The State of Passwords in 2026
Despite the push toward passkeys and biometrics, passwords remain the primary authentication method for most applications. Here's the current best practice for handling them.
Password Generation Rules
- Minimum 12 characters (16+ recommended)
- Mix of uppercase, lowercase, numbers, and symbols
- Avoid dictionary words and common patterns
- Use a cryptographically secure random generator (not Math.random())
- Never generate passwords server-side and transmit them — generate client-side
Hashing Best Practices
- Use Argon2id — the winner of the Password Hashing Competition, recommended by OWASP
- If Argon2 is unavailable: bcrypt with a cost factor of 12 or higher, or scrypt
- Never use MD5, SHA-1, SHA-256 or any other fast general-purpose hash, nor any unsalted hash: these are built for speed, which is exactly what an offline cracking attack exploits
- Always use a unique salt per password (standard Argon2 and bcrypt libraries generate one for you and store it inside the hash string)
Common Mistakes
- Limiting password length (let users use 128+ characters)
- Blocking special characters or spaces
- Requiring forced rotation (NIST now recommends against this)
- Storing passwords in plaintext or reversible encryption
- Using the same hash for password and password-reset tokens
Client-Side Password Generators
The safest way to generate a strong password is to do it entirely in your browser. Server-generated passwords expose the plaintext password to network transmission and server logs.
Our Password Generator creates cryptographically random passwords using the Web Crypto API (window.crypto.getRandomValues). The generated password never leaves your browser.
Testing Password Strength
A password's strength depends on its entropy, that is, the number of equally likely values it could take. A 16-character password drawn uniformly from mixed case, numbers, and symbols has over 100 bits of entropy, which puts brute-force search out of reach.