purpose-built password hashing function.

Hashing vs Encryption

  • Hashing is one-way. You can verify a password matches the hash, but you can't recover the original. This is what you want for passwords.
  • Encryption is two-way. If someone gets the key, they can decrypt everything. Not suitable for password storage.

Use the Right Algorithm

General-purpose hash functions like SHA-256 are too fast — an attacker can test billions of guesses per second. Use algorithms designed to be slow:

| Algorithm | Recommendation | Notes |
|---|---|---|
| Argon2id | Best choice | Winner of the Password Hashing Competition. Memory-hard. |
| bcrypt | Great | Battle-tested, widely supported. Cost factor 12+. |
| scrypt | Good | Memory-hard. Used by some crypto systems. |
| PBKDF2 | Acceptable | NIST-approved but not memory-hard. 600K+ iterations. |
| MD5 / SHA-* | Never | Way too fast. Billions of hashes/second on GPU. |

Code Examples

Node.js (bcrypt)

```javascript
import bcrypt from "bcrypt";

// Hash a password with cost factor 12; store the returned hash in your database.
// bcrypt generates and embeds a random salt in the hash string itself.
async function hashPassword(password) {
  return bcrypt.hash(password, 12);
}

// Verify a login attempt against the stored hash; resolves to true on a match.
async function verifyPassword(password, hash) {
  return bcrypt.compare(password, hash);
}
```
Python (Argon2)

```python
from argon2 import PasswordHasher
from argon2.exceptions import VerifyMismatchError

ph = PasswordHasher()  # Argon2id with the library's default parameters


def hash_password(password: str) -> str:
    # Hash a password; store the returned string (it embeds salt and parameters)
    return ph.hash(password)


def verify_password(password_hash: str, password: str) -> bool:
    # Verify a login attempt; verify() raises rather than returning False
    try:
        ph.verify(password_hash, password)
        return True
    except VerifyMismatchError:
        # Invalid password
        return False
```
Go (bcrypt)

```go
import "golang.org/x/crypto/bcrypt"

// hashPassword hashes a password with cost factor 12; store the returned
// bytes in your database (bcrypt embeds its own random salt).
func hashPassword(password string) ([]byte, error) {
	return bcrypt.GenerateFromPassword([]byte(password), 12)
}

// verifyPassword checks a login attempt against the stored hash.
// CompareHashAndPassword returns nil only when the password matches.
func verifyPassword(hash []byte, password string) bool {
	err := bcrypt.CompareHashAndPassword(hash, []byte(password))
	return err == nil
}
```
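The three snippets above each depend on a third-party package. The following added example (written for this page; it is not the article's code or any library's API) shows the same hash-and-verify flow using only the Python standard library, with PBKDF2-HMAC-SHA256 at the 600,000 iterations the table calls acceptable. It also makes explicit two details the library calls hide: a fresh random salt per password stored alongside the hash, and a constant-time comparison when verifying. The `$`-separated storage format, the function names and the `needs_rehash` policy check are assumptions; this is a stand-in for when Argon2id or bcrypt packages are unavailable, not a recommendation over them.

```python
import base64
import hashlib
import hmac
import os

# Current hashing policy (assumed for this example). PBKDF2 is used only because
# it ships with the standard library; Argon2id or bcrypt are preferable when
# their packages are available.
ALGORITHM = "pbkdf2-sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing string '$pbkdf2-sha256$<iterations>$<salt>$<hash>'.

    A random per-password salt means identical passwords get different hashes
    and precomputed (rainbow) tables are useless; storing the iteration count
    with the hash lets the policy be raised later without breaking old records.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=KEY_BYTES)
    return f"${ALGORITHM}${iterations}${_b64(salt)}${_b64(dk)}"


def _parse(stored: str) -> tuple[int, bytes, bytes]:
    # Base64 never contains '$', so splitting on it is unambiguous.
    _, alg, iterations, salt, dk = stored.split("$")
    if alg != ALGORITHM:
        raise ValueError(f"unsupported hash algorithm: {alg}")
    return int(iterations), base64.b64decode(salt), base64.b64decode(dk)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so timing does not leak how many leading bytes matched."""
    iterations, salt, expected = _parse(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when the record was hashed with weaker-than-current parameters.

    Call this right after a successful login, while the plaintext is available,
    and re-store hash_password(password) to upgrade old records transparently.
    """
    iterations, _, _ = _parse(stored)
    return iterations < ITERATIONS


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("correct password:", verify_password("correct horse battery staple", record))
    print("wrong password:  ", verify_password("correct horse battery stable", record))
    print("needs rehash:    ", needs_rehash(record))
```

The `needs_rehash` step is what lets you raise the iteration count (or migrate to Argon2id) over time: old records keep verifying with their embedded parameters, and each successful login silently rewrites them under the current policy.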

Implementation Checklist

  • Hash passwords with Argon2id or bcrypt (never MD5/SHA)
  • Enforce a minimum length (12+ characters), not complexity rules
  • Check passwords against known breached lists (HIBP API)
  • Offer and encourage 2FA (TOTP authenticator apps)
  • Rate-limit login attempts (5 per minute per IP/account)
  • Never log, email, or display passwords
  • Use HTTPS everywhere — passwords in plaintext over HTTP are trivially intercepted
  • Store secrets (API keys, database passwords) in environment variables, not code

Secure hosting matters too

Cloudways provides managed hosting with built-in SSL, automated backups, OS-level firewalls, and two-factor authentication. Deploy on DigitalOcean, AWS, or GCP without managing servers yourself.

Generate Strong Passwords

Use our Password Generator to create cryptographically secure passwords with configurable length, character sets, and entropy estimation. To verify hash outputs, try the Hash Generator. Both tools run entirely in your browser — your passwords never leave your device.