Login Security Demystified

Last update March 17, 2025 (What's new?)

1 Introduction
2 Password strength
3 Password guidelines for users
4 Supplements and alternatives to passwords
5 How passwords are attacked
6 Guidelines for developers
- 6.1 Accepting passwords
- 6.2 Protecting passwords
Frequently Asked Questions (FAQ)

1 Introduction

Pop quiz: Which password is more secure?

A) Mbxsa38!
B) gacrpooofent

The answer is B. Surprised? People think A is more secure because it follows the typical rules for a “strong” password: at least one uppercase and lowercase letter, number, and special character. But the most crucial aspect by far of password security is length. A secure password is hard to guess. Password B is longer than password A, so it takes more tries to guess it, just like it takes more tries to guess a number between one and one hundred than a number between one and ten.

Even though password B is only four characters longer, it isn’t just a hundred times harder to guess, or even a million times harder to guess — it’s 78 million times harder! A cybercriminal using an password cracking system could crack password A in about an hour, but it would take the same system over a thousand years to crack password B.

We all have to use passwords. Over two thirds of the world uses the Internet. The average person has more than one hundred accounts. Unfortunately, the security risk from passwords is getting worse all the time. Around half of the vulnerabilities in cloud services are from weak or missing credentials. Compromised passwords have (perhaps) led to billions of dollars of personal and corporate loss. Reports and numbers vary, but several billion passwords have been stolen and are available on the dark web. If your password is one of those, and you reused it at more than one site (which more than half of us do), your other accounts are at risk.

Most compromised passwords are extracted from data breaches, since too many companies do a bad job of protecting your data and because we humans don’t make strong passwords. But even the strongest password can be pilfered by malware or phishing, which account for billions of stolen passwords.

What to do? Passwords won’t go away any time soon. They’re being slowly surpassed by passkeys, but passkeys aren’t widely supported yet, and many existing passkey implementations are vexingly hard to use. In the meantime, the best way to protect yourself is to use strong passwords and take advantage of additional security measures such as multi-factor authentication.

Even when passkeys become predominant, passwords won’t disappear. They’re simple and universal. When newfangled login methods such as biometrics fail, or hardware security keys are lost, passwords are often still used as a fallback, so strong password security is as important as ever.

2 Password strength

Unfortunately, many people, even supposed experts, don’t understand what makes a password strong or weak. Most of the “how to make a strong password” guides are full of myths and misunderstandings. This section explains the true fundamentals of password strength. Section 3 provides simple guidelines on how to make strong passwords.

Why do we care about strong passwords? To keep the bad guys out. (Section 5 explains how the bad guys get in.) A secure password is one that can’t be cracked by a bad guy.

A strong password is:

Long – 12 characters or more.
Unpredictable – random and hard to guess.
Unique – not reused for your other accounts.
Uncompromised – not on a list of stolen passwords.

A weak password is:

Short.
Predictable – uses typical patterns or words.
Common – the same as other people’s password.
Reused – by you in multiple places.
Previously compromised.

The one rule to rule them all is length. A longer password is a stronger password because it’s harder to crack.

Two combination locks with 2 counters (50 guesses) and 11 counters (50 billion guesses). Attribution: vecteezy.com/members/emiltimplaru

The math works like this: A single digit gives you ten possible values. If you add a second digit, you exponentially increase the possible values: 00, 01, 02, … 10, 11, 12, … 97, 98, 99 for a total of one hundred, which is ten times ten (or 102). If you add a third digit, you get one thousand (103) possible values. The same applies to password made of letters, numbers, and symbols, where a single character has 95 possible values, two characters have 9,025 (952) combinations, three characters have 857,375 (953), and so on. An eight-character password has more than 6 quadrillion variations (6,634,204,312,890,625 or 958), and a twelve-character password has more than 540 sextillion (9512).

Entropy

The length of a password determines its entropy, which is a fancy word for measuring the uncertainty or variability of information given its nature (length, possible variations, and so on; see complexity below). When you use more characters, there are more possible variations, and thus more entropy. For example, you can make ten thousand passwords using four digits (0 through 9), but you can make one hundred million passwords by using eight digits.

The number of different characters allowed in a password also affects entropy. The entropy for a PIN that can only contain digits is much lower than the entropy for a password that can use any of the 95 standard characters: abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789 <space>!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~. Making a PIN one digit longer makes it 10 times harder to guess, whereas making a password one character longer makes it 95 times harder to guess.

When guessing a random value, on average it will be found after guessing half the choices, so we can estimate that a password of length L will take 95L÷2 guesses. (See the guessing game tables below.) However, attackers are smart and start by trying commonly used passwords, frequently used words, and prevalent patterns to speed up the guessing game. Studies often show that knowing common patterns makes it possible to crack thousands or even millions of passwords in a few hours. (See section 5 for more on how passwords are attacked.)

Tables of guessing games vs. computer, with times varying from instantly to 77 million years.

Clearly, length is the key to a strong password. So why do so many services have rules that force you to create “complex” passwords, and why do so many password guides tell you that a “complex” password is a strong password?

Because a) they are sheep (“everyone else does it”), b) they don’t understand security, and c) they succumb to the prescient attacker fallacy, which is the faulty reasoning that an attacker knows how long your password is and what characters you used. Most discussions of password strength say things like “if your password is five numbers it will only take around 50,000 guesses, but if your five-character password contains mixed case, a number, and a special character, it will take over 3 billion guesses.” This completely misses the fact that the attacker doesn’t know what characters you put in your password, so it will always take them over 3 billion tries (if they guess randomly, which they don’t).

This is why “complex” passwords are not meaningfully more secure, and why services that force you to make your password more complex actually make things less secure. When the attacker knows there are restrictions, they can skip billions of guesses. For example, if the attacker knows that you must use at least one number, they won’t try guessing passwords that contain only letters. The typical rule that requires at least one lowercase letter, uppercase letter, digit, and special character in an eight-character password eliminates over three quadrillion passwords, or 54 percent! (See Password Constraints and Their Unintended Security Consequences.)

Venn diagram showing all possible passwords, with a half-size oval inside showing passwords meeting complexity requirements.

On top of this, complexity rules don’t meaningfully improve security, because humans are predictable. Analyzing patterns in cracked passwords shows that when people are required to follow the three-of-four rule (“you must use at least three of the following: uppercase, lowercase, numbers, special characters”), the most popular pattern is one uppercase letter followed by several lowercase letters, then two to four digits (“Spring2024” or “Qwerty123”). When faced with the four-of-four rule they just add a special character to the end, usually “!” (“Qwerty123!”). See Password patterns for more on predictability.

Restrictions merely create a stronger blueprint for predictable passwords.

Remember, the goal is to thwart an attacker who knows all about commonly used passwords and patterns and so-called “complexity”. The trick is to exceed the attacker's crack time threshold, and the best way to do that is with long passwords. In the password guessing game table above, you can see how each time you make a password one character longer it increases guessing time by days, then years, then centuries. This is for random guesses, but the principle holds true for smart guesses. In general, attackers give up after trying 8- to 10-character passwords. A 12-character password is very strong, and anything longer is even better.

Complexity, predictability, and strength

The never-ending quest for strong passwords has produced reams of research, questionable tips for password creation, and pointless password policies. The problems are:

1) Complexity is subjective.

2) Enforcing complexity with password rules doesn’t work.

3) Entropy can be measured in different and sometimes misleading ways.

4) Entropy is a property of the password generation process, not a particular password.

The password “q1w2e3r4t5” looks more complex than “quadcopter5” so it should be a stronger password, right? But “q1w2e3r4t5” is the 19th most common password on Troy Hunt’s top 100,000 password list, whereas “quadcopter5” doesn’t even appear in Troy's list or even in the Weakpass list of two billion words and passwords. The superficially complex “1qaz!qaz” is on the list of known passwords, since it’s a predictable keyboard pattern. Humans are bad at estimating complexity.

The problem with creating “complexity” by using tricks such as substituting numbers for letters, capitalizing random letters, reversing words, and so on, is that password cracking tools know all about these tricks, so they prioritize commonly substituted letters, common positions of special characters, predictable patterns, and so on. (See Password patterns.)

It’s true that adding a special character to a password can make it harder to crack. This is because special characters (other than the popular ones such as “!” and “.”) are less common in passwords, so they are guessed less by attackers. But forcing people to include a special character doesn’t help, because we follow predictable patterns. Watch Michael McIntyre’s hilarious video to see how comedians and password crackers understand the psychology of passwords.

Password requirements, or composition rules, that require numbers and special characters are a misguided attempt to keep users from using bad passwords such as “12345678,” “password,” and “qwertyuiop,” which are so common that attackers try them first. These password policies are intended to enforce complexity. But the 19th-worst password on NordPass’s 2024 list was “P@ssw0rd.” Making a bad password “complex” didn’t help. Rules just create a framework for more predictability.

The essential goal for a password is to be unguessable or unpredictable. Entropy estimates unpredictability. Digging further into information theory, the Shannon entropy of a sequence of values is defined as H(X) = -Σ p(x) log₂p(x), where p(x) is the probability of each value of X, and H ranges from 0 (no change in information, so zero entropy) to 1 (maximum entropy, which indicates least probability). However, the typical measure of password entropy calculates something a bit different: bits of entropy, defined as E = log₂(RL) or the equivalent E = L×log₂(R), where R is the range of possible characters (e.g., 95 ASCII printable characters) and L is the length of the password. Because E is the number of bits, which have only two values (0 and 1), we can use this formula to say that a brute-force attack would require 2E-1 guesses. (Note that you often see 2E, which measures the worst case, but on average a random value is found after half the guesses: 2E÷2 = 2E-1.)

The E = log₂(RL) formula is a simplification that removes p(x) to make the probability of each character the same (e.g., 1 in 95). Of course the actual probabilities are extremely varied in passwords. Common English lowercase letters such as a, e, and i and the numbers 1, 2, and 0 typically have a much higher probability.

To be precise, you can’t measure the entropy of given password. Entropy measures uncertainty, so if you know the password there's no uncertainty to measure. All you can do with a single password is infer the entropy of the relevant password space (the typical set of characters that the password could be made from). For example, the password abcdefghi implies a lowercase character set and a length of nine (42 bits of entropy). The password {\~[|{&* implies 32 special characters and a length of eight (40 bits of entropy). Do you see the problem? Which of these two passwords is more probable?

This is why typical password entropy calculators are misleading. For example, they might tell you that n1*rbA.Q or Wood123! score 52 bits of entropy, so they are “stronger” than !)%^#*}\ or {{{{|||||, which score only 45. But the second two passwords are significantly stronger because a) they have less-probable characters, and b) they have nine characters instead of eight, making them at least 95 times harder to guess in an exhaustive search. (Not to mention that Wood123! will be guessed much sooner because it uses a word and common password patterns.) The second two passwords are extremely improbable, so a simplistic measure of entropy fails to characterize their predictability. The zxcvbn algorithm, which checks more than entropy, does better but still botches the last one. This is not to say that good password strength meters are useless, since they tend to nudge users away from short or common passwords, but there are better options such as simply checking a list of breached passwords (see 6.1). See No Single Silver Bullet: Measuring the Accuracy of Password Strength Meters for further analysis.

Increasing length (L) is more important than expanding range (R). This is especially true because of the prescient attacker fallacy discussed earlier. A password strength meter that concludes “good, you used a number in your password, so you’ve increased the range by 10” is absurd, since the attacker doesn’t know what’s in your password or how long it is.

A strong password is one that won’t be guessed by a search that prioritizes frequently used passwords, characters, words, and patterns. Attackers, particularly the authors of password cracking tools, have analyzed millions of exposed passwords, so they probably have the world’s best understanding of the probabilities of characters and patterns in passwords. They even use Markov models, built from leaked password lists, to generate password guesses in order of predictability. Measuring bits of entropy doesn’t take any of this into account.

All this leads to a few conclusions:

1) The most meaningful measure of “complexity” for passwords is “difficulty to crack.”

2) “Difficult to crack” means unpredictable — not matching typical passwords or patterns.

3) Bits of entropy is a useless and misleading measure of password strength.

4) Entropy is more accurately calculated in other ways, such as by assigning a probability to each character (e.g., with Markov models) or associating probabilities with parts of passwords (with something like PCFG).

Clearly, the strongest passwords of a given length would contain only symbols, but those are the hardest to remember, and in any case most websites won’t let you enter all symbols.

It all comes back to the core point about length. You can spend time coming up with a slightly better password by fiddling with numbers and symbols, or you can just make it a few characters longer and it will be much stronger. Or you can use a password manager that will generate long, unpredictable passwords and remember them for you.

3 Password guidelines for users

3.1 There are only three important guidelines:

1) Make it long. Make it as long as you reasonably can, partly depending on how often you’ll need to remember it and type it in, but at least 12 characters long. If it helps, use the National Cyber Security Centre’s approach and make a passphrase from three random words you’ll remember.

2) Make it unique. Don’t use a password on one of the common password lists. Attackers use a technique called password spraying, where they get leaked usernames and try them with common passwords. Check password uniqueness at Have I Been Pwned.

3) Don’t reuse it. Don’t use the same password for more than one important account. Attackers use a technique called credential stuffing, where they take your username and password stolen from one site and try it on hundreds of other sites. Of course it’s hard to keep track of more than 150 passwords, which is the average. Some research suggests its beneficial to reuse passwords at low-value sites to reduce memory overload. Or you might want to use a core password with variations to help with this. Choose a strong (long) password and then add something to it that you’ll remember for each different website.

A password manager will automatically do all this for you.

