100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

Password Security Best Practices Cheat Sheet

Password Security Best Practices Cheat Sheet

Summarizes modern password hygiene, hashing standards, and multi-factor authentication practices for individuals and engineering teams.

1 PageBeginnerJan 28, 2026

Best Practices for Users

Habits that meaningfully reduce account compromise risk.

  • Use a password manager- Generate and store unique, random passwords per site (e.g. Bitwarden, 1Password)
  • Length over complexity- Prefer long passphrases (14+ characters) over short complex strings that are hard to remember
  • Unique per site- Never reuse a password across multiple accounts to limit credential-stuffing blast radius
  • Enable MFA everywhere- Add a second factor (authenticator app, hardware key) on top of the password
  • Avoid personal info- Don't use names, birthdays, or dictionary words that appear in guessing wordlists
  • Rotate only on compromise- NIST no longer recommends periodic forced rotation; rotate when a breach is suspected

Password Hashing (Node.js)

Correctly hash and verify passwords server-side using bcrypt.

javascript
const bcrypt = require('bcrypt');// Hashing: cost factor (salt rounds) controls work factor, 12 is a common defaultasync function hashPassword(plain) {  const saltRounds = 12;  return await bcrypt.hash(plain, saltRounds); // salt is generated and embedded automatically}// Verifyingasync function verifyPassword(plain, hash) {  return await bcrypt.compare(plain, hash); // true/false, timing-safe comparison}// Never store plaintext or use fast hashes like MD5/SHA1 for passwords

NIST-Aligned Password Policy

Configuration reference implementing NIST SP 800-63B guidance.

yaml
password_policy:  min_length: 12          # NIST recommends 8 minimum, 12+ for stronger accounts  max_length: 64          # allow long passphrases, don't artificially cap  require_uppercase: false   # composition rules add little value per NIST  require_special_char: false  check_against_breach_list: true   # reject passwords found in known breach corpora (e.g. HaveIBeenPwned)  block_common_passwords: true      # reject top-10k common password list  allow_paste: true        # supports password managers  lockout_threshold: 10    # account lockout after N failed attempts  mfa_required: true

Checking Breach Exposure (k-Anonymity API)

Use the Have I Been Pwned Pwned Passwords API without exposing the full password.

bash
# SHA-1 hash the password, send only the first 5 hex chars of the hashpassword="CorrectHorseBatteryStaple"hash=$(echo -n "$password" | sha1sum | tr 'a-z' 'A-Z' | cut -c1-40)prefix=${hash:0:5}suffix=${hash:5}curl -s "https://api.pwnedpasswords.com/range/$prefix" | grep -i "$suffix"# If a match with a count > 0 is returned, the password has appeared in a known breach

MFA Methods Ranked by Strength

Relative phishing resistance of common second-factor options.

  • Hardware security key (FIDO2/WebAuthn)- Strongest; cryptographically bound to the origin, resists phishing
  • Authenticator app (TOTP)- Good; time-based codes, but can be phished via real-time relay attacks
  • Push notification- Convenient but vulnerable to MFA fatigue/prompt-bombing attacks
  • SMS/voice OTP- Weakest; vulnerable to SIM-swapping and SS7 interception, avoid for sensitive accounts
Pro Tip

When migrating from an older hash format (MD5/SHA1), rehash transparently on the user's next successful login rather than forcing a mass password reset — verify against the old hash, then immediately store a new bcrypt/argon2 hash.

Was this cheat sheet helpful?

Explore Topics

#PasswordSecurityBestPractices#PasswordSecurityBestPracticesCheatSheet#Cybersecurity#Beginner#BestPracticesForUsers#PasswordHashingNodeJs#NIST#Aligned#Security#CheatSheet#SkillVeris