Password Security: Best Practices for Creating and Storing Passwords

Password Security: Best Practices for Creating and Storing Passwords

Password security encompasses the practices, tools, and policies for creating, storing, and managing passwords to protect accounts from unauthorized access. Despite the rise of biometrics and passkeys, passwords remain the most common authentication method. Weak passwords are responsible for over 80 percent of data breaches. Password security includes two aspects: user-side (creating strong, unique passwords) and server-side (storing passwords securely using salted hashing). Understanding both is essential for building secure systems.

To understand password security properly, it helps to be familiar with authentication fundamentals, hashing, and multi-factor authentication.

┌─────────────────────────────────────────────────────────────────────────┐
│                         Password Security                                │
├─────────────────────────────────────────────────────────────────────────┤
│                                                                          │
│   User-Side                             Server-Side                     │
│   (Creating passwords)                   (Storing passwords)             │
│   ┌─────────────────────────┐           ┌─────────────────────────────┐ │
│   │ • Use password manager  │           │ • Never store plain text    │ │
│   │ • Long, random passwords│           │ • Use salted hashing        │ │
│   │ • Unique per site       │           │ • Use slow hash function    │ │
│   │ • Enable MFA            │           │   (bcrypt, Argon2id)        │ │
│   └─────────────────────────┘           └─────────────────────────────┘ │
│                                                                          │
│   Common Attacks:                                                        │
│   ┌─────────────────────────────────────────────────────────────────┐   │
│   │ • Phishing       - Trick user into revealing password           │   │
│   │ • Credential     - Use stolen passwords from other breaches     │   │
│   │   Stuffing                                                       │   │
│   │ • Brute Force    - Try many password combinations               │   │
│   │ • Dictionary     - Try common passwords (123456, password)      │   │
│   │ • Keylogging     - Capture keystrokes to steal password         │   │
│   │ • Database       - Steal password hashes from server            │   │
│   │   Breach                                                         │   │
│   └─────────────────────────────────────────────────────────────────┘   │
│                                                                          │
└─────────────────────────────────────────────────────────────────────────┘

What Is Password Security?

Password security refers to the practices, technologies, and policies that protect passwords from being stolen, guessed, or misused. It has two main components: user-side practices (creating strong, unique passwords; using password managers; enabling multi-factor authentication) and server-side practices (storing passwords securely using salted hashing; enforcing password policies; detecting breaches). Weak password security is the leading cause of account compromises.

• Password Complexity: Length (minimum 12-16 characters, longer is better). Character types (uppercase, lowercase, numbers, symbols). Avoiding common patterns (password, 123456, qwerty).
• Password Uniqueness: Never reuse passwords across different sites (prevents credential stuffing). Password managers enable unique passwords per site.
• Password Storage: Never store in plain text, always use salted hashing, use slow, memory-hard algorithms (Argon2id, bcrypt).
• Multi-Factor Authentication (MFA): Adds second layer of security beyond password (TOTP, hardware key, biometric). Essential for all accounts.

Why Password Security Matters

Passwords are the primary authentication method, and weak passwords are a leading cause of data breaches. Poor password security affects individuals and organizations.

• Widespread Password Reuse: 65 percent of people reuse passwords across sites. One breached password compromises multiple accounts. Credential stuffing attacks exploit reuse.
• Common Weak Passwords: "123456", "password", "qwerty" are still top passwords. Hackers can guess these instantly (dictionary attacks).
• Data Breach Impact: Stolen password databases can be cracked offline. Fast hash functions (MD5, SHA-1) are cracked in seconds. Organizations face fines, reputation damage, customer loss.
• Brute Force Attacks: Attackers try millions of password combinations per second. Short passwords (<8 characters) are cracked quickly. Rate limiting and lockouts help but don't prevent offline cracking.

Password Length   Complexity              Cracking Time (8 GPUs)
─────────────────────────────────────────────────────────────────────────────
6 characters      Lowercase only           Instant
6 characters      Full ASCII              Seconds
8 characters      Lowercase only           Minutes
8 characters      Full ASCII              Days
10 characters     Lowercase only           Months
10 characters     Full ASCII              Centuries
12 characters     Lowercase only           Centuries
12 characters     Full ASCII              Millions of years

Note: These assume bcrypt (cost=10). Without bcrypt (MD5), times are microseconds.
Always use slow, memory-hard hash functions (Argon2id, bcrypt).