3.2 Common additional tips (that aren’t as important):

1) Don’t include personal or familiar information such as a date, name, email address, city, etc. This helps with brute force attacks (which use dictionaries of words, names, cities, dates, etc.), and it might prevent someone who knows you or can see your social media pages from guessing your password.

2) Don’t include words in a short password, but feel free to use words in a long password, often called a passphrase. As pointed out by XKCD, the entropy of a long passphrase is vastly better than a typical password, and it’s easier to remember. However, password cracking tools prioritize guesses based on dictionary words, so if your password is less than 14 or so characters, don’t put words in it.

3) Use symbols, uppercase and lowercase letters, and numbers. You might need to do this because of draconian password rules at websites that don’t understand password security, but otherwise, using a variety of characters only makes your password a little bit stronger (see note above).

3.3 Ignore common but mostly useless guidelines:

1) Don’t “use leet substitution.” “Pa$$w0rd” or “@dm1n” is barely more secure than “password” or “admin.” Password cracking tools have already analyzed the leet patterns in compromised password lists and incorporated them into their algorithms. (See Leet Usage and Its Effect on Password Security).

2) Don’t “make your password complex” by reversing words (“drowssap”) using numbers or single letters for words (8 for “ate” or U for “you), random capitalization (“DroWssAp”), condensing phrases to initial letters (“Il2EgP” from “I like to eat green peas”), and so on. This faux complexity gives you a false sense of security.

3) There’s no need to “change your password regularly.” Unless you know that a security breach has exposed your password, don’t bother changing it. It just eats up your time and adds to your mental load. It takes less time to visit Have I Been Pwned to see if your password has been compromised, and only then change it.

4) Don’t diddle with “Diceware to generate passphrases.” Some people swear by Diceware, but are you going to remember a randomly generated set of strange words such as “dobbs bureau valeur flash ababa synod”? And are you going to roll a die thirty times whenever you need a new password? The underlying concept of random, six-word passphrases is great, giving an average password length of 30 characters from the Diceware word list, but the process is too cumbersome. Maybe for just your most critical accounts. Better yet, follow the National Cyber Security Centre’s advice and make a passphrase from three or more random words you’ll actually remember.

3.4 Padding

An interesting suggestion from Steve Gibson is to strengthen passwords by padding them with sets of characters that are easy to remember and easy to type. His example takes the incredibly weak password “D0g” and adds 21 periods. As he explains, “D0g.....................” is stronger than “PrXyc.N(n4k77#L!eVdAfp9” because it’s one character longer, making it approximately 95 times harder to guess. This is a good way to meet guideline #1 above: make it long. You can come up with your own variations such as “((((((password))))))”, “////pass////word////” (preferably without actual words), and so on.

3.5 (Un)security questions

Every expert agrees that security questions are a bad idea. Many accounts have been compromised through password recovery questions. Some answers are very popular (around 30 percent of people worldwide say blue is their favorite color and around 20 percent of Americans say pizza is their favorite food), questions and answers tend to be repeated across accounts, and unencrypted answers are often revealed in data breaches.

Someone targeting your account may be able to dig up enough information about you (your hometown, the street you grew up on, schools you attended, where you got married, etc.) to answer recovery questions. Pew Research shows that 37 percent of Americans have never moved from their hometown.

If security questions are optional, leave them blank. If you are forced to answer them, obfuscate your answers and make them different for each website. For example, even if your “favorite food” is pizza, you could answer “pizpizPayP” for PayPal and “pizpizBoA” for Bank of America. (Not that these specific services are foolish enough to use secret questions, but you get the point.) Some services require multiple questions and don’t let you use the same answer, so you could answer “MyMotherIsACar_drycln_school,” “MyMotherIsACar_drycln_pet,” “MyMotherIsACar_drycln_job” for questions that your dry cleaner’s website asks about your high school, pet, and first job. (See NordVPN’s Which security questions are good and bad? for more suggestions, keeping mind that all security questions are bad.)

3.6 Writing down passwords

It's fine (really!) to write your passwords down, just keep the list secure, such as in a locked drawer or secret location. If recording your passwords makes it easier for you to remember long, strong ones, then by all means do it. Or use a password manager. Just don’t write them on sticky notes scattered around your desk.

If you keep the list on a computer or phone, make sure it’s protected by a unique and extra-long password. There are various ways to protect a list on your computer or phone. Apple Notes and Windows OneNote let you password-protect a note. You can keep a file safely in Apple iCloud, but make sure your AppleID password is very strong. A password-protected Zip file works almost anywhere. Microsoft OneDrive includes a "personal vault" to securely store files. The Apple Disk Utility lets you create a password-protected disk image. In Windows Pro you can encrypt a folder.

On the “we’d rather not think about this but it’s practical” side, someday you will die, and your loved ones may desperately need to access your important bank accounts, brokerage accounts, cryptocurrency keys, etc. so it’s a good idea to give your list of passwords to a trusted person or two.

4 Supplements and alternatives to passwords

Security experts all agree that passwords are not secure. If everyone created very strong passwords and remembered them, it wouldn’t be so bad, but we know most people are bad at coming up with good passwords. Passwords are based on a person remembering a secret, but the more secure a password is, the harder it is to remember it. Passwords can be shared, guessed, stolen, and cracked. Computers get faster every year, making it easier to crack passwords. Quantum computing is just around the corner, and it will make password cracking exponentially easier. The only way services you log into can check your password is by storing a scrambled version of your password, and although there are robust techniques to protect password data, too many services don’t guard them properly. Last but not least, passwords are a pain to type in, although password managers help with this.

There are various approaches and industry initiatives to move beyond passwords with more secure alternatives, but they all have drawbacks when compared to the simplicity of storing passwords in your brain. Most alternatives rely on a physical device (such as a computer to respond to an email or a mobile phone to check your fingerprint), so if the device is not available or not working, you’re either locked out or you have to use a workaround.

Some approaches add a second layer of security on top of a password. Because there are two or more factors, the password and an additional step or two, this is called multi-factor authentication (MFA).

Another approach is passwordless authentication. Some methods are kludgy, like e-mail based “magic links,” and other methods such as such as passkeys are secure and starting to be embraced. Some passwordless authentication for websites has you respond to a prompt on your phone or tablet. Apple and Google have built this into their phones. Other companies such as credit card services use their own app. The biggest problem with this approach is that each implementation is proprietary, nothing is consistent, and you may not have the right app installed. Passkeys will probably replace and simplify this passwordless patchwork.

Passwords will likely never go away, but over time we’ll see new authentication techniques be more widely used.

The rest of this section covers the most common additions and replacements to passwords.

4.1 Password managers

A password manager is software that generates passwords for you and automatically enters them as needed, so you don’t have to remember them or type them. Most modern browsers have a built-in password manager to remember your existing passwords and to suggest new ones for you. Many people don’t realize that when they visit a website and their username and password are filled out for them, it’s the browser doing it, not the website.

Screenshots of Apple Safari and Google Chrome browsers asking to save a password.

Alternatively, dedicated password manager applications can be installed on computers and phones, can work across multiple browsers and devices, and can often store other information such as credit cards.

Advantages of password managers:

Strong passwords – Password managers create strong (long, unique, and unpredictable) passwords.
No memorization – You only need one, strong password for the password manager, which protects all your other passwords. You no longer have to reset passwords that you forgot.
Autofill – Your usernames and passwords are automatically typed for you.
Reduce error – No wrong password problems.
Phishing protection – Passwords are associated with only one URL, so if you are tricked onto a fake website, the password manager won’t enter your password for an attacker to steal.
Support for passkeys – Many password managers can manage your passkeys.
Breach notification – Some password managers have a service to notify you if your username or password is leaked in a data breach.
Secure storage – Passwords are strongly encrypted and protected with a master password and often a second factor.
One-time passwords – Some password managers can generate one-time passwords (OTPs) and autofill them.
Sharing – Some password managers allow you to securely share your password with someone using the same password manager. (Of course, this is only a good idea if the password is for a shared account.)
Info vault – Some password managers can securely store additional information such as credit cards, account numbers, answers to password recovery questions (which can be deliberately wrong to increase your security), personal information, and even files.
Corporate deployment – A few password managers allow an organization to centrally manage employee passwords.

Disadvantages of password managers:

Single point of failure – Password managers don’t store your master password for security reasons. You have to know it. Some give you a recovery method. If you lose your master password and recovery info, there is no way to recover your passwords.
Incompatibility – Password managers don’t work with many apps and devices (such as smart TVs), and might not work on some websites, in which case you must manually enter a very long and complicated password after looking it up in your password manager.
Unavailable on non-owned devices – If you want to use someone else’s computer or phone, or a public computer, your password manager is not there to log you in. If the password manager is available on another device you have with you, such as your phone, you can look up the password and type it in, but this is cumbersome and could expose you to a phishing attack.
Cost – Some are free, including those built into browsers, but the better ones require purchase or subscription.
Complicated – Some password managers may be a little tricky to learn and use.
Attackable – Password managers can be hacked, especially if your device is infected with malware. Breaches of encrypted password manager data in the cloud are unlikely but have happened (also see Password Managers Hacked: A Comprehensive Overview).
Loss of control – Your passwords are controlled by a company, not you. They’re usually stored in the cloud, where you have no control over their security. (There are a couple of password managers that give you control over your passwords.)
Legacy insecure passwords – Research shows that almost half the users of password managers don’t use the secure password generation feature, and instead load in their old, insecure passwords. This isn’t the fault of the password manager, but it creates a false sense of security.
Unavailability – If the password manager service can’t be reached, or the software fails, you might not be able to access your passwords.
Phishable – Password managers prevent phishing for site-specific passwords by refusing to enter them into the wrong website, although the auto-fill feature of some password managers has been fooled by hidden forms or iframes. However, you could be lured to a fake app or website that looks like your password manager, where you enter your master password and give the attacker access to all your passwords. (Which is why you should always use MFA or a passkey to protect your master password.) (See 5.3 for more on phishing.)
Password mismatch – Some websites may appear to accept a password but internally strip characters or truncate to a maximum length, so the generated password doesn’t work, and your next login attempt fails.

4.2 Multi-factor authentication

A factor is way of confirming your identity. The most common factor is a password. The three primary factors are:

Something you know (knowledge) – unique information such as a password, pin, or unlock pattern.
Something you have (possession) – a phone app, a text message, an email message, a USB key, or such.
Something you are (inherence) – a physical characteristic or biometric such as your fingerprint, face, retina, or voice.

Two additional factors are sometimes employed:

Somewhere you are (location) – at your home, in your car, at the office, or so on.
Something you do (behavior) – the rhythm of your typing (keystroke dynamics), the way you tend to move a mouse or interact with a touchscreen, or so on. Note that unlike biometrics, a behavioral factor is dynamic and can change over time.

Multi-factor authentication (MFA) means you are asked for two or more factors to provide extra security, like being required to provide a photo ID and a birth certificate when applying for a passport. The first factor is usually a password, but any combination of factors could be used. When there are two factors it’s often called two-factor authentication (2FA).

The obvious advantage of using MFA is improved security. MFA reduces the risk of account compromise by over 99 percent, even if your password is cracked and leaked. The obvious disadvantage is inconvenience. Studies indicate that around 60 percent of companies globally use MFA. The primary reason cited for not using MFA is inconvenience.

The strongest authentication factor is biometrics, measuring unique personal characteristics or behaviors that can’t be shared or mimicked. Biometrics are often the simplest, quickest, and least disruptive. You just look at a camera or touch a screen.

The second strongest factor is device possession, which obviously requires you to have a device, typically a phone.

Additional common authentication factors are:

Text message – see 4.3
Email – see 4.4
Phone call
Software authenticator – see 4.5
Hardware security key – see 4.6
Phone app (where you confirm to the service’s app that you’re trying to log in on a computer)

Part of the reason passkeys are so secure is they require device possession and often include biometrics. (See Are passkeys MFA? for more.)

2FA Directory helps you check what kinds of 2FA a website supports.

4.3 Text message authentication

Instead of entering a password, or as a second factor in addition to a password, you receive a text message at your verified mobile phone number with a one-time code that you type (or copy/paste) into the login screen. This is the most implemented second factor. It’s often called SMS authentication but can use any mobile messaging protocol such as SMS (Short Message Service), MMS (Multimedia Messaging Service), RCS (Rich Communication Services), or Apple iMessage.

Advantages of text-based authentication:

Fast delivery – text messages are usually delivered within seconds.
Widely available – over 90 percent of Internet users have a phone.
Relatively easy to use – you must check your phone and type or copy a code, but you don’t have to set up another authentication device.
Relatively simple for a service to implement.
Marketing potential – for a service, this creates an opportunity to get phone numbers.

Disadvantages of text-based authentication:

Vulnerable to phishing – a fraudulent party may try to get you to reveal the code.
Not fully secure – SMS and MMS text messages are not encrypted; however, the risk from SIM swapping is highly overrated, see note below.
Reliance on a mobile device and network – if you don’t have access to your phone, or you’re in a place where there is no mobile service, you may not be able to log in or may have to resort to a more roundabout method.
You may be uncomfortable giving out your phone number, which may be abused by the service
Some sensitive environments don’t allow mobile devices.

Is SMS insecure?

Every week, another consumer magazine or Internet blog has an article about the dangers of SMS multi-factor authentication. They warn you about SIM swapping or SIM hijacking, where an attacker convinces a support person at your mobile phone company to transfer your number to the attacker’s SIM (see 5.5.) The writers toss out scary statistics like “the FBI reported that SIM swapping increased more than 400 percent from 2018 to 2021” (without mentioning that it went down 33 percent in 2023).

