Key Takeaways
- Use unique, strong passwords for every account.
- Password managers make strong passwords practical.
- Length matters more than complexity for security.
- Enable two-factor authentication wherever possible.
- Developers should use bcrypt, Argon2, or scrypt for hashing.
- Never store passwords in plain text or reversible encryption.
1. Introduction to Password Security
Passwords remain the primary method of authentication for most digital services. Despite advances in biometrics and other authentication methods, the humble password continues to guard everything from your email to your bank accounts. Understanding password security is essential for protecting your digital life.
Unfortunately, password practices among users remain poor. Studies consistently show that the most common passwords include "123456," "password," and "qwerty." These weak passwords, combined with password reuse across multiple sites, create significant security vulnerabilities.
This guide covers password security from both the user perspective (creating and managing strong passwords) and the developer perspective (properly storing and handling passwords in applications).
Password Breach Statistics
Over 24 billion username/password combinations are available on the dark web. The average internet user has 100+ accounts, but many use the same password for multiple sites. When one service is breached, attackers test those credentials everywhere.
2. Creating Strong Passwords
2.1 What Makes a Password Strong?
Password strength comes from entropy: a measure, in bits, of how unpredictable the password is to an attacker who knows how it was generated. Key factors include:
- Length: The most important factor. Each additional character multiplies the number of possible passwords by the size of the character set, so the work needed to guess the password grows exponentially with length
- Character Variety: Using lowercase, uppercase, numbers, and symbols enlarges the character set, but adding one character does more than adding symbols to a short password
- Randomness: Entropy estimates only hold for randomly generated passwords. Patterns, dictionary words, and personal information are the first things cracking tools try
- Uniqueness: Using a different password for each account, so one breach does not unlock the rest
2.2 Password Methods
Random Character Passwords
Example: K#9$mPx2@vLqZ
Highly secure but difficult to remember. Best used with a password manager.
Passphrase Method
Example: correct-horse-battery-staple
Multiple random words combined. Easier to remember while still secure: four words drawn at random from a 7,776-word Diceware list give about 52 bits of entropy (4 × log2 7776). The words must come from a random draw (dice or a generator), not from the user's head; a phrase someone composes is a dictionary phrase, not a random one.
Sentence Method
Example: IL0veP1zz4FromChicago!
Based on a memorable sentence with substitutions. Easier to remember, but weaker than it looks: cracking tools apply common substitutions (0 for o, 1 for i, 4 for a, ! at the end) automatically as rules, so treat it as a dictionary phrase rather than as random characters.
Recommended Password Strength
Minimum: 12 characters for general accounts
Better: 16+ characters for sensitive accounts
Critical: 20+ characters for high-value accounts (email, banking, password manager master password)
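The entropy arithmetic behind these recommendations, as an added example in Python (not code from the original page). Passwords and passphrases are generated with the secrets module, which uses the operating system's CSPRNG. The word list is a constructed stand-in; the 7,776 figure is the size of a standard Diceware list, and the guess rate of 10^10 per second is an illustrative assumption for an offline attack against a fast hash, not a measured figure.

```python
import math
import secrets
import string

# Constructed stand-in for a Diceware-style word list. Only the list size
# matters for the entropy estimate; a real list has 7,776 words (assumed).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "harbor", "pixel",
                "maple", "tundra", "ripple", "silver", "garden", "cloud"]
DICEWARE_LIST_SIZE = 7776

# 52 letters + 10 digits + 32 punctuation symbols = 94 printable characters
ASCII_PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a string whose every position is chosen uniformly at random:
    length * log2(alphabet_size). This only holds for random generation; a
    human-chosen password with the same shape has far less."""
    return length * math.log2(alphabet_size)


def random_password(length: int = 16, alphabet: str = ASCII_PRINTABLE) -> str:
    """Random character password, generated with a CSPRNG (secrets), never
    with random.choice, which is predictable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words, count: int = 4, sep: str = "-") -> str:
    """Passphrase method: words drawn uniformly at random from the list."""
    return sep.join(secrets.choice(words) for _ in range(count))


def half_space_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected brute-force time: on average the attacker searches half the
    space. The default rate is an assumed offline rate against a fast,
    unsalted hash; a slow password hash such as bcrypt lowers it by orders
    of magnitude."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    pw = random_password(13)
    print(pw, round(entropy_bits(len(ASCII_PRINTABLE), 13), 1), "bits")
    phrase = random_passphrase(SAMPLE_WORDS)
    print(phrase, round(entropy_bits(DICEWARE_LIST_SIZE, 4), 1), "bits")
    # Length beats complexity: 20 random lowercase letters (94.0 bits) carry
    # more entropy than 12 characters from the full printable set (78.7 bits).
    print(entropy_bits(26, 20) > entropy_bits(94, 12))
    print(f"{half_space_seconds(52) / 3600:.1f} hours at 1e10 guesses/s")
```

The last line is the caveat to keep in mind: about 52 bits is comfortable against online guessing, where rate limiting caps attempts, but against an offline attack on a fast unsalted hash it is a matter of hours, which is why sections 2 and 4 of this guide go together.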
2.3 What to Avoid
- Dictionary words (even with simple substitutions like @ for a)
- Personal information (names, birthdays, pet names)
- Keyboard patterns (qwerty, 12345, asdfgh)
- Previously breached passwords (check the Pwned Passwords service at haveibeenpwned.com; it sends only the first five characters of the password's SHA-1 hash, so the password itself never leaves your machine)
- Reusing passwords across sites
3. Password Managers
3.1 Why Use a Password Manager?
Password managers solve the fundamental problem of password security: humans can't remember dozens of strong, unique passwords. A password manager stores all your passwords encrypted, requiring you to remember only one master password.
- Generate Strong Passwords: Create random, high-entropy passwords instantly
- Store Securely: Encrypted vault protects all credentials
- Autofill: Fills login forms only on the domain the credential was saved for, so a lookalike phishing domain gets nothing, which is what reduces phishing risk
- Sync: Access passwords across all your devices
- Additional Data: Store secure notes and other sensitive information. Many managers can also hold TOTP secrets; this is convenient, but a compromised vault then yields both factors, so at least the manager's own 2FA should live elsewhere (a hardware key or a separate authenticator)
3.2 Recommended Password Managers
| Manager | Type | Features | Price |
|---|---|---|---|
| Bitwarden | Cloud/Self-hosted | Open-source, cross-platform | Free / $10/year |
| 1Password | Cloud | Travel mode, family sharing | $36/year |
| Dashlane | Cloud | VPN included, dark web monitoring | $60/year |
| KeePassXC | Local | Offline, maximum control | Free |
3.3 Master Password Best Practices
Your master password is the key to all your passwords—it must be exceptionally strong and memorable:
- Use a long passphrase (5+ words) that you can remember
- Add some complexity (numbers, symbols, unusual capitalization)
- Never use it anywhere else
- Consider enabling 2FA for your password manager
- Store recovery codes securely offline
4. Password Hashing (For Developers)
4.1 Never Store Plain Text Passwords
If your database is breached, attackers should not be able to read user passwords. Always store passwords as cryptographic hashes.
What Not To Do
Never store passwords as plain text, base64 (an encoding, not protection), reversible encryption (the key usually sits next to the data and is taken in the same breach), or a fast general-purpose hash such as MD5, SHA-1, or SHA-256, with or without a salt. A salt defeats precomputed tables, but a GPU can still test billions of SHA-256 guesses per second; only a deliberately slow, salted password hash makes a stolen database expensive to crack. Each of these shortcuts has turned a database breach into a mass password leak.
4.2 Recommended Algorithms
| Algorithm | Recommendation | Work Factor |
|---|---|---|
| Argon2id | Best choice (2024); winner of the Password Hashing Competition | Memory-hard, resists GPU/ASIC attacks; OWASP minimum m=19 MiB, t=2, p=1 |
| bcrypt | Excellent, widely supported | Cost factor 10-12 (each +1 doubles the work); note it only uses the first 72 bytes of the password |
| scrypt | Good, memory-hard | N=2^17, r=8, p=1 (OWASP minimum) |
| PBKDF2 | Acceptable if nothing else is available (e.g. FIPS requirements) | 600,000 iterations with HMAC-SHA256 (OWASP 2023 guidance) |
Whatever the algorithm, tune the work factor so one hash takes roughly 250 ms on the servers that verify logins, store the parameters alongside the hash, and raise them as hardware gets faster.
4.3 Implementation Examples
```python
# Python with bcrypt (pip install bcrypt)
import bcrypt

# Hash password: gensalt() draws a random 128-bit salt and embeds it, with
# the cost factor, in the returned hash string. bcrypt uses at most the
# first 72 bytes of the password.
password = b"user_password"
salt = bcrypt.gensalt(rounds=12)
hashed = bcrypt.hashpw(password, salt)

# Verify password: checkpw re-derives the hash with the salt and cost stored
# in `hashed` and compares in constant time
if bcrypt.checkpw(password, hashed):
    print("Password matches")
```

```php
<?php
// PHP with password_hash (built in, no extension required)
$password = 'user_password';
// The salt and cost are generated and embedded in the returned string
$hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);

// Verify
if (password_verify($password, $hash)) {
    echo "Password matches";
}
```

```javascript
// Node.js with bcrypt (npm install bcrypt)
const bcrypt = require('bcrypt');
const saltRounds = 12;

// await is only valid inside an async function (or an ES module)
async function hashAndVerify(password) {
  // Hash: a random salt is generated and embedded in the result
  const hash = await bcrypt.hash(password, saltRounds);
  // Verify
  const match = await bcrypt.compare(password, hash);
  return match;
}

hashAndVerify('user_password').then((match) => {
  console.log(match ? 'Password matches' : 'Password does not match');
});
```
5. Two-Factor Authentication
5.1 Types of 2FA
- TOTP Apps: Google Authenticator, Authy, Microsoft Authenticator. They derive a 6-digit code from a shared secret and the current 30-second time step (RFC 6238); the secret stays on the phone, but a code typed into a phishing page can be relayed to the real site within that window
- Hardware Keys: YubiKey, Titan. Physical devices implementing FIDO2/U2F; the signed challenge is bound to the site's origin, so they resist phishing and are the strongest option
- SMS Codes: Text message codes. Better than nothing, but vulnerable to SIM swapping and to the same relay phishing as TOTP
- Push Notifications: Approve a login from an app. Convenient, but an attacker holding the password can send prompts until a tired user approves one ("push fatigue" or "MFA bombing"); number matching in the prompt mitigates this
- Passkeys: WebAuthn/FIDO2 credentials that replace the password. Origin-bound public-key authentication, phishing-resistant, with nothing reusable stored on the server
5.2 2FA Best Practices
- Enable 2FA on all accounts that support it, especially email
- Prefer hardware keys or TOTP apps over SMS
- Store backup codes securely offline
- Use a separate device for TOTP if possible
6. Common Password Attacks
| Attack | Description | Defense |
|---|---|---|
| Brute Force | Try all possible combinations | Long passwords; rate limiting and lockout for online guessing; slow salted hashing for offline cracking |
| Dictionary | Try common passwords and words, plus rules for substitutions, capitalization and suffixes | Random passwords, avoid dictionary words and leet-speak variants |
| Credential Stuffing | Replay username/password pairs from other sites' breaches, typically one attempt per account from many IPs | Unique passwords, 2FA; server side, watch for one source trying many different accounts |
| Phishing | Trick users into entering passwords (and 2FA codes) on a lookalike site | Password manager autofill is bound to the real domain; FIDO2 keys and passkeys are phishing-resistant |
| Rainbow Tables | Pre-computed hash-to-password databases | A random per-user salt, which every algorithm in section 4 applies |
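Brute force and credential stuffing look different in an authentication log, and per-account lockout only catches the first: stuffing touches each account once, so the signal is one source hitting many accounts. The following added example (not from the original page) runs that distinction over a handful of constructed log lines; the log format, thresholds, and IP addresses are this example's own assumptions, chosen from documentation ranges.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth log lines (not from any real system):
#   timestamp  source-ip  username  outcome
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 192.0.2.10 alice OK
2024-05-01T10:00:01Z 203.0.113.7 alice FAIL
2024-05-01T10:00:01Z 203.0.113.7 bob FAIL
2024-05-01T10:00:02Z 203.0.113.7 carol OK
2024-05-01T10:00:02Z 203.0.113.7 dave FAIL
2024-05-01T10:00:03Z 203.0.113.7 erin FAIL
2024-05-01T10:00:03Z 203.0.113.7 frank FAIL
2024-05-01T10:00:10Z 198.51.100.4 dave FAIL
2024-05-01T10:00:11Z 198.51.100.4 dave FAIL
2024-05-01T10:00:12Z 198.51.100.4 dave FAIL
2024-05-01T10:00:13Z 198.51.100.4 dave FAIL
2024-05-01T10:00:14Z 198.51.100.4 dave FAIL
2024-05-01T10:00:15Z 198.51.100.4 dave FAIL
2024-05-01T10:00:20Z 192.0.2.10 alice FAIL
2024-05-01T10:00:25Z 192.0.2.10 alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text: str):
    """Return (timestamp, ip, user, success) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, outcome = m.groups()
            events.append((ts, ip, user, outcome == "OK"))
    return events


def detect(events, stuffing_min_users: int = 5, bruteforce_min_fails: int = 5):
    """Credential stuffing: one source IP trying many distinct accounts; the
    accounts it logged into successfully are the ones to force a reset on.
    Brute force: many failures against one (ip, user) pair. Thresholds are
    assumptions for the sample; tune them to real traffic."""
    users_by_ip = defaultdict(set)
    successes_by_ip = defaultdict(set)
    fails_by_ip_user = Counter()
    for _, ip, user, ok in events:
        users_by_ip[ip].add(user)
        if ok:
            successes_by_ip[ip].add(user)
        else:
            fails_by_ip_user[(ip, user)] += 1

    stuffing = {ip: sorted(successes_by_ip[ip])
                for ip, users in users_by_ip.items()
                if len(users) >= stuffing_min_users}
    brute_force = {pair: n for pair, n in fails_by_ip_user.items()
                   if n >= bruteforce_min_fails}
    return {"credential_stuffing": stuffing, "brute_force": brute_force}


if __name__ == "__main__":
    findings = detect(parse_log(SAMPLE_LOG))
    for ip, compromised in findings["credential_stuffing"].items():
        print(f"stuffing from {ip}; accounts that accepted a leaked password: {compromised}")
    for (ip, user), n in findings["brute_force"].items():
        print(f"brute force: {n} failures against {user} from {ip}")
```

In the sample, 203.0.113.7 never fails twice against any one account, so per-account lockout stays silent while one leaked password (carol's) succeeds; the source-level view catches it. Alice's single typo from 192.0.2.10 trips neither rule.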
7. Account Recovery
7.1 Recovery Options
- Recovery Codes: Store securely, separate from password manager
- Backup Email: Keep this email secure
- Phone Number: Enable but be aware of SIM swap risks
- Security Questions: Use random answers stored in password manager
Conclusion
Password security is foundational to your digital safety. Use a password manager to create and store unique, strong passwords for every account. Enable two-factor authentication wherever possible. If you're a developer, use proper password hashing algorithms and never store credentials in plain text.