Hackers know your password. I'm like 99% sure they do. Just go to ';--have i been pwned? and enter your email(s). See? Your password is as good as public.
We all hate passwords, don't we? Trying to keep them easy to remember but also hard to break, while complying with stupid arbitrary rules, while corporate forces you to change them regularly... They're a pain in the ass.
They aren't even that safe. How can you be sure that the administrator of a website that you trusted with your password even hashes it? How do you know they salt it? How do you know they don't use an outdated hashing algorithm? How can you be sure they won't have a data breach, their database leaked, and your password recovered with supercomputers?
Damn, I'm an administrator myself, and I still can't be sure I do everything right. I got a panic attack last week when a user reported that his password was stolen and used for blackmail (see: Recognising red flags in blackmail emails) – in this case it was a reused password that leaked somewhere else, but still... Even though I'm storing people's passwords in the best way I can, I would feel so much better if I just didn't have to store them.
How about we just stop using passwords?
1. Social login
If you log in with Facebook, Twitter, Google, Apple or whatever, you make me a happier developer. Yes, your social media account is still protected by a password, but at least I don't know it. If anything happens to your social media account, it's gonna be a problem for a huge corporation with a well-funded infosec department – not for a random developer who makes websites for fun and does their best to keep them safe.
2. Magic links
In my first job I saw in the logs that many users used the “remind password” feature not as a recovery option, but as their main login method. Today, their quirk is actually becoming an increasingly popular security trend. If you go, for example, to Whereby, they'll only ask you for your email, not a password. Every time you try to log in, they'll just send you an email with a one-time code.
I implemented a similar approach in my new project, Avris Booster: Quick start of new projects (under active development). Now I don't need separate “register”, “log in” and “remind password” forms – I just have one. Now I don't keep any passwords – just some temporary codes that can't be reused on other websites.
And users don't have to worry about remembering, storing or losing their passwords.
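A minimal version of that flow, as an added example (this is my own illustration, not Avris Booster's code): the server emails a random code, keeps only its hash, and accepts it once, for the right email, before it expires. The `MagicLinkStore` class and the 15-minute lifetime are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60  # a login code is only valid for 15 minutes (assumed value)


class MagicLinkStore:
    """Issues and redeems single-use login codes, storing only their hashes."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing expiry
        self._pending = {}           # sha256(code) -> (email, expires_at)

    def issue(self, email: str) -> str:
        """Create the code to put in the email. The plaintext is never stored,
        so a leaked table of pending codes cannot be used to log in."""
        code = secrets.token_urlsafe(32)  # ~256 bits from the OS CSPRNG
        self._pending[self._digest(code)] = (email.lower(), self._clock() + CODE_TTL_SECONDS)
        return code

    def redeem(self, email: str, code: str) -> bool:
        """True only if the code is known, unexpired, unused and bound to this email."""
        # pop() removes the entry on the first attempt, so a code can never be replayed
        entry = self._pending.pop(self._digest(code), None)
        if entry is None:
            return False
        stored_email, expires_at = entry
        if self._clock() > expires_at:
            return False
        # constant-time comparison so the email check leaks nothing via timing
        return hmac.compare_digest(stored_email.encode(), email.lower().encode())

    def purge_expired(self) -> int:
        """Drop stale entries so the table does not grow forever; returns how many were removed."""
        now = self._clock()
        stale = [h for h, (_, exp) in self._pending.items() if now > exp]
        for h in stale:
            del self._pending[h]
        return len(stale)

    @staticmethod
    def _digest(code: str) -> str:
        # Looking the hash up in a dict is not constant-time, but the code has
        # 256 bits of entropy, so timing tells an attacker nothing useful.
        return hashlib.sha256(code.encode()).hexdigest()
```

Sending the email and rate-limiting `issue()` per address are left to the surrounding application.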
3. Multi-factor authentication
Whatever authentication method you use (or are forced to use), it's always better to have a second one. If a website offers MFA, it's smart to set it up (I can strongly recommend the Authy app for it).
This way, even if your password gets stolen, the hackers will still need more (your phone) to access your account.
4. Other options
There's also such a thing as Hardware Security Modules. Some websites offer login with PGP keys. And there are probably a lot more options, but no time to dive into them right now.
5. Password managers
Let's face it, passwords are still inevitable. Until webmasters stop being so password-centric, we have to keep using passwords if we want to keep using their products.
The best we can do in this situation is to make sure that all of our passwords are strong and unique (so that a hacker who found out our Spotify password can't use it to log in to our bank or email). Of course, nobody can remember tens or hundreds of strong, unique passwords. That's why we have password managers. I can strongly recommend KeePass. Or even saving the passwords in the browser.
Seriously, anything is better than using the same password for some shady forum as you use for your online banking.