Passwords (still) represent a significant aspect of online security, and one which all too often turns out to be a weak link in the chain. This session covers how passwords are handled in Drupal (and how this has changed over the years). We’ll look at the latest guidelines and best practices for passwords and how modern Drupal sites can implement these. We’ll also consider how bad actors leverage and abuse passwords, and how Drupal can protect against these attacks. Finally we’ll take a look towards a utopian world beyond passwords.