How do I validate password strength?
Require minimum 8 characters. Encourage passphrases. Reject common passwords (haveibeenpwned API or a wordlist). Do not enforce arbitrary complexity rules (uppercase, special chars) that hurt usability more than they help.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in Password Storage Best Practices in Node.js
Always hash (never plain text), use a slow hash (bcrypt or argon2), use a salt (automatic), mark the field with select: false, use a serializer, never log passwords, hash in a pre('save') hook, handle updates, validate strength, rate limit login, use HTTPS, and invalidate sessions on password change.
To exclude it from find queries by default. Without this, User.find() returns passwordHash to the client. Use .select('+passwordHash') only when needed (e.g., for login). Combined with a serializer, this is defense in depth.
To prevent brute-force password attacks. 5 attempts per 15 minutes per IP and per email. After too many failures, lock the account temporarily. Rate limiting is a small addition with big protection.
Still have questions?
Browse all our FAQs or reach out to our support team
