Password Security Best Practices Cheat Sheet
Summarizes modern password hygiene, hashing standards, and multi-factor authentication practices for individuals and engineering teams.
1 PageBeginnerJan 28, 2026
Best Practices for Users
Habits that meaningfully reduce account compromise risk.
- Use a password manager- Generate and store unique, random passwords per site (e.g. Bitwarden, 1Password)
- Length over complexity- Prefer long passphrases (14+ characters) over short complex strings that are hard to remember
- Unique per site- Never reuse a password across multiple accounts to limit credential-stuffing blast radius
- Enable MFA everywhere- Add a second factor (authenticator app, hardware key) on top of the password
- Avoid personal info- Don't use names, birthdays, or dictionary words that appear in guessing wordlists
- Rotate only on compromise- NIST no longer recommends periodic forced rotation; rotate when a breach is suspected
Password Hashing (Node.js)
Correctly hash and verify passwords server-side using bcrypt.
javascript
const bcrypt = require('bcrypt');// Hashing: cost factor (salt rounds) controls work factor, 12 is a common defaultasync function hashPassword(plain) { const saltRounds = 12; return await bcrypt.hash(plain, saltRounds); // salt is generated and embedded automatically}// Verifyingasync function verifyPassword(plain, hash) { return await bcrypt.compare(plain, hash); // true/false, timing-safe comparison}// Never store plaintext or use fast hashes like MD5/SHA1 for passwords
NIST-Aligned Password Policy
Configuration reference implementing NIST SP 800-63B guidance.
yaml
password_policy: min_length: 12 # NIST recommends 8 minimum, 12+ for stronger accounts max_length: 64 # allow long passphrases, don't artificially cap require_uppercase: false # composition rules add little value per NIST require_special_char: false check_against_breach_list: true # reject passwords found in known breach corpora (e.g. HaveIBeenPwned) block_common_passwords: true # reject top-10k common password list allow_paste: true # supports password managers lockout_threshold: 10 # account lockout after N failed attempts mfa_required: true
Checking Breach Exposure (k-Anonymity API)
Use the Have I Been Pwned Pwned Passwords API without exposing the full password.
bash
# SHA-1 hash the password, send only the first 5 hex chars of the hashpassword="CorrectHorseBatteryStaple"hash=$(echo -n "$password" | sha1sum | tr 'a-z' 'A-Z' | cut -c1-40)prefix=${hash:0:5}suffix=${hash:5}curl -s "https://api.pwnedpasswords.com/range/$prefix" | grep -i "$suffix"# If a match with a count > 0 is returned, the password has appeared in a known breach
MFA Methods Ranked by Strength
Relative phishing resistance of common second-factor options.
- Hardware security key (FIDO2/WebAuthn)- Strongest; cryptographically bound to the origin, resists phishing
- Authenticator app (TOTP)- Good; time-based codes, but can be phished via real-time relay attacks
- Push notification- Convenient but vulnerable to MFA fatigue/prompt-bombing attacks
- SMS/voice OTP- Weakest; vulnerable to SIM-swapping and SS7 interception, avoid for sensitive accounts
Pro Tip
When migrating from an older hash format (MD5/SHA1), rehash transparently on the user's next successful login rather than forcing a mass password reset — verify against the old hash, then immediately store a new bcrypt/argon2 hash.
Was this cheat sheet helpful?
Explore Topics
#PasswordSecurityBestPractices#PasswordSecurityBestPracticesCheatSheet#Cybersecurity#Beginner#BestPracticesForUsers#PasswordHashingNodeJs#NIST#Aligned#Security#CheatSheet#SkillVeris
Advertisement
Sri Hayavadhana Info-Tech
Professional Web Designing Services
- Responsive Websites
- E-commerce Solutions
- SEO Friendly Design
- Fast & Secure
- Support & Maintenance