Let’s look at this in context. In 2023, the FBI’s Internet Crime Complaint Center (IC3) received 1,075 reports of SIM swapping. This represents less than 0.2 percent of the 690,000 complaints the IC3 received about Internet crimes such as phishing/spoofing (43 percent), data breach (8 percent), and identity theft (3 percent). It also represents only 0.0003 percent of the 311 million mobile phones in the US. That’s one in 3 million. Even if only 20 percent of SIM swaps were reported, this means there’s a tiny one-in-64,000 chance (0.0016%) that you might be the victim of a SIM swap.

Note: SIM swapping works the same whether your have a physical SIM or an eSIM. An eSIM does prevent someone from taking the SIM out of your phone to put in theirs.

The articles also caution you that SMS text messages are not encrypted (although RCS and Apple iMessage texts are), so they could be intercepted without a SIM swap. But guess what? They’re almost never intercepted because it’s too much work for attackers to be near you with cell site simulators other approaches as they simultaneously initiate a 2FA login on your account. An attacker can try to trick you into installing malware) on your phone so they can peek at incoming SMS messages, but if you have malware on your phone, you have bigger problems.

Bottom line: The minor security risks of SMS are vastly outweighed by the improved security of using SMS as a second authentication factor. Don’t let FUD and media hype deter you from using SMS for multifactor authentication.

4.4 Email authentication

Instead of entering a password, or as a second factor in addition to a password, you receive a message sent to your verified email address. The email contains either a code (a sequence of letters and/or numbers) or a link (a web URL, sometimes called a “magic link”) with a code embedded in it. These are usually one-time codes, which means they expire after a short period of time, and once you use them, they don’t work again. (This is for security, so that if someone gets into your email they can’t log in to your accounts using old email messages.) When there’s a human-readable code, you type (or copy/paste) it into the login screen. When there’s a link, you click or tap on the link to log in.

Advantages of email-based authentication:

Widely available – Over 90 percent of the world uses email.
Resistant to phishing – when a link is used instead of a code. A fraudster on the phone can’t ask you to tell them the contents of the link, since it’s rather long. Although they could ask you to text or email it.
Relatively easy to use – You must open an email app but don’t need to have a phone or another authentication device.
More secure – One-time codes or links can’t be re-used. Can replace passwords, which could be cracked).
Reduces memory load – You don’t have to remember a password.
Customers may be more comfortable providing their email address than their phone number (e.g., for text-based authentication)
Inexpensive or free – Avoids the possible charge of receiving a text message.
Simple for a service to implement – Cheaper than sending text messages
Marketing potential (for the service, it creates an opportunity to get customers’ e-mail addresses)

Disadvantages of email-based authentication:

Vulnerable to phishing – when a code is used instead of a link, a fraudulent party can try to get you to check your email and share the code.
Low security – If an attacker compromises your email address, they can attempt to take over your accounts using email authentication.
Inconvenient – You have to check email. There may be a delay in receiving the email or it may get lost. You may have to switch between desktop and phone if you’re logging in on one device but get your email on a different device.
Can be mistaken for spam – You must take extra time checking your junk mail folder. Strong spam filters may block you from accessing the authentication email at all.
Relies on email – If you can’t access your email, you may not be able to log in or may have to resort to a more roundabout method.
Marketing – You are required to provide your email address, which may be abused by the service.

Note to developers

Email authentication is dreadful when implemented instead of password authentication. If you replace password login with “magic link” email login as the only option, you are forcing your customers —who might have very strong passwords— to do the following:

Switch to an email app, possibly on another device.
Wait for an email to appear (maybe for a short time; maybe for a long time; maybe until your customer realizes the email got lost and they have to start over).
Check the spam folder if the email doesn’t show up (perhaps read your instructions to add you to their “allow list,” which they probably don’t even understand).
Find the link in the email and select it, which opens a new browser window, leaving the first window abandoned.
Usually lose the flow of what they were doing (e.g., visiting a specific page of your website, following a notification to open your app, etc., especially if you don’t include a bookmark in your URL).

This creates so much friction that some customers will simply disengage. It provides a slight security increase in exchange for significant hassle. Don’t do it. If your boss or marketing people think you must have a shiny new magic link, at the very least offer password login as an alternative.

4.5 OTP software authenticators

A software authenticator app shows short codes that you type in as second login step. The code, usually six digits, is a time-based, one-time password (TOTP), which changes every 30 seconds or so. Many software authenticators run only on mobile phones or tablets, but the code can be typed in on a computer.

Screenshots of setting up OTP, an authenticator screen, and logging in using OTP.

There’s a one-time setup process, where the authenticator app talks to the service that you want to log into and receives a shared secret key, or seed, often via scanning a QR code. After that, the app displays the current authentication code for each registered service, based on the current time. When you log in to a service, you check the authenticator app and type the current authentication code. The service generates its own code based on the secret key and the current time. If the two codes match, then you are authenticated.

A software authenticator is sometimes called a soft token or a software-based code generator. Popular software authenticators include Apple Authenticator, Authy, Google Authenticator, Microsoft Authenticator, Duo Mobile, Aegis Authenticator, and 2FSA. Most password managers (see 4.1) have a built-in OTP authenticator.

Most software authenticators provide encrypted backups or exports that make it easy to move to a new phone or another device. However, some backups/exports can’t be moved between different types of devices, such as Android and iPhone.

Some software authenticators also support HOTP (hash-based message authentication code [HMAC]-based one-time password, commonly called event-based OTP), where the code changes each time there’s a new login instead of every 30 seconds or so. HOTP is not as common as TOTP.

Software authenticators are being superseded by passkeys, which don’t require looking up numbers and typing or copying/pasting them.

Advantages of software authenticators:

Secure – One-time passwords can be used only once, and time-based passwords change frequently, reducing the window of attack.
No Internet connection is needed – After the initial setup, the codes can be generated and used offline.
Simple – Setup is usually easy, often only requiring you to use the authenticator app to scan a QR code presented by the service. Entering a six-digit code is not too difficult.
Free for users to install.
Relatively inexpensive for implementers to support.

Disadvantages of software authenticators:

Vulnerable to phishing – Attackers can try to fool you into telling them the code or entering it into a malicious website.
Vulnerable to attack – The key is a shared secret stored in the authenticator and at the service. If the key is stolen from the service, or if your computer or phone is compromised or stolen, legitimate codes could be generated.
Third-party trust – TOTPs add another step between you and the service you’re logging into, requiring you to trust the third party to be secure.
Inconvenient – Requires you to open and use an application, usually on a mobile phone, and type or paste a code.
Additional point of failure – If the app doesn’t work or the phone is not available, you may not be able to log in, or you’ll have to use an alternative login. If you get a new phone and don't have a backup of your MFA accounts, you'll have to redo everything.
Could be prohibited – Some sensitive environments don’t allow mobile devices.

4.6 Hardware security keys

Note to readers: Unless your company requires you to use a hardware key, or you’re a security fanatic, you should skip this section. It gets rather complicated.

A hardware security key (alternatively called a hardware authenticator, hardware token, FIDO key, OATH key, OTP token, or hardware-based code generator) is a thumb-sized or credit card-sized device that stores cryptographic keys as part of a second login factor or in place of a password. In some cases, it’s a secure chip built into your phone or computer instead of an external device.

There are three main protocols used by hardware authenticators:

OATH (TOTP and/or HOTP) – The hardware equivalent of a (software authenticator, where the device generates one-time password (OTP), usually six digits. This is the least secure of the three. See 4.6.1 for details.
(Note: this is more precisely an OTP authenticator, which is different from a FIDO authenticator, which uses public/private keys.)
FIDO U2F/CTAP1 – A standard interface for connecting to compatible browsers and operating systems over USB, NFC, or Bluetooth to provide a second login factor using public/private keys. See 4.6.2 for details.
FIDO2 – A standard for passwordless authentication using passkeys that can be stored in a hardware security key. FIDO2 is the most secure of these three protocols. See 4.8 for more on passkeys.

Many hardware keys support all three protocols. Some hardware security keys support additional protocols such as PIV/FIPS 201 for smart cards, OpenPGP, and Yubico OTP, but these are less common and not currently covered here.

There are four common ways for hardware keys to connect:

USB – You plug the hardware key into a USB port on your computer or phone.
NFC – The hardware key uses wireless NFC (near-field communications; the same technology used for tap-to-pay) to send a login code to your phone, tablet, or (rarely) computer.
Bluetooth – The hardware key uses wireless Bluetooth to send a login code to your phone, tablet, or (rarely) computer. In some cases, your phone can act as a hardware security key using Bluetooth.
Display – The hardware key displays the one-time code on its built-in screen for you to type into the login page. This only applies to TOTP and HOTP.

Hardware security keys are becoming less common now that modern phones can use passkeys for more secure and passwordless login, except in cases where high security is needed.

Hardware security keys are often centrally deployed by large companies.

Common devices include the Yubico Security Key or YubiKey, Google Titan, Deepnet SafeKey or SafeID, HID Crescendo, Kensington VeriMark, Nitrokey, SoloKey, Feitian OTP, RSA SecurID, Symantex Vip, Thales eToken Pass, and Vasco Digipass Go.

Standards

OATH-TOTP and OATH-HOTP specifications for one-time passwords were defined by the Initiative for Open Authentication (OATH).

The FIDO2 group of specifications from the Fast Identity Online Alliance and the World Wide Web Consortium (W3C) defines a modern standard for passwordless authentication. It includes the Web Authentication (WebAuthn) specification from W3C and the Client to Authenticator Protocol (CTAP2) specification from the FIDO Alliance. (Note that there isn’t a single FIDO2 specification document.) Passkeys use FIDO2.

The older FIDO (or FIDO1) includes the Universal 2nd Factor (U2F) specification, which was renamed Client to Authenticator Protocol 1 (CTAP1) and superseded by CTAP2, although it’s still frequently called U2F.

See FIDO Authentication Guide: FIDO, Passkey, WebAuthn & Implementation Best Practices and The Ultimate Guide to FIDO2 and WebAuthn Terminology for more fun with specs and jargon.

4.6.1 OATH OTP hardware security key

An OATH hardware key (also called an OATH token, OTP token, or OTP generator) is the hardware equivalent of a software authenticator that generates one-time codes (OTPs), usually six digits, that you enter during the login process. The primary advantage of a hardware authenticator is that it’s more secure than a software authenticator, and a single hardware key can easily be used across multiple devices (laptop, phone, tablet, etc.).

Some OATH hardware keys show the code on a built-in display. Others don’t have a display, so they rely on authenticator software installed on your phone or computer to retrieve the codes from the hardware key and show them. Some authenticator apps can automatically type the code into a login page. Note: Don’t confuse a hardware key’s associated software authenticator with the software-only authenticator described in 4.5.

There are two OTP protocols: TOTP (time-based one-time password) and HOTP (hash-based message authentication code [HMAC]-based one-time password, commonly called event-based OTP). TOTP is more popular, although many hardware tokens support both.

There’s a one-time enrollment process, where you connect to a service’s website or app and choose the option to use an OATH TOTP or HOTP security key for authentication (or choose the generic “authenticator” option). You need to get the shared secret key or seed from the service, usually by scanning a QR code or by typing (or copying/pasting) the secret key that the service shows you. (Some hardware keys are preprogrammed with one or more seeds, so they must be specially configured.) You edit or type a name to identify the service (e.g., Google, Facebook, My Bank, etc.) so you can find the right OTP code later, if you use multiple services.

Once the device has the secret key, it feeds it into a cryptographic algorithm to generate a one-time code based on the current time (for TOTP) or the time that has elapsed since the enrollment process started (HOTP). You enter the code on the setup screen so the service can make sure it matches the code it generated from its own copy of the secret key.

From then on, each time you want to log in, you insert the hardware key (if it’s USB) or hold it near your computer or phone (if it’s NFC or Bluetooth) and perhaps tap a spot or press a button to see the current list of codes, each identified by the name you gave it. Some hardware keys have a fingerprint reader or a keypad to enter a PIN for added security, or the associated authenticator software may give you the option to add a password for the key.

4.6.2 FIDO U2F hardware security key

A U2F security key (or FIDO key or OTP token) plugs into a USB port on your computer or phone, or uses wireless NFC (near-field communication) or BLE (Bluetooth low energy) to respond to a login request by sending an encrypted message through your computer, phone, or tablet to the service you’re logging into.

There’s a one-time enrollment process, where you connect to service’s website or app and choose the option to use a security key for authentication. For a USB key, you’re prompted to plug it in and usually tap a spot or press a button on the device. For a wireless key (NFC or BLE), you may be prompted to tap it against your phone or computer and tap a spot or press a button on the key. Some hardware keys have a fingerprint reader or a keypad to enter a PIN for added security. You are usually prompted to enter a name for the service so you can select it later when logging in. A public/private key pair is generated, the private key is securely stored in the hardware key, and the public key is sent to the website or app. (See note for more.)

4.6.3 Advantages and disadvantages

General advantages of hardware security keys:

Physical factor - You have to possess the device to log in, reducing the risk of unauthorized use.
No Internet connection is needed – After the initial setup, the codes can be generated and used offline.
Simple to use, although enrollment can be confusing.
Many support all three protocols: OATH, FIDO U2F, and FIDO2 (passkeys).

Advantages of OATH (generating an OTP):

More secure than software authenticators, since the secret key (seed) is stored in tamper-resistant hardware that’s difficult to hack.
One-time passwords can only be used once, and time-based passwords change frequently, reducing the window of attack.

