It’s 2016, your site/app should not require a password. Use a third party to authenticate your users and make the web a simpler, safer, better place. — It’s 2016; your app should most likely not require a username nor a password. You really should use a third party (email, phone, social) to authenticate your user, and skip the antiquated habit of forcing/allowing users to choose a username & password.