Common Password Attacks

Creating Strong Passwords

Method 1: Random String (Password Manager)
  • 16-20 random characters
  • Mixed case + numbers + symbols
  • Example: "k9#mP2$qL8&vR4@xW7"

Method 2: Passphrase (Memorable, longer)
  • 4-6 random words
  • Length > 20 characters
  • Example: "correct-horse-battery-staple" (XKCD)
  • Add random numbers/symbols: "correct-horse-42-battery!"

Method 3: Acronym from sentence
  • Sentence: "My first car was a red Toyota Camry from 2010"
  • Password: "Mfcwa rTCf2010" (12+ characters)

Avoid:
  • Dictionary words ("password", "admin")
  • Personal info (name, birthdate, pet)
  • Keyboard patterns ("qwerty", "123456")
  • Sequences ("abc123", "passw0rd")

Password Managers

Password managers generate and store strong, unique passwords for every site. The user only needs to remember one master password. They help prevent credential stuffing and eliminate password reuse. Many include breach monitoring (alert if credentials exposed).

Essential Features:
  • Secure encryption (AES-256)
  • Zero-knowledge architecture
  • Cross-platform sync (phone, laptop)
  • Password generator (random, configurable)
  • Auto-fill (prevents phishing)
  • Breach monitoring

Recommended Password Managers:
  • Bitwarden (open source, free tier)
  • 1Password (polished, family plans)
  • Apple Keychain (iOS/macOS users)
  • Google Password Manager (Chrome/Android)
  • Keepass (offline, power users)

Secure Password Storage (Server-Side)

Never store passwords in plain text. Always use salted hashing with slow, memory-hard algorithms.

Algorithm Recommendation:
  • Argon2id (best, winner of Password Hashing Competition)
  • bcrypt (good, widely supported, cost ≥ 12)
  • PBKDF2 (acceptable, NIST standard, iterations ≥ 310,000)
  • scrypt (good, memory-hard)

NEVER use:
  • MD5 (broken, fast)
  • SHA-1 (broken, fast)
  • SHA-256 (too fast for passwords, use with salt + iterations)
  • Plain text (obviously)

Salting:
  • 16+ byte random salt per password
  • Unique per password
  • Store with hash (not secret)

Work Factor:
  • Target 0.1-0.5 seconds per hash
  • bcrypt cost: 12 (10 is minimum)
  • Argon2id: memory=64MB, iterations=3, parallelism=4

const bcrypt = require('bcrypt');

// Hashing
const saltRounds = 12;
const plainPassword = 'user_input';
const hash = await bcrypt.hash(plainPassword, saltRounds);
// Store hash in database

// Verification
const isMatch = await bcrypt.compare(plainPassword, storedHash);
if (isMatch) {
    // Password correct
}

from argon2 import PasswordHasher
ph = PasswordHasher(
    time_cost=3,      # iterations
    memory_cost=65536,# 64MB
    parallelism=4     # threads
)

# Hashing
hash = ph.hash("user_password")
# Store hash in database

# Verification
try:
    ph.verify(stored_hash, "user_password")
    if ph.check_needs_rehash(stored_hash):
        # Upgrade hash (re-hash with new params)
        new_hash = ph.hash("user_password")
except:
    # Password incorrect

Password Security Anti-Patterns

• Complexity Rules That Backfire: Requirements like must include uppercase, number, symbol lead to predictable patterns ("Password1!", "P@ssw0rd"). Users write passwords down or reuse them. Better: length minimum (12+ characters) and check against breach databases.
• Regular Password Expiration: Users make minor changes ("Password1" → "Password2") which are easy to guess. Frequent changes lead to weaker passwords. Remove expiration unless there's evidence of compromise. Use breach detection instead.
• Password Hints: Hints often give away password ("favorite pet" → "Fluffy"). Attackers can guess hint answers. Disable password hints (or only allow system-generated hints).
• Storing Passwords in Reversible Format (Encryption): Encrypted passwords can be decrypted (key compromise = all passwords leaked). Use one-way salted hashing (cannot be reversed). Encryption is only acceptable for systems that need original password (rare).
• Not Using Salt: Unsalted hashes allow precomputed rainbow tables, same passwords produce same hash (attackers crack all at once). Always use unique salt per password.
• Using Fast Hash Functions (MD5, SHA): Attackers can try billions of guesses per second. Use slow, memory-hard functions (Argon2id, bcrypt).

User-Facing Policy:
□ Minimum length 12 characters (prefer 16)
□ No complexity requirements (let users choose)
□ Block breached passwords (check HaveIBeenPwned)
□ No regular expiration (unless compromise)
□ Support password managers (long paste allowed)
□ Require MFA for all accounts

Server-Side Storage:
□ Argon2id or bcrypt (cost ≥ 12)
□ Unique 16+ byte salt per password
□ No plain text, no reversible encryption
□ Rate limit login attempts (5-10 tries)
□ Log failed attempts (detect brute force)

Additional Controls:
□ Breach monitoring (alert users)
□ Password strength meter (client-side)
□ Multi-factor authentication enforcement
□ Session management (re-authenticate for sensitive actions)

Password Security Best Practices

• Encourage Password Managers: Users cannot remember 50 unique random passwords. Password managers solve password reuse and weak passwords. Promote password managers (Bitwarden, 1Password, etc.).
• Enforce Strong Passwords Without Annoying Rules: Minimum length 12 characters (no complexity requirements). Block weak passwords (check against breach databases). Provide password strength meter (client-side, real-time).
• Check Against Breached Passwords (HaveIBeenPwned API): Use k-anonymity API (send first 5 characters of hash only). Block passwords that appear in known breaches. User-friendly message: "This password has appeared in a data breach".
• Implement Rate Limiting and Account Lockout: Limit login attempts (5-10 per minute). Progressive delays (increasing wait times). Lockout with CAPTCHA or temporary lock (avoid permanent lockout, DoS risk).
• Use Secure Password Hashing (Argon2id or bcrypt): Argon2id recommended for new systems. bcrypt (cost ≥ 12) acceptable for legacy. PBKDF2 (iterations ≥ 310,000) minimum acceptable.
• Require Multi-Factor Authentication (MFA): MFA mitigates password theft (phishing, keylogging). Prefer WebAuthn (passkeys) or TOTP (authenticator app). SMS is better than nothing but not recommended for high-value accounts.
• Monitor for Breached Credentials: Subscribe to breach notification services (HaveIBeenPwned for Enterprise). Force password reset when user's credentials appear in breach. Send alerts to users.

Requirement                         Recommended Algorithm
─────────────────────────────────────────────────────────────────────────────
New projects (best security)        Argon2id
Existing systems (widely supported)  bcrypt (cost=12)
FIPS compliance (government)         PBKDF2 (310k+ iterations)
Legacy systems (minimum)             bcrypt (cost=10) or PBKDF2
Memory-constrained (embedded)        bcrypt (lower cost)
Highest security (long-term)         Argon2id (memory=128MB, iterations=3)

Frequently Asked Questions

1. How long should a password be?
   12 characters minimum, 16+ recommended for important accounts. Length matters more than complexity. A 20-character random passphrase is excellent. Password managers can generate 20+ random characters.
2. Should I change my password regularly?
   No, unless you suspect compromise (breach, phishing). NIST removes regular expiration from guidelines. Frequent changes lead to weaker passwords. Change only when: notified of breach, potential compromise, or employee leaves.
3. Is a password manager safe?
   Yes, reputable password managers use strong encryption (AES-256) and zero-knowledge architecture. Much safer than password reuse or weak passwords. Use strong master password (long, unique) and enable MFA for password manager.
4. What is the difference between hashing and encryption for passwords?
   Hashing is one-way (cannot be reversed) and suitable for password storage. Encryption is reversible (requires key) and less secure for passwords. If encryption key is stolen, all passwords are decrypted. Always use salted hashing (Argon2id, bcrypt) for passwords.
5. Why do I need salt for password hashing?
   Without salt, same passwords produce same hash. Attackers can precompute rainbow tables, crack all matching passwords at once. Salt (random per password) ensures identical passwords have different hashes. Salt is not secret (store with hash) but prevents precomputation attacks.
6. What should I learn next after password security?
   After mastering password security, explore password hashing algorithms (Argon2id, bcrypt), multi-factor authentication (MFA), WebAuthn and passkeys (passwordless), breach detection and response, and identity management for enterprises.