Advantages of FIDO U2F and FIDO2 (using USB, NFC, or Bluetooth to send code):

More secure than software authenticators, since they use private keys that are stored in tamper-resistant hardware that’s hard to hack, and the service only has the public key.
Immune to phishing – You don’t see the login code sent by the device, so you can’t be tricked into giving it out.

General disadvantages of hardware security keys:

Limited number of accounts – Some older or simpler hardware keys can only support one account. Others can store 10, 30, or more than 100.
Can only be used as a second login factor, not for passwordless login.
Can be lost or stolen – potentially allowing unauthorized access (if your password is also compromised) until the old device is revoked at every service.
Can break – Most are rugged, but they can be run over, dropped (especially bad if plugged into a laptop or phone that lands key side down), overheated, or just quit working.
Inconvenient – You have to carry a hardware device. USB-only versions must be plugged in. If the device doesn’t work or is not available, you may not be able to log in. If the device is lost or stolen, you must revoke it at every service and reregister with a new device.
USB-only keys don’t work with many phones.
Don't work everywhre – May not be supported by your computer or by the service doing the authentication. In some cases, you might need different hardware keys for different services.
Typically cost USD $20 to $95.
Deploying and managing devices for a large group of users can be complex and time-consuming.

Disadvantages of OATH (generating an OTP):

Hardware keys without a display require you to download and install software. The software interface can be confusing.
Vulnerable to phishing – An attacker can try to fool you into revealing the code (see 5.3).
Shared secret – The key is stored in the authenticator and at the service. If the key is stolen from the device (unlikely) or the service (more likely), legitimate codes can be generated.

4.7 Biometrics

Biometrics (“life measurements”) are a way to recognize a person based on their unique physical characteristics such as fingerprint, voice, iris, or behavior (e.g., unique patterns in the way they type, speak, walk, move a mouse, and so on.) For authentication, biometrics are the “something you are” or “something you do” factor.

In general, especially with modern mobile phones, biometric authentication using fingerprint or face recognition is more secure than a password. Because biometrics are typically a very secure factor, they’re sometimes used alone, without a second factor.

In almost all cases, part of what makes biometrics secure is that your biometric data is not shared or sent anywhere, or even stored in the device. The fingerprint image or face scan is transformed into a simple but still unique value, typically by hashing, which can be easily checked by the local device. The device then authorizes unlocking or sending an authentication key to the service you’re logging into. (See 4.8 for how this works with passkeys.)

Consider the keys to strength from section 2. A biometric hash is long (usually 32 bytes) and therefore hard to guess, it’s unique (it only matches you), it can’t be reused or stolen from a service (since it’s stored only on your device). On top of that, it’s resistant to phishing (you can’t tell it to someone or enter it into a fake website).

Tech noteSimple biometric implementations such as a single-lens camera are not very secure, as they can be fooled by a picture. Fingerprint sensors are relatively secure, but suffer from problems such as moisture, dirt, scars, gloves, and people with smooth fingerprint ridges (like Jim’s wife and former mafia members). More sophisticated face ID systems such as those from Apple and Google use multiple cameras, near-infrared emitters, liveness detection (making sure your eyes are moving, blinking, etc.), and other techniques to make them reliable and secure.

Still, biometric devices can sometimes be tricked. Law enforcement may force you to unlock with your face or fingerprint. And there's a grain of truth in TV scenes where a dead face or a severed finger is used.

4.8 Passkeys

In a future utopia, we’ll use passkeys everywhere instead of passwords and other login mechanisms. A passkey is essentially a secret code, securely stored on your phone or computer, that logs you into a website or app. When you’re presented with the option to “use a passkey,” you (usually) don’t need to enter a username or password — you just take the usual step to unlock your device with your fingerprint, face, PIN, or pattern. If your passkeys are stored on your phone but you’re logging into a website or app on your computer, you confirm on your phone, wirelessly or by scanning a barcode, and your phone tells your computer to let you in.

Diagram: Sign in with your passkey. Three options: "This device," "Pixel," "iPhone, iPad, or Android device"

Passkeys were developed around 2018, and began to be adopted in 2022, in an attempt to deal with all the password problems discussed above: weak and predictable passwords, password reuse, breaches of stored passwords, human error, phishing attacks, overload from dealing with too many passwords, and so on.

The important difference with passkeys is that you never know them: you don’t think them up, you don’t have to remember them, and you don’t type them. Instead, you use software or hardware that manages the passkeys for you.

A passkey involves two factors — a device and an unlock step, so they can be used instead of passwords and second authentication factors such as a text message or email. (See Are passkeys MFA?)

Passkeys are more secure than passwords and most other login methods, and in some cases they’re simpler and faster, but unfortunately many passkey implementations are complex and confusing (see Passkeys Remystified - coming soon). Many websites and apps don’t support passkeys. Poorly implemented applications may use a passkey and still require a password. Password-free utopia is still many years away.

Passkeys use the more modern approach of public/private encryption in place of the less-secure shared-secret approach used by passwords and OTP authenticators (see 4.5 and 4.6). In simple terms, when you first set up a passkey to log in to a service, your device generates a private key that it keeps and a public key that it gives to the service. After that, when you want to log in, the service doesn’t ask for your username and password, instead it sends a message to your device asking it to authenticate that it’s you. Your device checks that it actually is you (scans your fingerprint or your smiling face, requires you to enter your unlock pattern, etc.), then signs the message (by encrypting it with the private key) and sends it back to the service, which verifies the signed message (by checking that your public key correctly decrypts the message), which proves it’s you trying to log in. Since the private key is never sent to service, it can’t be stolen. You don’t know the private key, so you can’t mistakenly give it to someone who’s pretending to be a legitimate service (i.e., you are invulnerable to phishing attacks). And it’s almost impossible to guess. (Using only 1024 bits results in more possible keys than there are atoms in the universe. In fact, if you squared the number of atoms in the universe, resulting in a mind-bogglingly huge number with over 150 zeros, it would still be way smaller than the number of possible keys.)

Public/private keys

Imagine you’re a kid and you want to join a secret club with other kids. The club originally used a secret knock for getting into the clubhouse, but somebody spilled the beans and non-members were getting in. (It’s a large club, so members don’t all know each other.) A few of the brainy kids came up with a new system. To be initiated, you visit the club captain, who directs you to a bin holding pairs of pens and flashlights and tells you to reach in and pull out a pair. Each pen writes in a specific invisible ink, and each corresponding flashlight reveals only that specific ink. The captain tells you to hold on to the pen, which will be your access to the club, and to keep it private and secret; never let anyone else have it. You give the flashlight to the captain, who puts it into a cubbyhole in the wall and writes your name on it.

From then on, each time you visit the clubhouse, you request entry by telling the doorkeeper your name. The doorkeeper writes a message on a piece of paper and slides it through a slot in the door. You use your invisible-ink pen to scribble something over the top of the message and slide the paper back through the slot. (It doesn’t matter what the message is, as long as it’s something unique the doorkeeper will recognize a few minutes later—perhaps the word of the day or the date and time. This ensures that someone can’t come along later and re-use an earlier paper. It also doesn’t matter what you write. It could be your signature or a cartoon of your dog. The important thing is that you have added your unique ink to the message.) The doorkeeper retrieves your flashlight from your cubby and shines it on the paper, which makes your writing appear on top of his message. Since your flashlight is the only one that can reveal your secret ink, you have proved that you’re a member.

In this analogy the pen is your private key, and the flashlight is your public key. It’s “public” because it’s in a cubbyhole in the club where anyone could take it, but it wouldn’t do them any good since it only works with your ink. If someone came to the clubhouse door pretending to be you, they wouldn’t have your pen, so even if they wrote a message with different invisible ink, it wouldn’t show up under your flashlight. If you lost your pen or someone stole it, you’d have to go back to the club captain and get a new pen and flashlight.

Why is this a good approach? It’s better than a secret knock or your own secret password, which could be overheard, stolen from the list at the club, or perhaps guessed. The key difference is that to verify a secret knock or password, the doorkeeper has to know it, but with a public/private key pair, no one ever knows your private key. This approach also has other valuable uses, such as sending secure messages. This is done by reversing the process to have a set of public pens and private flashlights (instead of private pens and public flashlights), so a club member can write a private message for your eyes only by using the (public) invisible-ink pen from your cubby. They can leave the message anywhere since you are the only one able to reveal the ink with your (private) flashlight. Again, the important difference from traditional encrypted messaging is that the sender doesn’t need your private key to encode the message. Because only you have the private key, it’s impossible for anyone (other than you) to compromise it.

This approach is called public key cryptography, or public key infrastructure (PKI, which more precisely refers to the tools and techniques used to implement public key cryptography). A message can be made secret by encrypting it with a public key so that only the party with the corresponding private key can decrypt and read it. Conversely, authentication (verifying that someone is who they say they are or have certain permissions) is accomplished by encrypting, or signing, an arbitrary message with a private key (which only the authorized signer has) so that only the corresponding public key can decrypt the message, allowing anyone with the public key to verify it.

Importantly, public/private keys give you control of your security. If a service does a bad job of protecting your password, you can be compromised through no fault of your own. But since a service only ever has your public key, then regardless of what it does with your public key, your private key is still safe.

Diagram showing the steps of registering and logging in with public/private keys, compared to the club analogy.

Passkeys (specifically the private key and additional information such as the account and website that it’s associated with) must be managed by an authenticator, which is hardware or software that verifies the user before signing a login request with the private key. The authenticator can live in different places:

On your computer or phone, managed by the operating system (OS)
In your browser, managed by the browser’s password manager
In a standalone password manager
In a FIDO2 hardware security key (see 4.6)

Sync or stay home

A passkey can be created in one of two flavors:

Synced or syncable passkey – stored securely in a syncable authenticator and shared across multiple devices (mobile phones, tablets, computers, hardware security keys, and such). It can usually be recovered if a device is lost. It can be shared in two ways:
- Using a cloud service such as Apple iCloud, Google Password Manager, Microsoft Account, or a password manager.
- Directly exchanged using QR codes to connect and Bluetooth to ensure physical proximity, aka FIDO Cross-Device Authentication (CDA).
Device-bound passkey – locked to and used only on a single device. Device-bound passkeys are more secure, since they can never leave the device they were created on and bound to. It can’t be recovered if the device is lost.

Most passkeys are synced, which makes them simpler to use. Some environments may require device-bound passkeys for security (e.g., an AAL3 rating). However, most current implementations don’t give you a choice. Saving a passkey to a hardware security key (see 4.6) may make it device-bound, but hardware security keys can also be synced, so you may need to look into the details of the specific implementation you want to use. Since device-bound keys are not recoverable if lost, be sure to have backup credentials for login.

When you first create a passkey, you’ll probably see several options for where to save it. You might have to select “Other ways to sign in,” “Try another way,” or a similar option to see them all. Your choice of where to keep your passkeys depends on what devices you have and how you use them.

If you use the same browser on multiple devices, such as Google Chrome on a PC and a phone, it’s best to keep your passkeys in the browser, since it will synch them to the browser on each device. If you use all Apple devices, such as a Mac and an iPhone, it’s best to keep your passkeys in iCloud Keychain, which will sync them to all your devices to be managed in the Passwords app. Windows 11 can sync passkeys to other Windows 11 PCs (as of fall 2024). Windows 10 can use passkeys but can’t (yet) sync them. If you mostly use a Windows computer and don’t use a phone much, it’s simpler to keep your passkeys in Windows so you don’t have to pull out your phone every time you log in to a website on your computer. If there are some websites or apps that you only use on your phone, you’ll want to keep passkeys for those websites/apps on your phone. If you use a standalone password manager on all your devices, you can keep your passkeys there, since most will sync passkeys across devices.

When you visit a website on your computer and log in with a passkey on your phone, you may be asked if you want to create a passkey on your computer. If you do, a new passkey is created, allowing you to log in on your computer without needing your phone. You’ll then have two separate passkeys for a single website.

The same passkey can’t be used at more than one service. This is by design, so that a passkey can’t be used to track you across multiple websites and services.

Learn more about using passkeys with:

Microsoft Windows
Apple Mac and iPhone and iPad
Google Chrome browser
Password managers: 1Password, Bitwarden, Dashlane, Keeper, LastPass, NordPass, Proton Pass, Roboform
Hardware security keys: Yubico, Google Titan, Thales

Are passkeys MFA?

Usually. Some people argue that passkeys are only single-factor authentication, but they seem to confuse the passkey credential (the public/private key pair) with the passkey authentication process (defined by FIDO2, see Standards above).

The passkey’s private key is typically not considered a factor. Instead, it and the device it’s stored on collectively represent the first factor (“something you have” — see 4.2 for more on factors). The private key can only be used from a device, which must use a FIDO authenticator to verify your presence and obtain your consent (see WebAuthn 7.2 step 16 and 6.3.3 step 7). The second factor is usually a biometric scan ("something you are”) or passcode/PIN (“something you know”). The specifications call this user verification. It’s up to the service you’re logging into (called the relying party) to make user verification “preferred,” “required,” or “discouraged.” If user verification is required, then the authentication is multi-factor. If user verification is preferred or discouraged, then the authentication may be single-factor, although some on-device passkey implementations still require user verification, and in any case the device previously required a biometric or PIN after being turned on or unlocked, so it could be considered "prior second factor."

In cases where corporate or government regulations mandate multi-factor authentication, the website or app requesting passkey authentication can require user verification, ensuring that the obligation is met.

A separate school of thought maintains that the private key and the device are each a factor. A device without a passkey can’t authenticate, and a passkey without a device can’t authenticate, ergo they must be independent factors. From this point of view a passkey is always MFA, and the biometric or PIN verification is a third factor.

