Login Security Demystified

Last update March 17, 2025

1 Introduction

Pop quiz: Which password is more secure?

A) Mbxsa38!
B) gacrpooofent

The answer is B. Surprised? People think A is more secure because it follows the typical rules for a “strong” password: at least one uppercase and lowercase letter, number, and special character. But the most crucial aspect by far of password security is length. A secure password is hard to guess. Password B is longer than password A, so it takes more tries to guess it, just like it takes more tries to guess a number between one and one hundred than a number between one and ten.

Even though password B is only four characters longer, it isn’t just a hundred times harder to guess, or even a million times harder to guess — it’s 78 million times harder! A cybercriminal using an extremely powerful password cracking system could crack password A in about an hour, but it would take the same system over a thousand years to crack password B.

We all have to use passwords. Over two thirds of the world uses the Internet. The average person has more than one hundred accounts. Unfortunately, the security risk from passwords is getting worse all the time. Around half of the vulnerabilities in cloud services are from weak or missing credentials. Compromised passwords have (perhaps) led to billions of dollars of personal and corporate loss. Reports and numbers vary, but several billion passwords have been stolen and are available on the dark web. If your password is one of those, and you reused it at more than one site (which more than half of us do), your other accounts are at risk.

Most compromised passwords are extracted from data breaches, since too many companies do a bad job of protecting your data and because we humans don’t make strong passwords. But even the strongest password can be pilfered by malware or phishing, which account for billions of stolen passwords.

What to do? Passwords won’t go away any time soon. They’re being slowly surpassed by passkeys, but passkeys aren’t widely supported yet, and many existing passkey implementations are vexingly hard to use. In the meantime, the best way to protect yourself is to use strong passwords and take advantage of additional security measures such as multi-factor authentication.

Even when passkeys become predominant, passwords won’t disappear. They’re simple and universal. When newfangled login methods such as biometrics fail, or hardware security keys are lost, passwords are often still used as a fallback, so strong password security is as important as ever.

2 Password strength

Unfortunately, many people, even supposed experts, don’t understand what makes a password strong or weak. Most of the “how to make a strong password” guides are full of myths and misunderstandings. This section explains the true fundamentals of password strength. Section 3 provides simple guidelines on how to make strong passwords.

Why do we care about strong passwords? To keep the bad guys out. (Section 5 explains how the bad guys get in.) A secure password is one that can’t be cracked by a bad guy.

A strong password is:

A weak password is:

The one rule to rule them all is length. A longer password is a stronger password because it’s harder to crack.

Two combination locks with 2 counters (50 guesses) and 11 counters (50 billion guesses). Attribution: vecteezy.com/members/emiltimplaru

The math works like this: A single digit gives you ten possible values. If you add a second digit, you exponentially increase the possible values: 00, 01, 02, … 10, 11, 12, … 97, 98, 99 for a total of one hundred, which is ten times ten (or 10^2). If you add a third digit, you get one thousand (10^3) possible values. The same applies to passwords made of letters, numbers, and symbols, where a single character has 95 possible values, two characters have 9,025 (95^2) combinations, three characters have 857,375 (95^3), and so on. An eight-character password has more than 6 quadrillion variations (6,634,204,312,890,625 or 95^8), and a twelve-character password has more than 540 sextillion (95^12).

When guessing a random value, on average it will be found after guessing half the choices, so we can estimate that a password of length L will take 95^L ÷ 2 guesses. (See the guessing game tables below.) However, attackers are smart and start by trying commonly used passwords, frequently used words, and prevalent patterns to speed up the guessing game. Studies often show that knowing common patterns makes it possible to crack thousands or even millions of passwords in a few hours. (See section 5 for more on how passwords are attacked.)

Tables of guessing games vs. computer, with times varying from instantly to 77 million years.

Clearly, length is the key to a strong password. So why do so many services have rules that force you to create “complex” passwords, and why do so many password guides tell you that a “complex” password is a strong password?

Because a) they are sheep (“everyone else does it”), b) they don’t understand security, and c) they succumb to the prescient attacker fallacy, which is the faulty reasoning that an attacker knows how long your password is and what characters you used. Most discussions of password strength say things like “if your password is five numbers it will only take around 50,000 guesses, but if your five-character password contains mixed case, a number, and a special character, it will take over 3 billion guesses.” This completely misses the fact that the attacker doesn’t know what characters you put in your password, so it will always take them over 3 billion tries (if they guess randomly, which they don’t).

This is why “complex” passwords are not meaningfully more secure, and why services that force you to make your password more complex actually make things less secure. When the attacker knows there are restrictions, they can skip billions of guesses. For example, if the attacker knows that you must use at least one number, they won’t try guessing passwords that contain only letters. The typical rule that requires at least one lowercase letter, uppercase letter, digit, and special character in an eight-character password eliminates over three quadrillion passwords, or 54 percent! (See Password Constraints and Their Unintended Security Consequences.)

Venn diagram showing all possible passwords, with a half-size oval inside showing passwords meeting complexity requirements.
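The guess counts above and the "54 percent" figure for the four-of-four rule can be checked directly. The following Go program is an added example, not part of the original article: it computes 95^L, the expected number of random guesses (half the keyspace), and, by inclusion-exclusion over the four character classes, how many eight-character passwords a rule requiring all four classes removes. The guessing rate passed to CrackSeconds is an assumed figure for illustration, not a number from the article.

```go
package main

import (
	"fmt"
	"math/big"
)

// The 95 printable ASCII characters discussed in section 2, by class:
// 26 lowercase, 26 uppercase, 10 digits, 33 symbols.
var classSizes = []int64{26, 26, 10, 33}

const alphabet = 26 + 26 + 10 + 33 // 95

// pow returns base^exp as a big.Int (95^L overflows int64 once L exceeds 9).
func pow(base int64, exp int) *big.Int {
	return new(big.Int).Exp(big.NewInt(base), big.NewInt(int64(exp)), nil)
}

// Keyspace returns 95^length: the number of possible passwords when the
// attacker does not know which character classes were used.
func Keyspace(length int) *big.Int { return pow(alphabet, length) }

// ExpectedGuesses returns 95^length / 2, the average number of random guesses.
func ExpectedGuesses(length int) *big.Int {
	return new(big.Int).Div(Keyspace(length), big.NewInt(2))
}

// CrackSeconds estimates how long the expected guesses take at a given rate.
// The rate is supplied by the caller; it is an assumption, not an article figure.
func CrackSeconds(length int, guessesPerSecond int64) *big.Int {
	return new(big.Int).Div(ExpectedGuesses(length), big.NewInt(guessesPerSecond))
}

// CompliantCount counts passwords of the given length that contain at least one
// character from every class (the four-of-four rule), by inclusion-exclusion:
// for every subset of classes that is left out, add or subtract (95 - left out)^length
// depending on whether the subset has an even or odd number of members.
func CompliantCount(length int) *big.Int {
	total := new(big.Int)
	n := len(classSizes)
	for mask := 0; mask < 1<<n; mask++ {
		excluded := int64(0)
		bits := 0
		for i := 0; i < n; i++ {
			if mask&(1<<i) != 0 {
				excluded += classSizes[i]
				bits++
			}
		}
		term := pow(alphabet-excluded, length)
		if bits%2 == 1 {
			total.Sub(total, term)
		} else {
			total.Add(total, term)
		}
	}
	return total
}

// Eliminated returns how many passwords of the given length the four-of-four
// rule removes from the attacker's search space, and the fraction removed.
func Eliminated(length int) (*big.Int, float64) {
	all := Keyspace(length)
	gone := new(big.Int).Sub(all, CompliantCount(length))
	frac, _ := new(big.Rat).SetFrac(gone, all).Float64()
	return gone, frac
}

func main() {
	for _, l := range []int{8, 12} {
		fmt.Printf("length %2d: keyspace %s, expected guesses %s\n", l, Keyspace(l), ExpectedGuesses(l))
	}
	// Assumed rate of one trillion guesses per second, for illustration only.
	fmt.Printf("length 8 at 1e12 guesses/s: about %s seconds\n", CrackSeconds(8, 1_000_000_000_000))
	gone, frac := Eliminated(8)
	fmt.Printf("four-of-four rule at length 8 removes %s passwords (%.1f%%)\n", gone, frac*100)
}
```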

On top of this, complexity rules don’t meaningfully improve security, because humans are predictable. Analyzing patterns in cracked passwords shows that when people are required to follow the three-of-four rule (“you must use at least three of the following: uppercase, lowercase, numbers, special characters”), the most popular pattern is one uppercase letter followed by several lowercase letters, then two to four digits (“Spring2024” or “Qwerty123”). When faced with the four-of-four rule they just add a special character to the end, usually “!” (“Qwerty123!”). See Password patterns for more on predictability.

Restrictions merely create a stronger blueprint for predictable passwords.

Remember, the goal is to thwart an attacker who knows all about commonly used passwords and patterns and so-called “complexity”. The trick is to exceed the attacker's crack time threshold, and the best way to do that is with long passwords. In the password guessing game table above, you can see how each time you make a password one character longer it increases guessing time by days, then years, then centuries. This is for random guesses, but the principle holds true for smart guesses. In general, attackers give up after trying 8- to 10-character passwords. A 12-character password is very strong, and anything longer is even better.

3 Password guidelines for users

3.1 There are only three important guidelines:

1) Make it long. Make it as long as you reasonably can, partly depending on how often you’ll need to remember it and type it in, but at least 12 characters long. If it helps, use the National Cyber Security Centre’s approach and make a passphrase from three random words you’ll remember.

2) Make it unique. Don’t use a password on one of the common password lists. Attackers use a technique called password spraying, where they get leaked usernames and try them with common passwords. Check password uniqueness at Have I Been Pwned.

3) Don’t reuse it. Don’t use the same password for more than one important account. Attackers use a technique called credential stuffing, where they take your username and password stolen from one site and try it on hundreds of other sites. Of course it’s hard to keep track of more than 150 passwords, which is the average. Some research suggests it’s beneficial to reuse passwords at low-value sites to reduce memory overload. Or you might want to use a core password with variations to help with this. Choose a strong (long) password and then add something to it that you’ll remember for each different website.

A password manager will automatically do all this for you.

3.2 Common additional tips (that aren’t as important):

1) Don’t include personal or familiar information such as a date, name, email address, city, etc. This helps against brute force attacks (which use dictionaries of words, names, cities, dates, etc.), and it might prevent someone who knows you or can see your social media pages from guessing your password.

2) Don’t include words in a short password, but feel free to use words in a long password, often called a passphrase. As pointed out by XKCD, the entropy of a long passphrase is vastly better than a typical password, and it’s easier to remember. However, password cracking tools prioritize guesses based on dictionary words, so if your password is less than 14 or so characters, don’t put words in it.

3) Use symbols, uppercase and lowercase letters, and numbers. You might need to do this because of draconian password rules at websites that don’t understand password security, but otherwise, using a variety of characters only makes your password a little bit stronger (see note above).

3.3 Ignore common but mostly useless guidelines:

1) Don’t “use leet substitution.” “Pa$$w0rd” or “@dm1n” is barely more secure than “password” or “admin.” Password cracking tools have already analyzed the leet patterns in compromised password lists and incorporated them into their algorithms. (See Leet Usage and Its Effect on Password Security).

2) Don’t “make your password complex” by reversing words (“drowssap”), using numbers or single letters for words (8 for “ate” or U for “you”), random capitalization (“DroWssAp”), condensing phrases to initial letters (“Il2EgP” from “I like to eat green peas”), and so on. This faux complexity gives you a false sense of security.

3) There’s no need to “change your password regularly.” Unless you know that a security breach has exposed your password, don’t bother changing it. It just eats up your time and adds to your mental load. It takes less time to visit Have I Been Pwned to see if your password has been compromised, and only then change it.

4) Don’t diddle with “Diceware to generate passphrases.” Some people swear by Diceware, but are you going to remember a randomly generated set of strange words such as “dobbs bureau valeur flash ababa synod”? And are you going to roll a die thirty times whenever you need a new password? The underlying concept of random, six-word passphrases is great, giving an average password length of 30 characters from the Diceware word list, but the process is too cumbersome. Maybe for just your most critical accounts. Better yet, follow the National Cyber Security Centre’s advice and make a passphrase from three or more random words you’ll actually remember.

3.4 Padding

An interesting suggestion from Steve Gibson is to strengthen passwords by padding them with sets of characters that are easy to remember and easy to type. His example takes the incredibly weak password “D0g” and adds 21 periods. As he explains, “D0g.....................” is stronger than “PrXyc.N(n4k77#L!eVdAfp9” because it’s one character longer, making it approximately 95 times harder to guess. This is a good way to meet guideline #1 above: make it long. You can come up with your own variations such as “((((((password))))))”, “////pass////word////” (preferably without actual words), and so on.

3.5 (Un)security questions

Every expert agrees that security questions are a bad idea. Many accounts have been compromised through password recovery questions. Some answers are very popular (around 30 percent of people worldwide say blue is their favorite color and around 20 percent of Americans say pizza is their favorite food), questions and answers tend to be repeated across accounts, and unencrypted answers are often revealed in data breaches.

Someone targeting your account may be able to dig up enough information about you (your hometown, the street you grew up on, schools you attended, where you got married, etc.) to answer recovery questions. Pew Research shows that 37 percent of Americans have never moved from their hometown.

If security questions are optional, leave them blank. If you are forced to answer them, obfuscate your answers and make them different for each website. For example, even if your “favorite food” is pizza, you could answer “pizpizPayP” for PayPal and “pizpizBoA” for Bank of America. (Not that these specific services are foolish enough to use secret questions, but you get the point.) Some services require multiple questions and don’t let you use the same answer, so you could answer “MyMotherIsACar_drycln_school,” “MyMotherIsACar_drycln_pet,” “MyMotherIsACar_drycln_job” for questions that your dry cleaner’s website asks about your high school, pet, and first job. (See NordVPN’s Which security questions are good and bad? for more suggestions, keeping in mind that all security questions are bad.)

3.6 Writing down passwords

It's fine (really!) to write your passwords down, just keep the list secure, such as in a locked drawer or secret location. If recording your passwords makes it easier for you to remember long, strong ones, then by all means do it. Or use a password manager. Just don’t write them on sticky notes scattered around your desk.

If you keep the list on a computer or phone, make sure it’s protected by a unique and extra-long password. There are various ways to protect a list on your computer or phone. Apple Notes and Windows OneNote let you password-protect a note. You can keep a file safely in Apple iCloud, but make sure your Apple ID password is very strong. A password-protected Zip file works almost anywhere. Microsoft OneDrive includes a "personal vault" to securely store files. The Apple Disk Utility lets you create a password-protected disk image. In Windows Pro you can encrypt a folder.

On the “we’d rather not think about this but it’s practical” side, someday you will die, and your loved ones may desperately need to access your important bank accounts, brokerage accounts, cryptocurrency keys, etc. so it’s a good idea to give your list of passwords to a trusted person or two.

4 Supplements and alternatives to passwords

Security experts all agree that passwords are not secure. If everyone created very strong passwords and remembered them, it wouldn’t be so bad, but we know most people are bad at coming up with good passwords. Passwords are based on a person remembering a secret, but the more secure a password is, the harder it is to remember it. Passwords can be shared, guessed, stolen, and cracked. Computers get faster every year, making it easier to crack passwords. Quantum computing is just around the corner, and it will make password cracking exponentially easier. The only way services you log into can check your password is by storing a scrambled version of your password, and although there are robust techniques to protect password data, too many services don’t guard them properly. Last but not least, passwords are a pain to type in, although password managers help with this.

There are various approaches and industry initiatives to move beyond passwords with more secure alternatives, but they all have drawbacks when compared to the simplicity of storing passwords in your brain. Most alternatives rely on a physical device (such as a computer to respond to an email or a mobile phone to check your fingerprint), so if the device is not available or not working, you’re either locked out or you have to use a workaround.

Some approaches add a second layer of security on top of a password. Because there are two or more factors, the password and an additional step or two, this is called multi-factor authentication (MFA).

Another approach is passwordless authentication. Some methods are kludgy, like e-mail based “magic links,” and other methods such as passkeys are secure and starting to be embraced. Some passwordless authentication for websites has you respond to a prompt on your phone or tablet. Apple and Google have built this into their phones. Other companies such as credit card services use their own app. The biggest problem with this approach is that each implementation is proprietary, nothing is consistent, and you may not have the right app installed. Passkeys will probably replace and simplify this passwordless patchwork.

Passwords will likely never go away, but over time we’ll see new authentication techniques be more widely used.

The rest of this section covers the most common additions and replacements to passwords.

4.1 Password managers

A password manager is software that generates passwords for you and automatically enters them as needed, so you don’t have to remember them or type them. Most modern browsers have a built-in password manager to remember your existing passwords and to suggest new ones for you. Many people don’t realize that when they visit a website and their username and password are filled out for them, it’s the browser doing it, not the website.

Screenshots of Apple Safari and Google Chrome browsers asking to save a password.

Alternatively, dedicated password manager applications can be installed on computers and phones, can work across multiple browsers and devices, and can often store other information such as credit cards.

Advantages of password managers:

Disadvantages of password managers:

4.2 Multi-factor authentication

A factor is a way of confirming your identity. The most common factor is a password. The three primary factors are:

Two additional factors are sometimes employed:

Multi-factor authentication (MFA) means you are asked for two or more factors to provide extra security, like being required to provide a photo ID and a birth certificate when applying for a passport. The first factor is usually a password, but any combination of factors could be used. When there are two factors it’s often called two-factor authentication (2FA).

The obvious advantage of using MFA is improved security. MFA reduces the risk of account compromise by over 99 percent, even if your password is cracked and leaked. The obvious disadvantage is inconvenience. Studies indicate that around 60 percent of companies globally use MFA. The primary reason cited for not using MFA is inconvenience.

The strongest authentication factor is biometrics, measuring unique personal characteristics or behaviors that can’t be shared or mimicked. Biometrics are often the simplest, quickest, and least disruptive. You just look at a camera or touch a screen.

The second strongest factor is device possession, which obviously requires you to have a device, typically a phone.

Additional common authentication factors are:

Part of the reason passkeys are so secure is they require device possession and often include biometrics. (See Are passkeys MFA? for more.)

2FA Directory helps you check what kinds of 2FA a website supports.

4.3 Text message authentication

Instead of entering a password, or as a second factor in addition to a password, you receive a text message at your verified mobile phone number with a one-time code that you type (or copy/paste) into the login screen. This is the most implemented second factor. It’s often called SMS authentication but can use any mobile messaging protocol such as SMS (Short Message Service), MMS (Multimedia Messaging Service), RCS (Rich Communication Services), or Apple iMessage.

Advantages of text-based authentication:

Disadvantages of text-based authentication:

4.4 Email authentication

Instead of entering a password, or as a second factor in addition to a password, you receive a message sent to your verified email address. The email contains either a code (a sequence of letters and/or numbers) or a link (a web URL, sometimes called a “magic link”) with a code embedded in it. These are usually one-time codes, which means they expire after a short period of time, and once you use them, they don’t work again. (This is for security, so that if someone gets into your email they can’t log in to your accounts using old email messages.) When there’s a human-readable code, you type (or copy/paste) it into the login screen. When there’s a link, you click or tap on the link to log in.

Advantages of email-based authentication:

Disadvantages of email-based authentication:

4.5 OTP software authenticators

A software authenticator app shows short codes that you type in as a second login step. The code, usually six digits, is a time-based one-time password (TOTP), which changes every 30 seconds or so. Many software authenticators run only on mobile phones or tablets, but the code can be typed in on a computer.

Screenshots of setting up OTP, an authenticator screen, and logging in using OTP.

There’s a one-time setup process, where the authenticator app talks to the service that you want to log into and receives a shared secret key, or seed, often via scanning a QR code. After that, the app displays the current authentication code for each registered service, based on the current time. When you log in to a service, you check the authenticator app and type the current authentication code. The service generates its own code based on the secret key and the current time. If the two codes match, then you are authenticated.

A software authenticator is sometimes called a soft token or a software-based code generator. Popular software authenticators include Apple Authenticator, Authy, Google Authenticator, Microsoft Authenticator, Duo Mobile, Aegis Authenticator, and 2FAS. Most password managers (see 4.1) have a built-in OTP authenticator.

Most software authenticators provide encrypted backups or exports that make it easy to move to a new phone or another device. However, some backups/exports can’t be moved between different types of devices, such as Android and iPhone.

Some software authenticators also support HOTP (hash-based message authentication code [HMAC]-based one-time password, commonly called event-based OTP), where the code changes each time there’s a new login instead of every 30 seconds or so. HOTP is not as common as TOTP.

Software authenticators are being superseded by passkeys, which don’t require looking up numbers and typing or copying/pasting them.

Advantages of software authenticators:

Disadvantages of software authenticators:

4.6 Hardware security keys

Note to readers: Unless your company requires you to use a hardware key, or you’re a security fanatic, you should skip this section. It gets rather complicated.

A hardware security key (alternatively called a hardware authenticator, hardware token, FIDO key, OATH key, OTP token, or hardware-based code generator) is a thumb-sized or credit card-sized device that stores cryptographic keys as part of a second login factor or in place of a password. In some cases, it’s a secure chip built into your phone or computer instead of an external device.

There are three main protocols used by hardware authenticators:

Many hardware keys support all three protocols. Some hardware security keys support additional protocols such as PIV/FIPS 201 for smart cards, OpenPGP, and Yubico OTP, but these are less common and not currently covered here.

There are four common ways for hardware keys to connect:

Hardware security keys are becoming less common now that modern phones can use passkeys for more secure and passwordless login, except in cases where high security is needed.

Hardware security keys are often centrally deployed by large companies.

Common devices include the Yubico Security Key or YubiKey, Google Titan, Deepnet SafeKey or SafeID, HID Crescendo, Kensington VeriMark, Nitrokey, SoloKey, Feitian OTP, RSA SecurID, Symantec VIP, Thales eToken Pass, and Vasco Digipass Go.

4.6.1 OATH OTP hardware security key

An OATH hardware key (also called an OATH token, OTP token, or OTP generator) is the hardware equivalent of a software authenticator that generates one-time codes (OTPs), usually six digits, that you enter during the login process. The primary advantage of a hardware authenticator is that it’s more secure than a software authenticator, and a single hardware key can easily be used across multiple devices (laptop, phone, tablet, etc.).

Some OATH hardware keys show the code on a built-in display. Others don’t have a display, so they rely on authenticator software installed on your phone or computer to retrieve the codes from the hardware key and show them. Some authenticator apps can automatically type the code into a login page. Note: Don’t confuse a hardware key’s associated software authenticator with the software-only authenticator described in 4.5.

There are two OTP protocols: TOTP (time-based one-time password) and HOTP (hash-based message authentication code [HMAC]-based one-time password, commonly called event-based OTP). TOTP is more popular, although many hardware tokens support both.

There’s a one-time enrollment process, where you connect to a service’s website or app and choose the option to use an OATH TOTP or HOTP security key for authentication (or choose the generic “authenticator” option). You need to get the shared secret key or seed from the service, usually by scanning a QR code or by typing (or copying/pasting) the secret key that the service shows you. (Some hardware keys are preprogrammed with one or more seeds, so they must be specially configured.) You edit or type a name to identify the service (e.g., Google, Facebook, My Bank, etc.) so you can find the right OTP code later, if you use multiple services.

Once the device has the secret key, it feeds it into a cryptographic algorithm to generate a one-time code based on the current time (for TOTP) or the time that has elapsed since the enrollment process started (HOTP). You enter the code on the setup screen so the service can make sure it matches the code it generated from its own copy of the secret key.

From then on, each time you want to log in, you insert the hardware key (if it’s USB) or hold it near your computer or phone (if it’s NFC or Bluetooth) and perhaps tap a spot or press a button to see the current list of codes, each identified by the name you gave it. Some hardware keys have a fingerprint reader or a keypad to enter a PIN for added security, or the associated authenticator software may give you the option to add a password for the key.

4.6.2 FIDO U2F hardware security key

A U2F security key (or FIDO key or OTP token) plugs into a USB port on your computer or phone, or uses wireless NFC (near-field communication) or BLE (Bluetooth low energy) to respond to a login request by sending an encrypted message through your computer, phone, or tablet to the service you’re logging into.

There’s a one-time enrollment process, where you connect to a service’s website or app and choose the option to use a security key for authentication. For a USB key, you’re prompted to plug it in and usually tap a spot or press a button on the device. For a wireless key (NFC or BLE), you may be prompted to tap it against your phone or computer and tap a spot or press a button on the key. Some hardware keys have a fingerprint reader or a keypad to enter a PIN for added security. You are usually prompted to enter a name for the service so you can select it later when logging in. A public/private key pair is generated, the private key is securely stored in the hardware key, and the public key is sent to the website or app. (See note for more.)

4.6.3 Advantages and disadvantages

General advantages of hardware security keys:

Advantages of OATH (generating an OTP):

Advantages of FIDO U2F and FIDO2 (using USB, NFC, or Bluetooth to send code):

General disadvantages of hardware security keys:

Disadvantages of OATH (generating an OTP):

4.7 Biometrics

Biometrics (“life measurements”) are a way to recognize a person based on their unique physical characteristics such as fingerprint, voice, iris, or behavior (e.g., unique patterns in the way they type, speak, walk, move a mouse, and so on). For authentication, biometrics are the “something you are” or “something you do” factor.

In general, especially with modern mobile phones, biometric authentication using fingerprint or face recognition is more secure than a password. Because biometrics are typically a very secure factor, they’re sometimes used alone, without a second factor.

In almost all cases, part of what makes biometrics secure is that your biometric data is not shared or sent anywhere, or even stored in the device. The fingerprint image or face scan is transformed into a simple but still unique value, typically by hashing, which can be easily checked by the local device. The device then authorizes unlocking or sending an authentication key to the service you’re logging into. (See 4.8 for how this works with passkeys.)

Consider the keys to strength from section 2. A biometric hash is long (usually 32 bytes) and therefore hard to guess, it’s unique (it only matches you), it can’t be reused or stolen from a service (since it’s stored only on your device). On top of that, it’s resistant to phishing (you can’t tell it to someone or enter it into a fake website).

4.8 Passkeys

In a future utopia, we’ll use passkeys everywhere instead of passwords and other login mechanisms. A passkey is essentially a secret code, securely stored on your phone or computer, that logs you into a website or app. When you’re presented with the option to “use a passkey,” you (usually) don’t need to enter a username or password — you just take the usual step to unlock your device with your fingerprint, face, PIN, or pattern. If your passkeys are stored on your phone but you’re logging into a website or app on your computer, you confirm on your phone, wirelessly or by scanning a barcode, and your phone tells your computer to let you in.

Diagram: Sign in with your passkey. Three options: "This device," "Pixel," "iPhone, iPad, or Android device"

Passkeys were developed around 2018, and began to be adopted in 2022, in an attempt to deal with all the password problems discussed above: weak and predictable passwords, password reuse, breaches of stored passwords, human error, phishing attacks, overload from dealing with too many passwords, and so on.

The important difference with passkeys is that you never know them: you don’t think them up, you don’t have to remember them, and you don’t type them. Instead, you use software or hardware that manages the passkeys for you.

A passkey involves two factors — a device and an unlock step, so they can be used instead of passwords and second authentication factors such as a text message or email. (See Are passkeys MFA?)

Passkeys are more secure than passwords and most other login methods, and in some cases they’re simpler and faster, but unfortunately many passkey implementations are complex and confusing (see Passkeys Remystified - coming soon). Many websites and apps don’t support passkeys. Poorly implemented applications may use a passkey and still require a password. Password-free utopia is still many years away.

Passkeys use the more modern approach of public-key cryptography in place of the less secure shared-secret approach used by passwords and OTP authenticators (see 4.5 and 4.6). In simple terms, when you first set up a passkey to log in to a service, your device generates a private key that it keeps and a public key that it gives to the service. After that, when you want to log in, the service doesn’t ask for your username and password; instead it sends a message to your device asking it to prove that it’s you. Your device checks that it actually is you (scans your fingerprint or your smiling face, requires you to enter your unlock pattern, etc.), then signs the message with the private key and sends it back to the service, which verifies the signature with your public key. A valid signature proves it’s you trying to log in. Since the private key is never sent to the service, it can’t be stolen from the service. You don’t know the private key, so you can’t mistakenly give it to someone who’s pretending to be a legitimate service (i.e., you are invulnerable to phishing attacks). And it’s almost impossible to guess. (Using only 1024 bits results in more possible keys than there are atoms in the universe. In fact, if you squared the number of atoms in the universe, resulting in a mind-bogglingly huge number with over 150 zeros, it would still be way smaller than the number of possible keys.)

Passkeys (specifically the private key and additional information such as the account and website that it’s associated with) must be managed by an authenticator, which is hardware or software that verifies the user before signing a login request with the private key. The authenticator can live in different places:

When you first create a passkey, you’ll probably see several options for where to save it. You might have to select “Other ways to sign in,” “Try another way,” or a similar option to see them all. Your choice of where to keep your passkeys depends on what devices you have and how you use them.

If you use the same browser on multiple devices, such as Google Chrome on a PC and a phone, it’s best to keep your passkeys in the browser, since it will sync them to the browser on each device. If you use all Apple devices, such as a Mac and an iPhone, it’s best to keep your passkeys in iCloud Keychain, which will sync them to all your devices to be managed in the Passwords app. Windows 11 can sync passkeys to other Windows 11 PCs (as of fall 2024). Windows 10 can use passkeys but can’t (yet) sync them. If you mostly use a Windows computer and don’t use a phone much, it’s simpler to keep your passkeys in Windows so you don’t have to pull out your phone every time you log in to a website on your computer. If there are some websites or apps that you only use on your phone, you’ll want to keep passkeys for those websites/apps on your phone. If you use a standalone password manager on all your devices, you can keep your passkeys there, since most will sync passkeys across devices.

When you visit a website on your computer and log in with a passkey on your phone, you may be asked if you want to create a passkey on your computer. If you do, a new passkey is created, allowing you to log in on your computer without needing your phone. You’ll then have two separate passkeys for a single website.

The same passkey can’t be used at more than one service. This is by design, so that a passkey can’t be used to track you across multiple websites and services.

Learn more about using passkeys with:

Advantages of passkeys:

Disadvantages of passkeys:

4.9 Federated identity and social login

Federated identity is where a single service shares your identity (your login credentials and other information about you) with multiple organizations, services, and applications. For example, if you use your Amazon account to log in to websites or apps for Amazon, Goodreads, and WordPress, Amazon is serving as your identity provider to all these services.

Federation can function within a single organization, in which case it’s often called single sign-on (SSO). For example, a corporation’s employees may be able to log in to different company applications (email, customer management, payroll, etc.) using a single username and password. You can log into Microsoft Windows, Word, Excel, Outlook, OneDrive, SharePoint, Skype, etc. using a single username and password or a single passkey.

Social login (or social sign-on, social authentication, or third-party authentication) is where one organization serves as an identity provider for other organizations. When you are about to sign up with a new service and are given options such as “sign in with Google,” “connect with Facebook,” “continue with Apple,” or “sign up with Microsoft” as alternatives to “sign in with email,” these are social login identity providers. Instead of signing up for a new account with your own email and/or username, and coming up with a new, unique password (you always do this, right?), you allow the social network to provide your identity and other info to the service you’re signing up for. Social login is a form of identity federation.

Screenshot showing social login using Google, Apple, Facebook, Microsoft, LinkedIn, or email instead.

(Top social login providers, using their preferred logo, text, and button format.)

The biggest concern with using social login is that you cede more control of your digital identity and personal data to a single corporation, one whose goal is to make money off you. Instead of having isolated accounts at different services, you allow one business to aggregate and manage your identity. Social login makes it possible for multiple services to track you — and advertise to you. Social networks usually share information about you, including your name, birthday, picture, location, friends, and activities. Some social networks allow you to choose exactly what you share; others don’t. Apple gives you the option to have a random email address generated to hide your regular email address. Most give you a page to see what you’ve shared with whom. Here are the links to the sharing pages for Apple, Facebook, GitHub, Google, LinkedIn, Microsoft, and X/Twitter.

According to analyses by login providers Okta and Descope, about one third of logins are social, with the most common being Google (by far), Apple, Microsoft, Facebook, Salesforce, GitHub, and LinkedIn. (Note that Microsoft owns GitHub and LinkedIn, but they operate as mostly independent identity providers, although, for example, LinkedIn may share data to enable personalized ads on Bing and other Microsoft services.)

A few federated identity providers are not social networks, such as Microsoft Azure AD and ID.me (used by government as well as healthcare organizations and consumer brands), but the functionality is similar.

Social login service providers such as Firebase, Okta/Auth0, OneAll, and OneLogin have APIs that make it easy for developers to offer social login for as many as 30 or 40 identity providers, although they recommend only presenting three or four to avoid a cluttered interface.

Advantages of social login for users:

Disadvantages of social login:

Advantages of social login for implementers:

Disadvantages of social login for implementers:

4.10 Decentralized identity

A fundamental concern with creating accounts at online services is that they control and define your “identity.” They often require you to give them personal information. Or, if there’s information you want to give them, you end up entering it over and over at every service. They put you at risk for security breaches and identity theft. Regardless of whether you log in with passwords or passkeys, or use social login (see 4.9), the ultimate solution to these problems is something quite different.

Instead of establishing an account at every service you need, you manage your own identity and data, and you choose the services you want to share with. This is called decentralized identity or self-sovereign identity (SSI). Instead of Facebook, Google, Microsoft, Apple, your bank, your health providers, and others managing your data and your online identity, you manage your own. The vision is to create a standards-based decentralized identity system that gives users and organizations greater control over their data while achieving more trust and more security for apps, devices, and services. You no longer have multiple accounts and usernames with multiple passwords or passkeys, you have a single identity or persona. Or you might have multiple personas: one for business, one for friends and social networks, and maybe an anonymous one for shitposting.

The core components are a decentralized identifier (DID) and associated verifiable credentials (VCs) or attributes that prove who you are and attest to information about you, somewhat like a digital driver’s license or passport. Your identity and your credentials are cryptographically secured, stored on a blockchain, and accessed using a digital wallet. (See Blockchain Demystified for more information.)

You create and own your decentralized identifier, and you rely on authorities and other trusted organizations to issue credentials that can be securely verified by others.

The ideas of decentralized identity have been around for a while, but it still isn’t standardized or widely supported. It holds great promise, and someday I will create an entire Demystified section to cover it. In the meantime, here are sources of more information:

Decentralized Identity: The Ultimate Guide 2024

Decentralized Identity Foundation (DIF)

Microsoft Entra

Sovrin Foundation

The Global Identity Foundation

The Solid Project

Advantages of decentralized identity:

Disadvantages of decentralized identity:

5 How passwords are attacked

There are several ways someone can try to access your account or harvest your credentials. None of them are what you see in movies, where a nerd in a hoodie madly types guesses into a computer screen.

1) Password guessing – Repeatedly trying to log in with different passwords (explained in 5.1). This is sometimes called a brute force login attack, although variations such as credential stuffing (explained in 5.1.1) and password spraying (explained in 5.1.2) are more precise and effective, and therefore more common.

2) Offline cracking – Processing a data breach file to find passwords (explained in 5.2). If the stolen data was not protected, then no processing is needed, the usernames and passwords are just sitting there. Even when the passwords are protected by hashing, attackers use tools that know commonly used passwords and that understand the patterns we humans tend to use for passwords (explained in 5.2.1).

3) Social engineering – Fooling you or another person into providing access. You might get an email or text or see a social post or QR code that pretends to be from a real service or a trustworthy person, but links to a fake login page where the fraudster can steal your username and password (phishing, explained in 5.3). Or an attacker might call a service, pretend to be you, and convince the service representative to provide access to your account (impersonation, explained in 5.4) or to switch your phone number to the attacker’s phone so they can use your one-time login codes (SIM swapping, explained in 5.5).

4) Malware – Malicious software that tries to steal information stored on your phone or computer (aka spyware or infostealers) or that “watches” you type your username and password into websites and apps (keyloggers). Covered in 5.6.

5) Other less common methods, such as watching you type as you log in (shoulder surfing), finding your insecurely stored written passwords, stealing your phone or computer and attempting to hack it, intercepting login data sent over an insecure connection (man-in-the-middle or sniffing), or seeing a password foolishly sent over a public channel such as Slack or Microsoft Teams.

6) AI and neural networks – Research indicates AI can improve password guessing, both online and offline, although no mainstream password cracking tools have added AI as of the beginning of 2025.

The table below summarizes password attacks, how difficult they are to pull off, and how to defend yourself against them. Note that in some attacks, the strength of your password doesn't matter, but since you never know what might happen, you should use strong passwords for important accounts. See the referenced sections for details about each type of attack.

Credential stuffing (5.1.1)
What it is: Stolen usernames and passwords are tried at multiple websites.
Frequency: High. Tens of millions of accounts are probed every day.
Difficulty: Easy. An attacker can obtain a list of breached usernames and passwords for use with an off-the-shelf tool.
Defense: Don’t re-use a password for important accounts. Use strong passwords that won’t be cracked. Use a service to alert you if your account is breached.

Password spraying (5.1.2)
What it is: Usernames and email addresses are combined with common passwords and tried at multiple websites.
Frequency: High. Tens of millions of accounts are probed every day.
Difficulty: Easy. An attacker can get a list of usernames for use with an off-the-shelf tool.
Defense: Never use common passwords. Use a service to alert you if your account is breached.

Data breach cracking (5.2)
What it is: Passwords are extracted from a data breach file using cracking software.
Frequency: Medium, but it’s almost inevitable that one or more of your accounts will be exposed in a data breach.
Difficulty: Breaking into accounts is difficult, but anyone can obtain breached data and run it through a free cracking tool. Ease and speed of cracking depend on the password hash used by the breached service.
Defense: Use strong passwords. However, if the password data was unprotected, a strong password does no good.

Social engineering / phishing (5.3 and 5.4)
What it is: Someone tries to trick you into revealing your password or other sensitive data.
Frequency: Very high. Billions of phishing emails are sent every day.
Difficulty: Easy. Attackers can obtain an email list and use an off-the-shelf phishing kit.
Defense: Educate yourself on phishing attacks and stay vigilant. Note: a strong password doesn’t help.

Malware (5.6)
What it is: Malicious software on your phone or computer steals sensitive information from files or by monitoring your typing, emails, and texts.
Frequency: Medium. Roughly 30 percent of phishing emails contain malware, although many are blocked and only around 20 percent are opened.
Difficulty: Easy. Developing malware is tricky, but “malware as a service” makes it usable by anyone.
Defense: Don’t follow links or open attachments from unrecognized sources. Use anti-virus software. Use passkeys or multi-factor authentication. Note: a strong password doesn’t help.

Local discovery
What it is: Someone watches you enter a password or finds an insecurely stored written password.
Frequency: Low.
Difficulty: Hard, unless someone is sloppy.
Defense: If you keep your passwords on paper, secure it. If you keep your passwords in a file, protect it with a strong password. Be aware when entering passwords.

5.1 Password guessing

A password guessing attack tries to access an account by repeatedly entering guesses on a login page. These attacks are usually online and automated, where software emulates a human and submits guesses on a website. There can be manual attacks, where someone visits a website and tries to log in as you, or someone has physical access to your phone or computer and attempts to log into an app, but this is rare.

Online brute force guessing has limited success, since most websites and apps limit the number of attempts before locking out the account or adding a CAPTCHA (the little puzzle that asks you to prove you’re not a robot). However, an attacker who has gotten your email/username, and perhaps your password, from a data breach or other source can make login attempts over time and on multiple services, often without being detected or locked out. This is also called list cleaning or breach replay. Microsoft data shows there are over 4,000 attempted password attacks per second just on Microsoft accounts.

See credential stuffing and password spraying below for details.

5.1.1 Credential stuffing

Credential stuffing is an online attack that takes stolen usernames and passwords and “stuffs” them into the login pages of popular websites, looking for people who used their password more than once. Automated software runs through a list of thousands or millions of usernames and passwords, trying just one or two passwords for each username every so often, to avoid detection and lockout, and typically using multiple hijacked computers spread around the world (a botnet) to make it look like the attempts are not coming from the same place (a single IP address).

A famous example is the 23andMe data theft. An attacker used credential stuffing to break into 14,000 accounts. 23andMe has an optional feature to share information between relatives, which made additional information such as name, location, estimated ethnicity, birthplace, birth year, sex, and genetic and health data available to the attacker. The security of 23andMe itself was not compromised, but because 14,000 of their customers recycled passwords that had been compromised elsewhere, data from 6.9 million customers was compromised, almost half of their 14 million customers. In response, 23andMe required all their customers to reset their password, and added 2FA as a login requirement.

To be safe from credential stuffing:

5.1.2 Password spraying

Password spraying is an online attack that exploits the prevalence of weak passwords by combining the most frequently used passwords (such as Password1, 123456, qwerty, etc.) with lists of email addresses or usernames obtained from sources such as data breaches, user directories, or just educated guesses such as firstname.lastname@companyname.com. Automated software tries each username with all the passwords, targeting dozens or hundreds of popular websites, often using multiple hijacked computers spread around the world (a botnet) to make it look like the attempts are not coming from the same place.

Password spraying is even more effective when it uses only passwords that conform to the password policy of the target service and mixes target-specific information such as the user’s name, email address, and company name or products into the password.
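Both attacks leave a recognizable trace on the service’s side: many different usernames, one or two failures each, spread across many source addresses, with the occasional success from an address that just failed against other accounts. The detector below, run over constructed log lines, is an added example and not code from the article; the log format, the IP addresses, and the thresholds are assumptions.

```javascript
// Added example (not from the article): spotting credential stuffing and
// password spraying in a service's own login log. The log format, the IP
// addresses, and the thresholds are constructed for illustration.

// Each line: ISO timestamp, source IP, username, and whether the login succeeded.
function parseLine(line) {
  const m = /^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$/.exec(line);
  return m ? { ts: Date.parse(m[1]), ip: m[2], user: m[3], ok: m[4] === 'ok' } : null;
}

// Summarize one time window of login events and classify what the failures look like.
function analyzeWindow(lines, opts = {}) {
  const { minUsers = 20, maxAvgPerUser = 2, minIps = 5, bruteForcePerUser = 10 } = opts;
  const events = lines.map(parseLine).filter(Boolean);
  const failsByUser = new Map();
  const failsByIp = new Map();
  const accountsHitByIp = new Map(); // ip -> Set of usernames it failed against

  for (const e of events) {
    if (e.ok) continue;
    failsByUser.set(e.user, (failsByUser.get(e.user) || 0) + 1);
    failsByIp.set(e.ip, (failsByIp.get(e.ip) || 0) + 1);
    if (!accountsHitByIp.has(e.ip)) accountsHitByIp.set(e.ip, new Set());
    accountsHitByIp.get(e.ip).add(e.user);
  }

  const totalFails = [...failsByUser.values()].reduce((a, b) => a + b, 0);
  const failingUsers = failsByUser.size;
  const maxPerUser = Math.max(0, ...failsByUser.values());
  const avgPerUser = failingUsers ? totalFails / failingUsers : 0;

  // A success from an address that just failed against several other accounts
  // is the signature of a stuffed credential that happened to be reused.
  const suspiciousLogins = events
    .filter((e) => e.ok && (accountsHitByIp.get(e.ip) || new Set()).size >= 3)
    .map((e) => ({ user: e.user, ip: e.ip }));

  let verdict = 'normal';
  if (maxPerUser >= bruteForcePerUser) {
    verdict = 'single-account brute force';             // many guesses at one account
  } else if (failingUsers >= minUsers && avgPerUser <= maxAvgPerUser && failsByIp.size >= minIps) {
    verdict = 'credential stuffing / password spraying'; // few guesses each, many accounts, many sources
  }
  return { totalFails, failingUsers, avgPerUser, sourceIps: failsByIp.size, verdict, suspiciousLogins };
}

// Constructed log: a little normal traffic, then a botnet trying one or two
// leaked passwords against 30 accounts, one of which reused a breached password.
function makeSampleLog() {
  const bots = ['198.51.100.10', '198.51.100.11', '198.51.100.12',
                '203.0.113.7', '203.0.113.8', '203.0.113.9'];
  let t = Date.parse('2025-03-17T10:00:00Z');
  const stamp = () => new Date((t += 7000)).toISOString();
  const lines = [
    `${stamp()} ip=192.0.2.44 user=alice result=ok`,
    `${stamp()} ip=192.0.2.45 user=carol result=fail`, // a typo, then success
    `${stamp()} ip=192.0.2.45 user=carol result=ok`,
  ];
  for (let i = 0; i < 30; i++) {
    const ip = bots[i % bots.length];
    lines.push(`${stamp()} ip=${ip} user=user${i} result=fail`);
    if (i % 3 === 0) lines.push(`${stamp()} ip=${ip} user=user${i} result=fail`);
  }
  lines.push(`${stamp()} ip=203.0.113.7 user=bob result=ok`); // the reused password worked
  return lines;
}
```

A production detector would also rate-limit per address and per account, compare against the site’s normal failure rate, and step up to a second factor for the flagged successes rather than silently allowing them.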

To be safe from password spraying:

5.2 Data breaches

A fundamental problem with passwords is that in order to log you in, a service has to be able to recognize that you entered the correct password, so they store it in a form that they can compare your input to. If an attacker breaks into the service’s system, they can steal password data.

Badly implemented services store unprotected passwords and other user information in a database or log. You’d think this would never happen, but it has. Facebook, Sony Pictures, Adobe, Equifax, Yahoo, Ancestry.com, Brazzers, YouPorn, Comcast, Neopets, and many others have suffered theft of unprotected passwords or security questions.

More careful services secure passwords by using a scrambling technique called a hash. But password hashes can be cracked, especially by powerful computer setups that use cracking tools to find the weakest passwords.

5.2.1 Cracking tools

Attackers use various software tools to extract passwords from a dump file stolen from a service. Dumps containing thousands or millions of usernames and passwords can be purchased on the dark web. Because processing happens offline (the cracker is crunching data on a computer system, not trying to log in online), there are no restrictions on the number of guesses or how quickly they can be made.

Services usually convert passwords to a hash to make them harder to crack if they are stolen. Password cracking (or hashcracking) tools attempt to get around this by using lists of known passwords and generating predictable passwords, each of which is hashed and compared with all the hashes in the dump file. If there’s a match, the password has been cracked.

Speed and effectiveness are limited by the strength of the hash function and by the processing speed of the cracking rig. Attackers can usually figure out which hash was used by looking at length, prefix, and other information or by trying different hashes on common passwords.

As discussed in section 2, an eight-character password made from the standard set of 95 characters has more than 6 quadrillion variations, and a twelve-character password has more than 540 sextillion. That’s a lot of passwords to guess, but even a standard desktop computer using the parallel processing power of an Nvidia GeForce RTX 4090 GPU (graphics processing unit) can crank through over 150 billion simple MD5 hashes per second. At that rate any six-character password hashed with MD5 can be cracked, on average, in less than three seconds, and an eight-character password in less than six hours. A newer, stronger hash, such as bcrypt, that takes longer to compute, slows this down to around 208 thousand hashes per second, or 19 days for a six-character password, but a more powerful cracking rig with twelve Nvidia cards can do it in less than two days. Unfortunately, too many services still use old hash functions (such as MD5 and SHA-1) that can be cracked quickly with modern hardware.

Table showing times to crack passwords of 6 to 14 characters long with a single RTX 4090 or 12 RTX 4090s.

To be clear, you should take this and all other “passwords can be cracked in seconds” reports with a grain of salt. If a strong password is on a list of compromised passwords, it can be cracked in seconds. If you use predictable patterns, your password can be cracked in minutes or hours. If a company’s data is never stolen, the passwords can never be cracked. If you’re infected with malware, the strongest password can be snatched as you type it. The best protection is to be aware of any new breach with your account or password in it. Use a notification service such as Have I Been Pwned, Google Security Checkup, Apple Password Monitoring, Microsoft Password Monitor, or others, such as in some password managers.

Well-known password cracking tools include hashcat and John the Ripper. They use various modes to attempt to discover hashed passwords:

1. Known password lists. These are compiled from previous data breaches and successful password cracking work. For example, the (in)famous original RockYou file contains 14,341,564 distinct passwords, used with 32,603,388 usernames. (Those numbers alone show that 56 percent of the passwords occurred more than once.)

2. Dictionaries (cracking lists). These are extensive lists of common words and names (personal names, place names, company names, pet names, fictional characters, etc.), often ordered by frequency of use in passwords. Dictionary lists may also include known passwords.

3. Brute force (exhaustive search). The software runs through permutations of characters, generating huge numbers of possible passwords. Dumb or incremental brute force that slogs through all variations (aaaaaa, aaaaab, aaaaac, etc.) is possible but rarely used, as there are optimizations with more likelihood of success:

o Markov models that prioritize the most likely passwords first. A simple Markov chain connects characters together according to the probabilities that one will follow another. A layered Markov model can include the probability of a character being in a certain position in the password. (This is hashcat’s default brute force mode.) Markov models are generated from lists of leaked passwords and can then be used to produce all the possible passwords of a given length, ordered by probability.

o Masks prioritize certain patterns such as all lowercase or all numbers (see note).

o Transformation or mangling rules modify dictionaries by varying uppercase and lowercase, doing leet substitutions, adding numbers or symbols, mixing words together, and so on.

4. Hybrid attack. Combining known or guessed information with any of the first three modes. For example, if an attacker knows your birth year, the software can combine it with known passwords and dictionary words. (This is also called an associative attack.)

It should be obvious that when you’re trying to create a strong password, your first goal is to avoid it being found by the first two modes (make it unique) and your second goal is to prevent it being found by the remaining modes (make it long and unpredictable).

In most new data breaches, over 60 percent of hashed passwords can often be found in previous data breaches (per haveibeenpwned posts). According to a 2023 analysis by Kaspersky, 59 percent of 193 million actual passwords could be cracked from a hashed password list in less than an hour using an off-the-shelf Nvidia GeForce RTX 4090 card. This is partly due to modern GPU processing power and partly due to list attacks and pattern attacks being disturbingly effective. The study found that 57 percent of the passwords included a dictionary word.

For more on password cracking, see Password Village, the hashcat FAQ, and the r/hacking tutorial.

5.3 Phishing

Phishing is a social engineering scam using fraudulent emails, websites, text messages, phone calls, or other communication in an attempt to trick you into revealing sensitive information such as usernames, passwords, and credit card details. The term probably evolved from phreaking (phone freaking), which referred to exploiting phone systems in the 1960s and ’70s, combined with fishing. Over 20 percent of data breaches are a result of phishing.

Phishing typically has three phases:

1) Hook – An email, text message, QR code, social media chat, phone call, or other method to connect to potential victims.

2) Bait – The motivation to take the hook. This usually plays on human nature and emotions (see below).

3) Catch – The mechanism for divulging info or giving money: a fake website, a malicious attachment, a fake browser update, a person on the phone, fraudulent invoices or orders, or bogus PayPal or Venmo requests.

Email is the most-used hook. Over 95 percent of social engineering attacks use email. In 2024, scammers sent over 3.4 billion phishing emails each day.

Phishing relies on human fallibility and our inclination to trust. It manipulates your emotions to put you into a state where you aren’t as thoughtful and cautious as you normally might be:

Warning signs of phishing and what to do:

It used to be relatively easy to spot phishing attacks because of misspellings, bad grammar, and so on, but unfortunately artificial intelligence (AI) is making it easier to craft believable emails and even deepfake video or audio clips that look or sound like a relative, a friend, or a celebrity. If you get an unexpected video or phone call that urgently asks you to pay money or provide personal info, pause and think carefully. Check for deepfake giveaways such as unnatural blinking, odd eye movement, mouth out of sync with voice, shifting or blurry images, odd background, distorted voice, or voice inconsistencies that don't match the person's normal speaking pattern. If you’re at all suspicious, call the person directly to see if it was really them.

You can help keep others from becoming phish food by reporting attempts. Many email services have a "report phishing" option, and many online services have a phishing@<service>.com email address.

See 19 Most Common Types of Phishing Attacks in 2025 and the NCSC’s Quick Guide: Phishing for more information and advice.

5.4 Impersonation and pretexting

A common social engineering technique is to impersonate someone or pretend to be a legitimate company. This can happen offline (e.g., over the phone) or online (e.g., a fake login page). It is also called pretexting, especially when the scam artist presents a fabricated but believable scenario to manipulate the victim into providing information, and blagging in the UK. Over half of phishing campaigns aimed at consumers impersonate known brands.

Impersonation is often the second phase of phishing (see 5.3). It’s particularly prevalent in business email compromise (BEC), where the scammer either takes over or falsifies an email account and impersonates a trusted figure within a company or a trusted partner company such as a vendor or a law firm.

5.5 SIM swapping

SIM swapping, also called SIM hijacking, is a social engineering impersonation fraud in which the attacker calls your mobile phone service with enough personal details to pass as you and convinces the support person to move your phone number to the attacker’s SIM (subscriber identity module). They’ll claim the phone was lost or stolen, or that it’s a new purchase. In some cases, an employee is bribed to transfer numbers.

Once the attacker is in control of your phone number, they can attempt to log into your accounts or reset your passwords at any service that relies on text messages or automated phone calls.

This is a rare attack that’s overhyped. See “Is SMS insecure?” above.

Even though the risk of SIM swapping is low, you can protect yourself by visiting your mobile phone service website or app and finding the option to turn on SIM protection. (Note: this is different from the SIM lock or SIM PIN feature on your phone, which is used to prevent access to cellular data networks.)

Don’t shy away from using text message login codes because you fear they are insecure. The added security of a second login factor dwarfs the low risk of a SIM swap.

5.6 Malware

Malware is malicious software that gets installed on your computer, phone, or other device and steals sensitive information or causes disruption. Malware is often secretly installed in a phishing attack if you open an attachment or click on a link. Malware often masquerades as a software update.

Malware has been around since 2006 and is one of the primary ways passwords are compromised. The Specops 2025 Breached Password Report indicated that over a billion passwords have been stolen by malware. At least 71 million email addresses and passwords have been stolen by infostealers. Research by NordPass indicates that the top countries infected by malware are Brazil (9.6 million infected users), USA (6.9 million), India (6.9 million), Indonesia (5.3 million), and Vietnam (3.6 million).

Malware can take various forms, including

Malware that records information (spyware, infostealers, keyloggers) compiles it into a file (a stealer log) that it sends back to the attacker to analyze and crack (see 5.2) or to sell on the dark web. Spyware grabs specific files, such as browser cookies, browser secure storage for passwords and credit cards, crypto wallets, and operating system password files. Spyware may monitor your clipboard, email, and web traffic looking for passwords and other info, and it may take screenshots.

Malware requires skill to develop, but now there is “malware as a service” (MaaS), which allows unsophisticated attackers to subscribe to an online malware service for a few hundred dollars a month.

To protect yourself against malware:

6 Guidelines for developers

This section provides advice and resources for software engineers and product managers.

6.1 Accepting passwords

Don’t be a sheep! Don’t blindly copy the annoying and counter-productive composition rules that too many sites and services use.

1) Require long passwords. Eight characters is the absolute minimum, but twelve is a better lower limit. Not to beat a dead horse battery staple, but length is the most important factor in password strength.

2) Block common or breached passwords. This takes more work but is the very best way to safeguard your users. When a new password is entered, check it against a block list of common passwords such as PwnedPasswordsTop100k or 10-million-password-list-top-100000.txt, or query a hashed database of compromised passwords such as the Have I Been Pwned API or the Weakpass API, or use an authentication portal that has a built-in block list. If the proposed password is on the list, explain to the user why it can’t be used, and tell them to pick a better one. A specious argument against blocking common passwords is that it inconveniences users. But it only catches users who need it the most, for their own good.

3) Don’t put restrictions on passwords other than minimum length. Don’t require mixed case, numbers, or special characters. Don’t block repeated characters. Strict composition rules weaken security by reducing password entropy (see 2). The typical rules cut the number of possible eight-character passwords in half, and they hinder the use of randomly generated passwords. Password rules make passwords harder to remember and they frustrate your users. Bill Burr, who wrote the original NIST guidelines recommending numbers and special symbols, now recognizes that this was bad advice. Multiple studies show the rules don’t help, and they give users a false sense of security. These cumbersome rules are already incorporated into the toolkits of password crackers, so they play right into the hands of the bad guys (see 5.2).
Advising (but not requiring) users to include special characters is helpful, but the simplest and most important advice is to make the password 12 characters or longer (see 3.1).

4) Allow very long passwords, at least 64 characters.

5) Don’t restrict the set of characters allowed in passwords. Allow at least all ASCII printable characters (codepoints 33 to 126). If you encourage passphrases then allow the space character (but strip leading or trailing spaces). If you think you need to disallow characters such as & and \ to avoid parsing errors or SQL injection, that’s a screaming clue that you’re handling passwords incorrectly. They should go straight into the hash function before you do anything else with them. If for some depraved reason they need to be passed to another component, percent encode them. You could consider allowing all printable Unicode characters, UTF-8 encoded and normalized, but keep in mind that some devices such as smart TVs and phones don’t allow entering all Unicode characters, so you might want to protect your users from creating a password that they can’t type later on a different device.

6) Don’t force users to change their password unless you know it was breached. (See NCSC's advice against password expiry.)

7) Never use “security questions.” Despite their name, these are far from secure. Questions such as “What city were you born in?” “What was your high school mascot?” and “What’s your favorite movie?” are one of the primary ways accounts are compromised. An attacker has about a 50 percent chance of correctly guessing “What’s your favorite food?” for an American in just three tries with “pizza,” “steak,” and “hamburger.” Who has just one favorite movie? (See Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google.) And in any case using the same answer at multiple websites means that if one account is hacked, others could be compromised. If for some reason you can’t use email or text messaging to implement password recovery, let the user write their own question and answer.

8) If you’re too lazy to block common passwords, password strength meters have been shown to help users. But don’t use one that is erroneously based on “complexity” or entropy (see note above). Good password strength meters primarily measure length. (If the password is longer than 14 characters it’s stronger than any other silly measurement of “strength.”) Some password strength meters analyze patterns, some include block lists, and some use Markov models to estimate guessability. Don’t write one yourself; use a library such as Dropbox’s zxcvbn or Nulab’s zxcvbn4j, Chris Tetreault’s Password Strength, or adapt NEMO. Even good password strength meters can incorrectly judge strong passwords as weak, so use them only to advise the user, not to reject passwords.

9) Encourage MFA, but don't require it unless you're a financial institution or you hold very critical information. When you implement MFA, don’t re-authenticate at every login, just for important activity such as changing password, email, credit card and other payment information, transferring money, or when a login occurs on a different device or a new location. (See NCSC Authentication methods: choosing the right type.) Don’t use a “magic link” email as the only login option (see 4.4).

10) Support passkeys. Passkeys are not yet sufficiently deployed, and some implementations are problematic and confusing (see Passkeys Remystified - coming soon), so as of 2025 it’s best to offer them alongside a password and MFA. (See the NCSC recommendation.)

11) Limit multiple login attempts. Throttling, with a progressively increasing time delay between successive login attempts, is preferred to account lockout, since it doesn’t frustrate users but still provides sufficient protection from attacks such as credential stuffing and password spraying. You may wish to add a CAPTCHA, but only after a few unsuccessful login attempts. Use both the account name and the IP address to track multiple requests, since botnets can vary the IP address for every attempt. Nevertheless, it’s a good idea to track total login requests from a single IP (regardless of account name) to detect distributed attacks.
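The acceptance rules in items 1 through 5 above, as an added example that is not code from the original page: a length floor and a generous ceiling, every printable ASCII character plus the space, no composition rules, and a block-list check followed by a Have I Been Pwned range query (k-anonymity: only the first five characters of the SHA-1 leave your server). The block list and the range responses are constructed, and `range_lookup` is a hypothetical callback you would back with an HTTP request to the range endpoint.

```python
import hashlib
from typing import Callable, Optional, Tuple

MIN_LEN = 12    # guideline 1: twelve characters is the better lower limit
MAX_LEN = 256   # guideline 4: allow very long passwords (at least 64)

# Constructed stand-in for a real block list such as PwnedPasswordsTop100k.
COMMON_PASSWORDS = {"password1234", "qwertyuiop123", "letmein12345"}


def hibp_range_query(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-character
    prefix sent to the Have I Been Pwned range endpoint and the 35-character
    suffix that is matched locally (the server never sees the full hash)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def suffix_in_range_response(suffix: str, body: str) -> bool:
    """Parse a range response of 'SUFFIX:COUNT' lines and report whether the
    suffix appears with a non-zero breach count."""
    for line in body.splitlines():
        found, _, count = line.strip().partition(":")
        if found == suffix and count.isdigit() and int(count) > 0:
            return True
    return False


def check_password(candidate: str, range_lookup: Callable[[str], str]) -> Optional[str]:
    """Return None when the password is acceptable, otherwise a message that
    explains to the user why it was rejected. range_lookup(prefix) returns the
    range response body; it is injected so the check runs offline here."""
    pw = candidate.strip(" ")  # guideline 5: strip leading/trailing spaces only
    if len(pw) < MIN_LEN:
        return f"Use at least {MIN_LEN} characters; length matters most."
    if len(pw) > MAX_LEN:
        return f"Use at most {MAX_LEN} characters."
    # guideline 5: every ASCII printable character (33-126) plus the space
    if any(not 32 <= ord(c) <= 126 for c in pw):
        return "Use printable ASCII characters so you can type it on any device."
    if pw in COMMON_PASSWORDS:
        return "That password is on a list of very common passwords; pick another."
    prefix, suffix = hibp_range_query(pw)
    if suffix_in_range_response(suffix, range_lookup(prefix)):
        return "That password has appeared in a data breach; pick another."
    return None  # guideline 3: no composition rules, nothing else to check
```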

Note for health and financial services: Don't buy into the myth that HIPAA and PCI DSS require specific types of characters in passwords. They don't.
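Item 11 above as an added example, not the page’s own code: a throttle that applies a progressive delay per account (so a botnet rotating IPs is still slowed down) and a separate per-IP failure total regardless of account (to catch password spraying), asking for a CAPTCHA only after a few failures. The thresholds and the IP addresses are constructed values.

```python
from collections import defaultdict
from typing import Dict

BASE_DELAY = 1.0        # seconds of delay after the first failure
MAX_DELAY = 300.0       # cap so a legitimate user waits minutes, not days
CAPTCHA_AFTER = 3       # show a CAPTCHA only after a few failures
IP_FREE_FAILURES = 10   # failures one IP may spread across accounts before it is slowed


def progressive_delay(excess_failures: int) -> float:
    """0 s while under the allowance, then 1, 2, 4, 8 ... seconds, capped."""
    if excess_failures <= 0:
        return 0.0
    return min(BASE_DELAY * 2 ** (excess_failures - 1), MAX_DELAY)


class LoginThrottle:
    """Tracks failures per account (credential stuffing from many IPs) and
    per source IP regardless of account (password spraying from one IP)."""

    def __init__(self) -> None:
        self._account_failures: Dict[str, int] = defaultdict(int)
        self._ip_failures: Dict[str, int] = defaultdict(int)
        self._account_retry_at: Dict[str, float] = {}
        self._ip_retry_at: Dict[str, float] = {}

    def retry_after(self, account: str, ip: str, now: float) -> float:
        """Seconds to wait before processing this attempt (0 = proceed now)."""
        until = max(self._account_retry_at.get(account, 0.0), self._ip_retry_at.get(ip, 0.0))
        return max(0.0, until - now)

    def needs_captcha(self, account: str, ip: str) -> bool:
        return (self._account_failures[account] >= CAPTCHA_AFTER
                or self._ip_failures[ip] - IP_FREE_FAILURES >= CAPTCHA_AFTER)

    def record_failure(self, account: str, ip: str, now: float) -> None:
        self._account_failures[account] += 1
        self._ip_failures[ip] += 1
        self._account_retry_at[account] = now + progressive_delay(self._account_failures[account])
        self._ip_retry_at[ip] = now + progressive_delay(self._ip_failures[ip] - IP_FREE_FAILURES)

    def record_success(self, account: str) -> None:
        # Clear the account counter; the per-IP total stays for distributed-attack detection.
        self._account_failures.pop(account, None)
        self._account_retry_at.pop(account, None)

    def ip_total_failures(self, ip: str) -> int:
        return self._ip_failures[ip]
```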


6.2 Protecting passwords

Once you’ve accepted a new password, you obviously need to protect it.

See the OWASP Password Storage Cheat Sheet for advice on hash functions, salting, peppering, and more.

If you store anything else in the database along with usernames, password hashes, and salts, such as first name, last name, birth year, phone number, and other profile info, encrypt it (with a two-way function, not a hash). Never store any user information unencrypted. If your application requires searching any of the data, use searchable encryption or maintain a separate encrypted index.
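The storage side as an added example, not code from the page or from the OWASP cheat sheet: salted scrypt from the standard library, a pepper bound in with an HMAC before the slow hash, a self-describing record so parameters can be raised later, and constant-time verification. `PEPPER` is a placeholder, and the scrypt cost is set below OWASP’s suggested minimum so the example runs quickly.

```python
import base64
import hashlib
import hmac
import os

# scrypt cost parameters. OWASP's suggested minimum is N=2^17, r=8, p=1; N is
# lowered here so the example runs quickly. maxmem is sized to 128*N*r bytes.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16

# Placeholder pepper: in production it lives in a secrets store or HSM,
# never in the same database as the hashes.
PEPPER = b"example-pepper-do-not-use"


def _prehash(password: str, pepper: bytes) -> bytes:
    # Bind the pepper to the password with an HMAC before the slow hash, so a
    # stolen table of hashes is useless without the pepper held elsewhere.
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = PEPPER) -> str:
    """Return a record 'scrypt$N$r$p$salt$hash' (base64 fields) with a fresh
    random salt per user, so identical passwords never share a hash."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(_prehash(password, pepper), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32,
                            maxmem=128 * SCRYPT_N * SCRYPT_R * 2)
    b64 = lambda b: base64.b64encode(b).decode()
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${b64(salt)}${b64(digest)}"


def verify_password(password: str, record: str, pepper: bytes = PEPPER) -> bool:
    """Recompute with the parameters stored in the record and compare in
    constant time, so timing does not leak how many bytes matched."""
    try:
        algo, n, r, p, salt_b64, hash_b64 = record.split("$")
        if algo != "scrypt":
            return False
        n, r, p = int(n), int(r), int(p)
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(hash_b64)
    except ValueError:
        return False  # malformed record: never treat as a match
    actual = hashlib.scrypt(_prehash(password, pepper), salt=salt, n=n, r=r, p=p,
                            dklen=len(expected), maxmem=128 * n * r * 2)
    return hmac.compare_digest(actual, expected)
```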

7 Additional resources

Multi-factor authentication:

Passkeys and whatnot:

Password research:

Security and data breach deep dives: