Password Security Done Right
Contents
Password security seems simple but is often done wrong. Here’s how to handle passwords correctly.
Never Store Plain Text
This should be obvious, but breaches still reveal plain text passwords. Always hash.
Use the Right Algorithm
Good choices:
- bcrypt
- Argon2 (preferred for new projects)
- scrypt
Never use:
- MD5
- SHA-1
- SHA-256 alone (too fast)
bcrypt Example
|
|
|
|
Work Factor Matters
The “rounds” or “cost” parameter controls how slow hashing is:
|
|
Password Requirements
Good policy:
- Minimum 12 characters
- Check against breached password lists
- No complexity rules (they don’t help)
Bad policy:
- Must have uppercase, lowercase, number, symbol
- Maximum length (never limit this)
- Forced rotation
Rate Limiting
Prevent brute force:
|
|
Additional Protections
Multi-Factor Authentication
Always offer MFA. TOTP is a good baseline:
|
|
Secure Password Reset
- Time-limited tokens (1 hour max)
- Single use
- Invalidate on password change
- Don’t reveal if email exists
Storage Checklist
- Passwords hashed with bcrypt/Argon2
- Sufficient work factor (>= 12 rounds)
- Rate limiting on login
- Account lockout after failures
- MFA available
- Secure password reset flow
- No password in logs
Password security is foundational. Get it right from the start.
Comments