(Note that some people refer to the passkey as a “something you know” factor. This is incorrect. Few people go around memorizing 32-byte NIST P-256 elliptic curve keys.)

Some people think MFA must occur across multiple steps, but passkeys combine multiple factors into a single step.

Passkeys can be synced across multiple devices, but again, they can only be used from a device with an authenticator, so the device is always a factor. Passkeys can be used from a password manager, but it must contain (or talk to) an authenticator.

Most services provide a fallback mechanism in case you lose your device. They should be multi-factor, but badly implemented fallbacks may only be single-factor. However, that’s independent of the passkey.

How secure are passkeys, really?

Passkeys are based on public/private key encryption, which is highly secure. On devices, the private keys are usually stored in very secure hardware trusted platform modules (TPMs). In browsers and password managers, the private keys are encrypted and usually require biometrics or a PIN to access. Cloud sync services encrypt and securely store the private keys, often using a hardware security module (HSM). These all use strong encryption, not just hashing like passwords, so even if the data were breached it would be very difficult to crack. Only the public keys are stored by the service, so even if they suffer a data breach, the public keys are useless.

Are passkeys one-hundred percent secure? No. You must trust Apple, Google, Microsoft, password managers, and others to get it right. We know they don't always. And the fallback method might be less secure than the passkey, and it could be susceptible to social engineering. And, as is often the case, there may be security weaknesses “at the edges” of the passkey implementation that allows an attacker to get around it. Nevertheless, passkeys are orders of magnitudes more secure than passwords, "magic link" emails, and other authentication methods.

Passkey Standards

“Passkey” is the friendly name for a set of standard specifications developed by the Fast Identity Online Alliance, and W3C under the FIDO2 name (see Standards note above). A key component is a FIDO authenticator (also called a WebAuthn authenticator or CTAP2 authenticator), which is software or hardware that stores, manages, and verifies cryptographic authentication keys and associated biometrics. There are two types of authenticators: a roaming (or external) authenticator, such as a hardware security key (see 4.6.2), and a platform (or internal) authenticator, such as Apple’s Touch ID and Face ID, Android fingerprint or face recognition, or Windows Hello face or fingerprint recognition. Note that fingerprint recognition in a mobile phone is an internal authenticator when used to log in to a website or app on the phone, but an external authenticator when used to log into another device such as a computer.

The FIDO Client to Authenticator Protocol version 2 (CTAP2) specification defines how authenticators work and how they talk to a client, such as a browser, an OS, or an app, using USB Human Interface Device (USB HID), Near Field Communication (NFC), and Bluetooth Low Energy Technology (BLE). CTAP2 includes FIDO Cross-Device Authentication (CDA) for the exchange of synced passkeys between devices.

The W3C WebAuthn specification also (somewhat redundantly) defines how an authenticator works and lays out the JavaScript framework that a website or app uses to talk to an authenticator.

Note that the older FIDO Universal Second Factor (U2F) specification was renamed as the Client to Authenticator Protocol version 1 (CTAP1), and is only use for hardware security keys (see 4.6).

Advantages of passkeys:

More secure – Every passkey is unique and random. No one can guess your passkey or trick you into giving it to them (phishing). If a service is breached, your public key doesn’t do the attacker any good. Passkeys can’t be stolen when a service is breached. Passkeys can’t be intercepted by malware on your device or by someone tapping into your Internet connection.
Simple, faster login – Potentially. Although there’s an extra setup step, and you may need your phone or other device to log in on your computer, the login process can be simple, since you don’t need to enter a username or password (and type it again when you get it wrong). Unfortunately, passkeys often don’t work as smoothly as they should. (See Passkeys Remystified - coming soon).
Unforgettable – Since you don’t memorize passkeys, you never need to reset your password.
Interoperable – Passkeys are (theoretically) sharable across all your devices, but as of 2025 there are still many problems.
For implementers, less work and lower cost than using factors such as text message or email authentication (but only if you exclusively support passkeys for login).

Disadvantages of passkeys:

Can be inconvenient – Although passkeys are ostensibly simple, you usually must confirm with a biometric scan or a PIN, sometimes on a separate device. On the other hand, a password manager simply autofills your username and password so all you need to do is click or tap the login button.
Inconsistent user experience. Each browser, website, app, and OS presents passkeys in a different way, sometimes with different terminology, which can be confusing.
Device dependent – Passkeys may be tied to a specific device, such as a hardware security key or phone, requiring you to have it with you and unlock it.
Often don’t work on non-owned devices – It may be difficult or impossible to log in to a public computer or friend’s device using your passkey.
Not always available. Passkeys rely on support from the service you want to log into, and from phone and computer operating systems, browsers, or apps, so they don’t work everywhere you might want them to.
May lock you into a particular ecosystem (brand of browser or operating system). See Passkeys Remystified (coming soon).
Could be restricted – Passkeys can’t be used from mobile devices in a sensitive environment where the devices are prohibited.

4.9 Federated identity and social login

Federated identity is where a single service shares your identity (your login credentials and other information about you) to multiple organizations, services, and applications. For example, if you use your Amazon account to login to websites or apps for Amazon, Goodreads, and Wordpress, Amazon is serving as your identity provider to all these services.

Federation can function within a single organization, in which case it’s often called single sign-on (SSO). For example, a corporation’s employees may be able to log in to different company applications (email, customer management, payroll, etc.) using a single username and password. You can log into Microsoft Windows, Word, Excel, Outlook, OneDrive, SharePoint, Skype, etc. using a single username and password or a single passkey.

Social login (or social sign-on, social authentication, or third-party authentication) is where one organization serves as an identity provider for other organizations. When you are about to sign up with a new service and are given options such as “sign in with Google,” “connect with Facebook,” “continue with Apple,” or “sign up with Microsoft” as alternatives to “sign in with email,” these are social login identity providers. Instead of signing up for a new account with your own email and/or username, and coming up with a new, unique password (you always do this, right?), you allow the social network to provide your identity and other info to the service you’re signing up for. Social login is a form of identity federation.

Screenshot showing social login using Google, Apple, Facebook, Microsoft, LinkedIn, or email instead.

(Top social login providers, using their preferred logo, text, and button format.)

The biggest concern with using social login is that you cede more control of your digital identity and personal data to a single corporation. One whose goal is to make money off you. Instead of having isolated accounts at different services, you allow one business to aggregate and manage your identity. Social login makes it possible for multiple services to track you — and advertise to you. Social networks usually share information about you, including your name, birthday, picture, location, friends, and activities. Some social networks allow you to choose exactly what you share, others don’t. Apple gives you the option to have a random email address generated to hide your regular email address. Most give you a page to see what you’ve shared with whom. Here are the links to the sharing pages for Apple, Facebook, GitHub, Google, LinkedIn, Microsoft, and X/Twitter.

According analyses by login providers Okta and Descope, about one third of logins are social, with the most common being Google (by far), Apple, Microsoft, Facebook, Salesforce, GitHub, and LinkedIn. (Note that Microsoft owns GitHub and LinkedIn, but they operate as mostly independently identity providers, although, for example, LinkedIn may share data to enable personalized ads on Bing and other Microsoft services.)

A few federated identity providers are not social networks, such as Microsoft Azure AD and ID.me (used by government as well as healthcare organizations and consumer brands), but the functionality is similar.

Social login service providers such as auth0, Firebase, Okta/Auth0, OneAll, and OneLogin have APIs that make it easy for developers to offer social login for as many as 30 or 40 identity providers, although they recommend only presenting three or four to avoid a cluttered interface.

Advantages of social login for users:

Easier – No need to create a new account.
Faster – If you’re already logged in to the social network, you may just need to click a “continue with” button.
Less password overload. You don’t need to keep track of so many passwords.
Trust – You may trust the social network to keep your password and other information safe more than you trust the service you’re connecting to.
Social network integration – Some services feed fun or interesting data back into your social network account, help you connect to new friends, and so on.

Disadvantages of social login:

Less control – Your identity and personal data are managed by the social network, which may share it and allow you to be tracked. (See details above.)
Security weakness – Although social networks usually have robust security, some have had data breaches exposing millions of accounts. Individual accounts can also be hacked. If your social network account is hacked, it can potentially expose other services linked to it.
Blocked access – Social networks may be blocked in schools, workplaces, and even countries, making it impossible to log in from those places.
Where did I park my identity? – If you use social login from multiple networks, you may forget which one you chose for a particular website or app. This can be worse than forgetting your password if there’s no way to find out which one you used.
Downtime – If the social network is unavailable, you may be unable to log in at other services.
Login failure – The behind-the-scenes handshaking and credential passing is quite complex, and sometimes it fails, leaving you unable to log in.

Advantages of social login for implementers:

Trusted users – Most social media services attempt to confirm that their users are real and trustworthy.
Reduced tech support – Less need to worry about failed logins and forgotten passwords.
Free authentication – You can avoid the work of developing a login module and rely on social login, which presumably has good security, monitors for attempted attacks, and so on.
Data sharing – You may want access to the user information provided by the social network, or your model may benefit from feeding your users’ information into a social network.

Disadvantages of social login for implementers:

Confusing interface – Your login screen may be cluttered with too many options.
More complex implementation – You must implement the authentication process for each social network you select, unless you use a third-party signup/login portal that handles it all for you.
Reliance on a third party – You place functionality in someone else’s hands. You’re stuck with their password policy with no control over aspects such as MFA or passkeys, and they may change their policy. Their bugs and outages affect you, their API changes force you to update your code, they may suspend users, change their developer policies, and so on.

4.10 Decentralized identity

A fundamental concern with creating accounts at online services is that they control and define your “identity.” They often require you to give them personal information. Or, if there’s information you want to give them, you end up entering it over and over at every service. They put you at risk for security breaches and identity theft. Regardless of whether you login with passwords or passkeys, or use social login (see 4.9), the ultimate solution to these problems is something quite different.

Instead of establishing an account at every service you need, you manage your own identity and data, and you choose the services you want to share with. This is called decentralized identity or self-sovereign identity (SSI). Instead of Facebook, Google, Microsoft, Apple, your bank, your health providers, and others managing your data and your online identity, you manage your own. The vision is to create a standards-based decentralized identity system that gives users and organizations greater control over their data while achieving more trust and more security for apps, devices, and services. You no longer have multiple accounts and usernames with multiple passwords or passkeys, you have a single identity or persona. Or you might have multiple personas: one for business, one for friends and social networks, and maybe an anonymous one for shitposting.

The core components are a decentralized identifier (DID) and associated verifiable credentials (VCs) or attributes that prove who you are and attest to information about you, somewhat like a digital driver’s license or passport. Your identity and your credentials are cryptographically secured, stored on a blockchain, and accessed using a digital wallet. (See Blockchain Demystified for more information.)

You create and own your decentralized identifier, and you rely on authorities and other trusted organizations to issue credentials that can be securely verified by others.

The ideas of decentralized identity have been around for a while, but it still isn’t standardized or widely supported. It holds great promise, and someday I will create an entire Demystified section to cover it. In the meantime, here are sources of more information:

Decentralized Identity: The Ultimate Guide 2024

Decentralized Identity Foundation (DIF)

Microsoft Entra

Sovrin Foundation

The Global Identity Foundation

The Solid Project

Advantages of decentralized identity:

You’re the boss of yourself – You own and control your permanent digital identity with more privacy. You decide who has access to what personal data, and you can revoke that access at any time. (In theory, you can prevent your data being spread without your knowledge. In practice, you have to rely on services to not share your data and not store it insecurely so that it can be stolen.)
Decentralized – Your data is on your own devices or blockchain, and you selectively share it with others. There is no centralized repository or other owner of your data.
Private and secure – Your data is encrypted on a blockchain. Most requests can be satisfied with a question that doesn’t disclose details. E.g., “Are you older than 21?” “Are you a citizen of the UK?” “Is your credit rating better than 600”? “Are you eligible for financial aid?” (This type of request leverages zero-knowledge proofs or ZKPs.) Because you don’t disclose the details, they can’t be stolen or phished (see 5.3), which minimizes identity theft.
Fraud-proof – Your identity and attributes are verified by an authority, so they can’t be forged or lied about.
Limited demographic tracking. Because you only disclose what you want, online services, advertising services, and others can’t build profiles about you and track you as you browse websites and use apps.
Less risk (for organizations) – Companies can issue or verify fraud-proof credentials and documents instantly. They can reduce the risk of cyberattacks and the costs and legal risks of data breaches by storing less information about their users.

Disadvantages of decentralized identity:

It’s all on you – You are responsible for your own identity and security. Keeping track of personal data and permissions can be complex.
Too many platforms – Unless things become more consolidated, you may need multiple identity platforms and multiple wallets to manage different kinds of information.
Bad news for the bad guys – Decentralized identity could put thousands of .

5 How passwords are attacked

There are several ways someone can try to access your account or harvest your credentials. None of them are what you see in movies, where a nerd in a hoodie madly types guesses into a computer screen.

1) Password guessing – Repeatedly trying to log in with different passwords (explained in 5.1). This is sometimes called a brute force login attack, although variations such as credential stuffing (explained in 5.1.1) and password spraying (explained in 5.1.2) are more precise and effective, and therefore more common.

2)Offline cracking – Processing a data breach file to find passwords (explained in 5.2). If the stolen data was not protected, then no processing is needed, the usernames and passwords are just sitting there. Even when the passwords are protected by hashing, attackers use tools that know commonly used passwords and that understand the patterns we humans tend to use for passwords (explained in 5.2.1).

3) Social engineering – Fooling you or another person into providing access. You might get an email or text or see a social post or QR code that pretends to be from a real service or a trustworthy person, but links to a fake login page where the fraudster can steal your username and password (phishing, explained in 5.3). Or an attacker might call a service, pretend to be you, and convince the service representative to provide access to your account (impersonation, explained in 5.4) or to switch your phone number to the attacker’s phone so they can use your one-time login codes (SIM swapping, explained in 5.5).

4) Malware – Malicious software that tries to steal information stored on your phone or computer (aka spyware or infostealers) or that “watches” you type your username and password into websites and apps (keyloggers). Covered in 5.6.

5) Other less common methods, such as watching you type as you log in (shoulder surfing), finding your insecurely stored written passwords, stealing your phone or computer and attempting to hack it, intercepting login data sent over an insecure connection (man-in-the-middle or sniffing), or seeing a password foolishly sent over a public channel such as Slack or Microsoft Teams.

6) AI and neural networks – Research indicates AI can improve password guessing, both online and offline, although no mainstream password cracking tools have added AI as of the beginning of 2025.

The table below summarizes password attacks, how difficult they are to pull off, and how to defend yourself against them. Note that in some attacks, the strength of your password doesn't matter, but since you never know what might happen, you should use strong passwords for important accounts. See the references sections for detail about each type of attack.

Credential stuffing (5.1.1) Stolen usernames and passwords are tried at multiple websites.
Frequency	High. Tens of millions of accounts are probed every day.
Difficulty	Easy. An attacker can obtain a list of breached usernames and passwords for use with an off-the-shelf tool.
Defense	Don’t re-use a password for important accounts. Use strong passwords that won’t be cracked. Use a service to alert you if your account is breached.
Password spraying (5.1.2) Usernames and email addresses are combined with common passwords and tried at multiple websites.
Frequency	High. Tens of millions of accounts are probed every day.
Difficulty	Easy. An attacker can get a list of usernames for use with an off-the-shelf tool.
Defense	Never use common passwords. Use a service to alert you if your account is breached.
Data breach cracking (5.2) Passwords are extracted from a data breach file using cracking software.
Frequency	Medium, but it’s almost inevitable that one or more of your accounts will be exposed in a data breach.
Difficulty	Breaking into accounts is difficult, but anyone can obtain breached data and run it through a free cracking tool. Ease and speed of cracking depend on the password hash used by the breached service.
Defense	Use strong passwords. However, if the password data was unprotected, a strong password does no good.
Social engineering / phishing (5.3 and 5.4) Someone tries to trick you into revealing your password or other sensitive data.
Frequency	Very high. Billions of phishing emails are sent every day.
Difficulty	Easy. Attackers can obtain an email list and use an off-the-shelf phishing kit.
Defense	Educate yourself on phishing attacks and stay vigilant . Note: a strong password doesn’t help.
Malware (5.6) Malicious software on your phone or computer steals sensitive information from files or by monitoring your typing, emails, and texts.
Frequency	Medium. Roughly 30 percent of phishing emails contain malware, although many are blocked and only around 20 percent are opened.
Difficulty	Easy. Developing malware is tricky, but “malware as a service” makes it usable by anyone.
Defense	Don’t follow links or open attachments from unrecognized sources. Use anti-virus software. Use passkeys or multi-factor authentication. Note: a strong password doesn’t help.
Local discovery Someone watches you enter a password or finds an insecurely stored written password.
Frequency	Low.
Difficulty	Hard, unless someone is sloppy.
Defense	If you keep your passwords on paper, secure it. If you keep your passwords in a file, protect it with a strong password. Be aware when entering passwords.

5.1 Password guessing

A password guessing attack tries to access an account by repeatedly entering guesses on a login page. These attacks are usually online and automated, where software emulates a human and submits guesses on a website. There can be manual attacks, where someone visits a website and tries to log in as you, or someone has physical access to your phone or computer and attempts to log into an app, but this is rare.

Online brute force guessing has limited success, since most websites and apps limit the number of attempts before locking out the account or adding a (the little puzzle that asks you to prove you’re not a robot). However, an attacker who has gotten your email/username, and perhaps your password, from a data breach or other source can make login attempts over time and on multiple services, often without being detected or locked out. This is also called list cleaning or breach replay. Microsoft data shows there are over 4,000 attempted password attacks per second just on Microsoft accounts.

See credential stuffing and password spraying below for details.

5.1.1 Credential stuffing

Credential stuffing is an online attack that takes stolen usernames and passwords and “stuffs” them into the login pages of popular websites, looking for people who used their password more than once. Automated software runs through a list of thousands or millions of usernames and passwords, trying just one or two passwords for each username every so often, to avoid detection and lockout, and typically using multiple hijacked computers spread around the world (a botnet) to make it look like the attempts are not coming from the same place (a single IP address).

A famous example is the 23andMe data theft. An attacker used credential stuffing to break into 14,000 accounts. 23andMe has an optional feature to share information between relatives, which made additional information such as name, location, estimated ethnicity, birthplace, birth year, sex, and genetic and health data available to the attacker. The security of 23andMe itself was not compromised, but because 14,000 of their customers recycled passwords that had been compromised elsewhere, data from 6.9 million customers was compromised, almost half of their 14 million customers. In response, 23andMe required all their customers to reset their password, and added 2FA as login requirement.

To be safe from credential stuffing:

Don’t reuse passwords. If you already have, subscribe to a monitoring service such as Have I Been Pwned to be notified if one of your accounts is breached.
Use MFA if available. It also tips you off when someone is trying to break into your account.
Use passkeys when available.

5.1.2 Password spraying

Password spraying is an online attack that exploits the prevalence of weak passwords by combining the most frequently used passwords (such as Password1, 123456, qwerty, etc.) with lists of email addresses or usernames obtained from sources such as data breaches, user directories, or just educated guesses such as firstname.lastname@companyname.com. Automated software tries each username with all the passwords, targeting dozens or hundreds of popular websites, often using multiple hijacked computers spread around the world (a botnet) to make it look like the attempts are not coming from the same place.

Password spraying is even more effective when it uses only passwords that conform to the password policy of the target service and mixes target-specific information such as the user’s name, email address, and company name or products into the password.

To be safe from password spraying:

Don’t use weak or well-known passwords. See password patterns to avoid, or test your password at Have I Been Pwned or Weakpass.
Use MFA if available. It also tips you off when someone is trying to hack into your account.
Use passkeys when available.

5.2 Data breaches

A fundamental problem with passwords is that in order to log you in, a service has to be able to recognize that you entered the correct password, so they store it in a form that they can compare your input to. If an attacker breaks into the service’s system, they can steal password data.

Badly implemented services store unprotected passwords and other user information in a database or log. You’d think this would never happen, but it has. Facebook, Sony Pictures, Adobe, Equifax, Yahoo, Ancestry.com, Brazzers, YouPorn, Comcast, Neopets, and many others have suffered theft of unprotected passwords or security questions.

More careful services secure passwords by using a scrambling technique called a hash. But password hashes can be cracked, especially by powerful computer setups that use cracking tools to find the weakest passwords.

5.2.1 Cracking tools

Attackers use various software tools to extract passwords from a dump file stolen from a service. Dumps containing thousands or millions of usernames and passwords can be purchased on the dark web. Because processing happens offline (the cracker is crunching data on a computer system, not trying to log in online), there are no restrictions on the number of guesses or how quickly they can be made.

Services usually convert passwords to a hash to make them harder to crack if they are stolen. Password cracking (or hashcracking) tools attempt to get around this by using lists of known passwords and generating predictable passwords, each of which is hashed and compared with all the hashes in the dump file. If there’s a match, the password has been cracked.

Speed and effectiveness are limited by the strength of the hash function and by the processing speed of the cracking rig. Attackers can usually figure out which hash was used by looking at length, prefix, and other information or by trying different hashes on common passwords.

Making a hash of things

The standard way to protect passwords in the event they’re stolen is to hash them. Hashing is a technique for scrambling and condensing text into a short value, called a hash, hash value, hash code, or message digest. Hash values are typically 16 to 32 bytes. Hashing is a one-way function, meaning that the output can’t be used to get the original input back or even know how long the original text was. Good hash functions are collision resistant, which means two different inputs almost never produce the same hash value.

A hash value is like a fingerprint, which uniquely matches something more complex (a person). You can’t look at a fingerprint and know whose it is, but you can see if a fingerprint matches the known fingerprint of a person. This is how hashing applies to passwords. When you sign up for a service, only the hash of your password is stored along with your username and other info. When you log in, the password you enter is converted to a hash and checked to see if it matches the stored hash.

Diagram showing how passwords are hashed and salted for registration and login.

Hashing techniques have improved over time, partly in response to computers getting faster, and partly to make them more suitable for protecting passwords. Older hash functions from the 1990’s such as MD5, SHA-1, and the SHA-2 family (SHA-256, SHA-512, and others) were designed to be fast, for general purpose use. However, when an attacker is guessing passwords, hashing them, and comparing them to a stolen list of hashed passwords, you want to slow them down as much as possible, so a slow hash function that requires a lot of computer memory (RAM) is better. Newer hash functions such as Argon2 (created in 2015), scrypt (2009), PBKDF2 (2000), and even the aging bcrypt (1999) are much better for password protection (see 6.2 for more).

Nerd note: Hashing is not technically encryption, since encryption must be reversible in order to decrypt and read the original information. If you hash a secret message, no one will be able to read it. However, hashing is often colloquially called encryption, as it’s a cryptographic technique. Also, since we’re getting into the weeds, Argon2, scrypt, and PBKDF2 are key derivation functions, technically not hash functions, although they internally use hash functions. But we call them hash functions anyway.

Modern password protection adds salt to the hash. (Are you getting hungry?). This is to prevent cracking tools from speeding up the process with precomputed hashes (rainbow tables). For example, if you took the 100,000 most used passwords and used bcrypt to hash them, you’d have a set of hashes that you could quickly and repeatedly apply against any stolen list of passwords protected with bcrypt. But if a random value is added to each password before it’s hashed, this approach is foiled. Salts are stored with the hashed passwords in the database.

To stick with the diner motif, pepper can also be added. A pepper is a single value added to each salted and hashed passwords. The pepper is stored apart from the database of hashed passwords, making the hashes difficult to crack unless the pepper is also extracted from the code or (even harder) from hardware-based secure storage. To be clear, the pepper is a secret, the salts are not.

Note: If you’re trying to analyze how long it takes to crack passwords, comparing password cracking rigs to cryptocurrency mining rigs is too simplistic. Bitcoin uses SHA-256 and Ethereum uses Keccak-256. Both are fast and efficient, unlike password hash functions.

As discussed in section 2, an eight-character password made from the standard set of 95 characters has more than 6 quadrillion variations, and a twelve-character password has more than 540 sextillion. That’s a lot of passwords to guess, but even a standard desktop computer using the parallel processing power of an Nvidia GeForce RTX 4090 GPU (graphic processing unit) can crank through over 150 billion simple MD5 hashes per second. At that rate any six-character password hashed with MD5 can be cracked, on average, in less than three seconds, and an eight-character password in less than six hours. A newer, stronger hash, such as bcrypt, that takes longer to compute, slows this down to around 208 thousand hashes per second, or 19 days for a six-character password, but a more powerful cracking rig with twelve Nvidia cards can do it in less than two days. Unfortunately, too many services still use old hash functions (such as MD5 and SHA-1) that can be cracked quickly with modern hardware.

Table showing times to crack passwords of 6 to 14 characters long with a single RTX 4090 or 12 RTX 4090s.

To be clear, you should take this and all other “passwords can be cracked in seconds” reports with a grain of salt. If a strong password is on a list of compromised passwords, it can be cracked in seconds. If you use predictable patterns, your password can be cracked in minutes or hours. If a company’s data is never stolen, the passwords can never be cracked. If you’re infected with malware, the strongest password can be snatched as you type it. The best protection is to be aware of any new breach with your account or password in it. Use a notification service such as Have I Been Pwned, Google Security Checkup, Apple Password Monitoring, Microsoft Password Monitor, or others, such as in some password managers.

Well-known password cracking tools include hashcat and John the Ripper. They use various modes to attempt to discover hashed passwords:

1. Known password lists. These are compiled from previous data breaches and successful password cracking work. For example, the (in)famous original RockYou file contains 14,341,564 distinct passwords, used with 32,603,388 usernames. (Those numbers alone show that 56 percent of the passwords occurred more than once.)

2. Dictionaries (cracking lists). These are extensive lists of common words and names (personal names, place names, company names, pet names, fictional characters, etc.), often ordered by frequency of use in passwords. Dictionary lists may also include known passwords.

3. Brute force (exhaustive search). The software runs through permutations of characters, generating huge numbers of possible passwords. Dumb or incremental brute force that slogs through all variations (aaaaaa, aaaaab, aaaaac, etc.) is possible but rarely used, as there are optimizations with more likelihood of success:

o Markov models that prioritize the most likely passwords first. A simple Markov chain connects characters together according to the probabilities that one will follow another. A layered Markov model can include the probability of a character being in a certain position in the password. (This is hashcat’s default brute force mode.) Markov models are generated from lists of leaked passwords and can then be used to produce all the possible passwords of a given length, ordered by probability.

o Masks prioritize certain patterns such as all lowercase or all numbers (see note).

o Transformation or mangling rules modify dictionaries by varying uppercase and lowercase, doing leet substitutions, adding numbers or symbols, mixing words together, and so on.

4. Hybrid attack. Combining known or guessed information with any of first three modes. For example, if an attacker knows your birth year, the software can combine it with known passwords and dictionary words. (This also called associative attack.)

It should be obvious that when you’re trying to create a strong password, your first goal is to avoid it being found by the first two modes (make it unique) and your second goal is to prevent it being found by the remaining modes (make it long and unpredictable).

Password patterns

We humans are very predictable. If we’re told we must have a capital letter in our password, we usually stick it at the beginning. If we’re required to include a number, we usually put one or two at the end or insert a year. If we have to use a special character, we tack one on at the very end, and it’s usually “!”. Our passwords are usually eight characters long.

Other commonalities are keyboard patterns (“qwerty,” “asdfg”, “1qaz1qaz”), popular words and phrases (“love,” “gamer,” “summer”, “baseball”), and of course names.

An analysis and visualization of four-digit passwords/PINs shows the top five:

1234 (almost 9.0 percent!)

1111

0000

1342 (everybody thinks they’re clever)

1212

Over two thirds of passwords include a number. 1 is the most popular, used over 60 percent of the time, with 2 and 0 used over 30 percent of the time, and 9 and 3 used over 25 percent of the time.

Around 10 to 30 percent of leaked passwords are lowercase only, around 10 to 20 percent use only numbers, and around 30 to 40 percent contain only lowercase letters and numbers.

Less than 15 percent of passwords use special characters. When they are used, the top four are . _ ! - leaving } and | at the bottom as the “strongest” special characters. The exclamation mark is placed at the end over 50 percent of the time.

A heatmap of character positions in the top 500 million leaked passwords from a large compilation of breaches shows patterns such as “.” or “!” at the end, capital A at the beginning, and so on. See (coming soon) for more analysis.

Heatmap of character positions in passwords.

A heatmap of character positions in a composition of over a billion leaked passwords shows patterns for the four character types.

Heatmap of positions of four character types (lower, upper, digit, special) in passwords.

Password cracking tools are designed to exploit human predictability by prioritizing the most common patterns, or topologies, when doing brute-force guessing. For example, you can find “a set of prioritized hashcat masks intelligently developed from terabytes of password breach datasets and organized by run time” on GitHub.

An analysis of 2.9 million passwords at several Fortune 100 companies bears out the prevalence of consistent patterns in passwords (see chart below). When the minimum length for passwords was eight, the most common pattern was one uppercase letter followed by 6 lowercase letters and two digits (Aaaaaa11). When the minimum length was increased to nine, many users just added another lowercase letter (Aaaaaaa11). Note that this meets common “complexity” rules of at least one capital letter, at least one lowercase letter, and at least one number or special character. If a company required a symbol, similar patterns appeared, with a symbol added to the end. At company 1, the top five password patterns would crack 48 percent of all passwords. The top one hundred password patterns were used by 85 percent of all employees. At company 2, the top five patterns could crack 16 percent of all passwords. The top 100 patterns were used by 62 percent of all employees.

Company 1				Company 2
Pattern	Count	Length	Share	Pattern	Count	Length	Share
Aaaaaa11	33,458	8	12.7%	Aaaaaa11	19,200	8	4.6%
Aaaaaaa11	33,394	9	12.7%	Aaaaaa11!	17,914	9	4.3%
Aaaa1111	27,898	8	10.6%	Aaa1111!	14,025	8	3.3%
Aaaaaaaa11	19,190	10	7.3%	Aaaaaa1!	12,477	8	3.0%

An analysis of 193 million passwords by Kaspersky indicated that 28 percent of passwords mixed the four character types, 26 percent used only lowercase and digits, and 24 percent used uppercase, lowercase, and digits.

one of each character type	28%
lowercase and digits	26%
uppercase, lowercase, and digits	24%
lowercase, digits, and symbols	7%
numbers	6%
lowercase	6%

See Analysis & Insights from 10 Million Entries and Can Long Passwords Be Secure and Usable? for more on patterns.

In most new data breaches, over 60 percent of hashed passwords can often be found in previous data breaches (per haveibeenpwned posts). According to a 2023 analysis by Kaspersky, 59 percent of 193 million actual passwords could be cracked from a hashed password list in less than an hour using an off-the-shelf Nvidia GeForce RTX 4090 card. This is partly due to modern GPU processing power and partly due to list attacks and pattern attacks being disturbingly effective. The study found that 57 percent of the passwords included a dictionary word.

For more on password cracking, see Password Village, the hashcat FAQ, and the r/hacking tutorial.

5.3 Phishing

Phishing is a social engineering scam using fraudulent emails, websites, text messages, phone calls, or other communication in an attempt to trick you into revealing sensitive information such as usernames, passwords, and credit card details. The term probably evolved from phreaking (phone freaking), which referred to exploiting phone systems in the 1960’s and 70’s, combined with fishing. Over 20 percent of data breaches are a result of phishing.

Phishing typically has three phases:

1) Hook – An email, text message, QR code, social media chat, phone call, or other method to connect to potential victims.

2) Bait – The motivation to take the hook. This usually plays on human nature and emotions (see below).

3) Catch – The mechanism for divulging info or giving money: a fake website, a malicious attachment, a fake browser update, a person on the phone, fraudulent invoices or orders, or bogus PayPal or Venmo requests.

Email is the most-used hook. Over 95 percent of social engineering attacks use email. In 2024, scammers sent over 3.4 billion phishing emails each day.

Phishing relies on human fallibility and our inclination to trust. It manipulates your emotions to put you into a state where you aren’t as thoughtful and cautious as you normally might be:

Greed – there’s money, a reward, incredible purchase discounts, or an exclusive offer.
Urgency or panic – something is alleged to have happened to a family member or friend, you’re going to be fined or arrested if you don’t act immediately, your account has been suspended, there are fraudulent charges on your credit card, there’s a limited-time offer.
Fear – you’re told you have been infected with a virus, your company computers have been breached.
Curiosity – your package can’t be delivered, or there’s something amazing / disgusting / horrific / secret / whatever that you don’t want to miss.
Compassion – people need support after a natural disaster.
Trust – impersonating an authority or reputable organization, often a software security company to lend credence.
Guilt – you’ve missed a payment, or made a mistake that you need to fix, or someone knows about those inappropriate websites you visit.
Romance or friendship – someone befriends you, gains your confidence, then asks for money or personal information, or even tries to extort you.

Vishing, smishing, and quishing, oh my!

A gaggle of goofy names has sprouted to describe the various types of phishing, a bit like those collective nouns such as a pride of lions, an exalting of larks, and a melody of harpers that have been around since the 1400’s. The labels aren’t always used consistently, but they’re sometimes helpful in categorizing the diversity of phishings:

Email phishing – the classic, original (since AOL, 1995); sometimes called deception phishing when the email impersonates a recognized company or person.
Mass phishing – bulk emails or texts sent indiscriminately to thousands or millions of recipients.
Vishing – voice phishing via phone.
Smishing – SMS text phishing.
Quishing – a QR code that links to fraud site.
Spear phishing – targeting a specific individual, typically by gathering information about them.
Whaling – targeting a senior executive, who often has access to sensitive data.
Angler phishing – posts or direct messages on social media, including posing as customer support agents.
Pop-up phishing – a pop-up that falsely claims there’s a virus or a bug (scareware).
Email compromise – taking over a legitimate email address to send fraudulent links or documents; often called business email compromise (BEC).
Watering hole – focusing on a specific group of users or a site they visit.
Typosquatting – a URL that looks similar to a legitimate domain (e.g., g00gle.com or irs.gow).
URL shortening – using link shorteners like bit.ly to conceal the phony destination.
Clickjacking – tricking users into clicking on something they can’t see, often on a legitimate website, by hiding a real button or link under a fake one or putting an invisible button or link over a real one; sometimes called UI redressing.
Code phishing – tricking users into entering an authorization code for a separate device (like the code used to log into a smart TV app) that gives the attacker access to the account
HTTPS phishing – a seemingly secure link to a fake website (HTTPS is the secure, encrypted form of HTTP for visiting websites in browsers, but it doesn’t protect against phishing).
Pharming – malicious code installed on a phone or computer that connects to a fake website; also refers to hijacking a DNS (to direct browsers to the wrong domain).
Hidden links – invisible or disguised links in innocuous text or images.
Clone phishing – sending a copy of a message the recipient already received, but replacing authentic links or attachments with malicious versions.
Email bombing – sending a large amount of spam, then following up with an offer to “fix” the problem; sometimes called fatigue phishing.
Evil twin – a Wi-Fi network that looks real but has a fake login page or reads sensitive data sent over the network.
Search engine phishing – trying to get a high ranking on search engines for fraudulent websites.

Warning signs of phishing and what to do:

Unknown sender – Check the message carefully, and don’t open attachments or click or tap on links.
Request for sensitive info – your login information, credit card number, or other personal info. Don’t give this information to anyone who initiated the contact with you, even they claim it’s for “verification purposes.” Instead go to the official website or call the official number.
Request to share a login code or one-time password – Legitimate companies never ask for this.
Appeal to emotion – (See the list above.) Think twice about any email that triggers your emotions and then asks you do something.
False urgency or pressure – Be dubious about “last chance!” and “limited time!” offers.
Unusual payment methods – such as gift cards, cryptocurrency, or wiring money (e.g., Western Union).
Unexpected notification – of an order, a delivery, a payment request, and so on.
Undelivered mail notice in your inbox – Check the destination email address. If it’s not familiar, don’t open any attachments.
An email address or web link that doesn’t match the text or the sender – For example, apple@secure-services.com, fedex@pkgtracker.net, or an email that says it’s from Best Buy but has emilybronte@evilserver.ru as the return address. Check the sender and return address (both can be spoofed). On a computer, hover the mouse over links to see if they lead to suspicious or non-matching websites. Don’t click on suspicious links. Instead type the official company or organization name into your browser.
A message or call from a large organization contacting you personally about a virus, a software update, or something similar – Companies with thousands or millions of customers won’t call you directly, and they especially won’t ask for your password.
Misspellings and grammar errors – Messages from legitimate organizations are (usually) well written. Train yourself to look for incorrect company names and bad writing.
Odd language that’s inappropriately formal or informal – If something seems off, double check the message.
An email from yourself – Email senders can easily change the from: address in an attempt to trick you (called spoofing). Using your email address as the sender might fool you into thinking the message is legitimate, but it’s a sure sign of a scam. (Unless you did send an email to yourself.)
Deliberately similar URLs – For example, microsofts.com or googlmail.com. Check email addresses and web URLs carefully.
Substituted letters (homographs) in URLs – For example, none of the letters in “ηєţβαηĸ” are standard. Check email addresses and web URLs carefully.
Unknown number – A blocked or unidentified phone number, number that you don't recognize, or number with a country code that doesn’t match yours.
Instructions to install an app or run a command – For example, in Windows, pressing Windows-R and typing something; on a Mac, opening the Terminal app and typing something. Don’t blindly follow instructions to type commands on your computer, even if the person claims it’s safe and will fix something.
Unknown QR codes – Unless you trust the source, use a QR reader that shows the link, and check it before you tap on it. Check the URL of the website after you follow a QR code to make sure it looks right. Even for seemingly legitimate public URLs, such as in a pay parking lot, be careful. Scammers may paste their own fraudulent QR codes on real signs.
Shortened URLs from an unrecognized source – For example, tinyurl.com/trustme or bit.ly/3pt7mss. If there’s a shortened link that you’re not sure about, first use a link checker to see the full URL.

It used to be relatively easy to spot fishing attacks because of misspellings, bad grammar, and so on, but unfortunately artificial intelligence (AI) is making it easier to craft believable emails and even deepfake video or audio clips that look or sound like a relative, a friend, or a celebrity. If you get an unexpected video or phone call that urgently asks you to pay money or provide personal info, pause and think carefully. Check for deepfake giveaways such as unnatural blinking, odd eye movement, mouth of out sync with voice, shifting or blurry images, odd background, distorted voice, or voice inconsistencies that don't match the person's normal speaking pattern. If you’re at all suspicious, call the person directly to see if it was really them.

You can help keep others from becoming phish food by reporting attempts. Many email services have a "report phishing" option, and many online services have a phishing@<service>.com email address.

See 19 Most Common Types of Phishing Attacks in 2025 and the NCSC’s Quick Guide: Phishing for more information and advice.

5.4 Impersonation and pretexting

A common social engineering technique is to impersonate someone or pretend to be a legitimate company. This can happen offline (e.g., over the phone) or online (e.g., a fake login page). Also called pretexting, especially if the scam artist presents a fabricated but believable scenario to manipulate the victim into providing information. Also called blagging in the UK. Over half of phishing campaigns aimed at consumers impersonate known brands.

Impersonation is often the second phase of phishing (see 5.3.). It’s particularly prevalent in business email compromise (BEC), where the scammer either takes over or falsifies an email account and impersonates a trusted figure within a company or a trusted partner company such as a vendor or a law firm.

5.5 SIM swapping

A social engineering impersonation fraud, also called SIM hijacking, where the attacker calls your mobile phone service with sufficient personal details to pretend to be you and convince the support person to move your phone number to their SIM (subscriber identity module). They’ll claim the phone was lost or stolen, or a new purchase. In some cases, an employee is bribed to transfer numbers.

Once the attacker is in control of your phone number, they can attempt to log into your accounts or reset your passwords at any service that relies on text messages or automated phone calls.

This is a rare attack that’s overhyped. See “Is SMS insecure?” above.

Even though the risk of SIM swapping is low, you can protect yourself by visiting your mobile phone service website or app and finding the option to turn on SIM protection. (Note: this is different from the SIM lock or SIM PIN feature on your phone, which is used to prevent access to cellular data networks.)

Don’t shy away from using text message login codes because you fear they are insecure. The added security of a second login factor dwarfs the low risk of a SIM swap.

5.6 Malware

Malware is malicious software that gets installed on your computer, phone, or other device and steals sensitive information or causes disruption. Malware is often secretly installed in a phishing attack if you open an attachment or click on a link. Malware often masquerades as a software update.

Malware has been around since 2006 and is one of the primary ways passwords are compromised. The Specops 2025 Breached Password Report indicated that over a billion passwords have been stolen by malware. At least 71 million email addresses and passwords have been stolen by infostealers. Research by NordPass indicates that the top countries infected by malware are Brazil (9.6 million infected users), USA (6.9 million), India (6.9 million), Indonesia (5.3 million), and Vietnam (3.6 million).

Malware can take various forms, including

Spyware – searches for sensitive information stored on your devices or transmitted over email or website.
Infostealer – spyware focused on stealing sensitive information such as passwords and credit card numbers.
Keylogger – records all your keypresses.
Trojan – disguised as legitimate software or hiding inside it.
Remote access trojan (RAT) – gives the attacker remote control of your device.
Virus or worm – emails itself to your contacts or copies itself to other devices on a network.
Ransomware – encrypts all your data so the attacker can demand payment in return for the decryption key.

Malware that records information (spyware, infostealers, keyloggers) compiles it into a file (a stealer log) that it sends back to the attacker to analyze and crack (see 5.2) or to sell on dark webs. Spyware grabs specific files, such as browser cookies, browser secure storage for passwords and credit cards, crypto wallets, operating system password files. Spyware may monitor your clipboard, email, and web traffic looking for passwords and other info, and it may take screenshots.

Malware requires skill to develop, but now there is “malware as a service” (MaaS), which allows unsophisticated attackers to subscribe to an online malware service for a few $100 a month.

To protect yourself against malware:

Don’t follow links or open attachments from unrecognized sources. (See 5.3 for more on recognizing and avoiding phishing attacks.)
Use anti-malware (“antivirus”) software, preferably what’s built into your operating system. Third-party anti-virus software is available, but make sure it’s reputable. Never install software recommended by a pop-up that claims you have a virus — it’s a phishing attack.
Keep all the software on your computer up to date. Install updates as soon as you’re prompted. Malware often exploits software bugs to gain access.
Don't download warez. Pirated software is notoriously risky for carrying malware.
Use passkeys when available. Passkeys use encrypted secrets that you never type, so they are highly resistant to malware.
Use 2FA if available. Your username and password won’t work without the second factor, so it’s useless unless the malware is monitoring your email and SMS and attempting to log into your account in real time (which is unlikely). A side benefit is that an unexpected 2FA request will alert you that someone might be trying to get into your account.
Register at Have I Been Pwned or a dark web monitoring service to see if your email address or phone number was exposed in a breach. If so, change your password immediately.
Note: Proactively changing your passwords has questionable value, since stolen passwords are usually exploited quickly.
Don’t re-use important passwords. This limits the damage if your password is stolen.
Restart your phone once a day. Most phone malware can only run in memory, so turning your phone off and on erases it.
If you are extremely concerned, or regularly attacked, enable lockdown mode on your Mac, iPhone, or iPad. Be aware that this limits the functionality of your device.

6 Guidelines for developers

This section provides advice and resources for software engineers and product managers.

6.1 Accepting passwords

Don’t be a sheep! Don’t blindly copy the annoying and counter-productive composition rules that too many sites and services use.

1) Require long passwords. Eight characters is the absolute minimum, but twelve is a better lower limit. Not to beat a dead horse battery staple, but length is the most important factor in password strength.

2) Block common or breached passwords. This takes more work but is the very best way to safeguard your users. When a new password is entered, check it against a block list of common passwords such as PwnedPasswordsTop100k or 10-million-password-list-top-100000.txt, or query a hashed database of compromised passwords such as the Have I Been Pwned API or the Weakpass API, or use an authentication portal that has a built-in block list. If the proposed password is on the list, explain to the user why it can’t be used, and tell them to pick a better one. A specious argument against blocking common passwords is that it inconveniences users. But it only catches users who need it the most, for their own good.

3) Don’t put restrictions on passwords other than minimum length. Don’t require mixed case, numbers, or special characters. Don’t block repeated characters. Strict composition rules weaken security by reducing password entropy (see 2). The typical rules cut the number of possible eight-character passwords in half, and they hinder the use of randomly generated passwords. Password rules make passwords harder to remember and they frustrate your users. Bill Burr, who wrote the original NIST guidelines recommending numbers and special symbols, now recognizes that this was bad advice. Multiple studies show the rules don’t help, and they give users a false sense of security. These cumbersome rules are already incorporated into the toolkits of password crackers, so they play right into the hands of the bad guys (see 5.2).
Advising (but not requiring) users to include special characters is helpful, but the simplest and most important advice is to make the password 12 characters or longer (see 3.1).

4) Allow very long passwords, at least 64 characters.

5) Don’t restrict the set of characters allowed in passwords. Allow at least all ASCII printable characters (codepoints 33 to 126). If you encourage passphrases then allow the space character (but strip leading or trailing spaces). If you think you need to disallow characters such as & and \ to avoid parsing errors or SQL injection, that’s a screaming clue that you’re handling passwords incorrectly. They should go straight into the hash function before you do anything else with them. If for some depraved reason they need to be passed to another component, percent encode them. You could consider allowing all printable Unicode characters, UTF-8 encoded and normalized, but keep in mind that some devices such as smart TVs and phones don’t allow entering all Unicode characters, so you might want to protect your users from creating a password that they can’t type later on a different device.

6) Don’t force users to change their password unless you know it was breached. (See NCSC's advice against password expiry.)

7) Never use “security questions.” Despite their name, these are far from secure. Questions such as “What city were you born in?” “What was your high school mascot?” and “What’s your favorite movie?” are one of the primary ways accounts are compromised. An attacker has about a 50 percent chance of correctly guessing “What’s your favorite food?” for an American in just three tries with “pizza,” “steak,” and “hamburger.” Who has just one favorite movie? (See Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google.) And in any case using the same answer at multiple websites means that if one account is hacked, others could be compromised. If for some reason you can’t use email or text messaging to implement password recovery, let the user write their own question and answer.

8) If you’re too lazy to block common passwords, password strength meters have been shown to help users. But don’t use one erroneously based on “complexity” or entropy (see note above). Good password strength meters primarily measure length. (If the password is longer than 14 characters it’s stronger than any other silly measurement of “strength.”) Some password strength meters analyze patterns, some include block lists, and some use Markov models to estimate guessability. Don’t write one yourself, use a library such as DropBox’s zxcvbn or NuLabs’ zxcvbn4j, Chris Tetreault’s Password Strength or adapt NEMO. Even good password strength meters can incorrectly judge strong passwords as weak, so use it only to advise the user, not to reject passwords.

9) Encourage MFA, but don't require it unless you're a financial institution or you hold very critical information. When you implement MFA, don’t re-authenticate at every login, just for important activity such as changing password, email, credit card and other payment information, transferring money, or when a login occurs on a different device or a new location. (See NCSC Authentication methods: choosing the right type.) Don’t use a “magic link” email as the only login option (see 4.4).

10) Support passkeys. Passkeys are not yet sufficiently deployed, and some implementations are problematic and confusing (see Passkeys Remystified - coming soon), so as of 2025 it’s best to offer them alongside a password and MFA. (See the NCSC recommendation.)

11) Limit multiple login attempts. Throttling, with a progressively increasing time delay between successive login attempts, is preferred to account lockout, since it doesn’t frustrate users but provides sufficient protection from attacks such as credential stuffing and see password spraying. You may wish to add a CAPTCHA, but only after a few unsuccessful login attempts. Use both the account name and the IP address to track multiple requests, since botnets can vary the IP address for every attempt. Nevertheless, it’s a good idea to track total login requests from a single IP (regardless of account name) to detect distributed attacks.

Note for health and financial services: Don't buy into the myth that HIPAA and PCI DSS require specific types of characters in passwords. They don't.

Government standards and recommendations

Governments agree with the advice above.

US National Institute of Standards and Technology (NIST) Digital Identity Guidelines:

(In formal specifications, “SHALL” means “must” and “SHOULD” means “ought to.” This list below is lightly edited for clarity.)

You SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
You SHOULD permit a maximum password length of at least 64 characters.
You SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.
You SHOULD accept Unicode [ISO/ISC 10646] characters in passwords.
You SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords. (NIST removed old composition rules for passwords for the reasons they discuss in Appendix A.)
You SHALL NOT require users to change passwords periodically. However, you SHALL force a change if there is evidence of compromise of the authenticator.
You SHALL NOT store a hint that is accessible to an unauthenticated claimant.
You SHALL NOT use knowledge-based authentication (KBA) (e.g., “What was the name of your first pet?”) or security questions when choosing passwords.
You SHALL compare the prospective password against a blocklist that contains known commonly used, expected, or compromised passwords. If the chosen password is found on the blocklist, you SHALL require the user to select a different password and SHALL provide the reason for rejection.
You SHALL allow the use of password managers.
You SHOULD permit claimants to use the “paste” functionality when entering a password.
You SHOULD offer an option to display the password — rather than a series of dots or asterisks — while it is entered.
You SHALL implement a rate-limiting mechanism that effectively limits the number of failed authentication attempts that can be made on the subscriber account.

UK National Cyber Security Centre guidelines:

Do not use complexity requirements.
Don't enforce regular password expiry.

UK Information Commissioner's Office guidelines:

Set a suitable minimum password length (this should be no less than 10 characters), but not a maximum length.
Allow the use of special characters, but don’t mandate it. If you must disallow special characters (or spaces) make sure this is made clear before the user creates their password.
Do not allow your users to use a common, weak password. Screen passwords against a password block list or “deny list” of the most commonly used passwords, leaked passwords from website breaches and common words or phrases that relate to the service. Update this list at least yearly. Explain to users that this is what you are doing, and that this is why a password has been rejected.
Other than the three requirements listed above, do not set restrictions on how users should create a password.

6.2 Protecting passwords

Once you’ve accepted a new password, you obviously need to protect it.

First, hopefully obviously, secure your entire system. The best way to protect password data is to make sure it’s never stolen. However, perfect security is impossible, and everyone makes mistakes, so following the best practices below will help minimize password cracking attacks if the data is breached.
Always hash and salt passwords. It’s a good idea to add a pepper. Use a cryptographically secure pseudorandom number generator to generate a unique salt value for each password.
Passwords should be hashed (with a one-way function), not encrypted (with a two-way function). A good password hash function is designed to be slow and use lots of memory for the express purpose of slowing down attackers (see 5.2.1). Don’t use fast cryptographic hash functions such as MD5, SHA-1, the SHA-2 family (SHA-256, SHA-512, and siblings), or obsolete password hash functions such as bcrypt, or two-way encryption algorithms such as DES, AES, RSA, and ECC.
Use a modern hash function such as Argon2 that takes the salt as input along with the password. The pepper (a single value that’s the same for every password) can also be passed to Argon2 as the secret value K. If you’re using a hash function that doesn’t take a pepper (or an Argon2 library that doesn’t expose the K parameter), then the pepper can be combined with the password hash by using an HMAC function. E.g., Argon2(password, salt, pepper) or HMAC(Argon2(password, salt), pepper).
Use the strongest hash you can, preferably Argon2id. If Argon2id is not available for your platform or language, use scrypt, or PBKDF2.
Use an existing, tested library for your hash function. Libraries are available for most programming languages. Never try to write your own hash algorithm. You’ll just be reinventing a (wobbly) wheel. Unless you’re one of the top crypto experts in the world, your homemade hash won’t work as well as one of the published hashes. Ditto for the random number generator for the salt and the HMAC function for the pepper.
The final password hash and the (unhashed) salt go together with the username in the database. The pepper is securely stored separately. To be clear, if the data is breached, the salt will be known to the attacker, which is as expected.

Government regulations

US National Institute of Standards and Technology (NIST) Digital Identity Guidelines:

(In formal specifications, “SHALL” means “must” and “SHOULD” means “ought to.” The excerpted list below is lightly edited for clarity.)

You SHALL store passwords in a form that is resistant to offline attacks
Passwords SHALL be salted and hashed using a suitable password hashing scheme.
The salt SHALL be at least 32 bits in length and chosen to minimize salt value collisions among stored hashes.
Both the salt value and the resulting hash SHALL be stored for each password.
A reference to the password hashing scheme used, including the work factor, SHOULD be stored for each password to allow migration to new algorithms and work factors.
The chosen cost factor SHOULD be as high as practical without negatively impacting verifier performance, and it SHOULD be increased over time to account for increases in computing performance.
An approved password hashing scheme published in the latest revision of [SP800-132] or updated NIST guidelines on password hashing schemes SHOULD be used.
The chosen output length of the password verifier, excluding the salt and versioning information, SHOULD be the same as the length of the underlying password hashing scheme output.
You SHOULD perform an additional iteration of a keyed hashing or encryption operation using a secret key (a pepper) known only to you. The secret key value SHALL be stored separately from the hashed passwords. It SHOULD be stored and used within a hardware-protected area, such as a hardware security module or trusted execution environment (TEE).

See the OWASP Password Storage Cheat Sheet for advice on hash functions, salting, peppering, and more.

If you store anything else in the database along with usernames, password hashes, and salts, such as first name, last name, birth year, phone number, and other profile info, encrypt it (with a two-way function, not a hash). Never store any user information unencrypted. If your application requires searching any of the data, use searchable encryption or maintain a separate encrypted index.