Login Security Demystified
Last update March 17, 2025 (What's new?)
Table of Contents
- 1 Introduction
- 2 Password strength
- 3 Password guidelines for users
- 4 Supplements and alternatives to passwords
- 5 How passwords are attacked
- 6 Guidelines for developers
- Frequently Asked Questions (FAQ)
1 Introduction
Pop quiz: Which password is more secure?
A) Mbxsa38!
B) gacrpooofent
The answer is B. Surprised? People think A is more secure because it follows the typical rules for a “strong” password: at least one uppercase and lowercase letter, number, and special character. But the most crucial aspect by far of password security is length. A secure password is hard to guess. Password B is longer than password A, so it takes more tries to guess it, just like it takes more tries to guess a number between one and one hundred than a number between one and ten.
Even though password B is only four characters longer, it isn’t just a hundred times harder to guess, or even a million times harder to guess — it’s 78 million times harder! A cybercriminal using an extremely powerful password cracking system could crack password A in about an hour, but it would take the same system over a thousand years to crack password B.
We all have to use passwords. Over two thirds of the world uses the Internet. The average person has more than one hundred accounts. Unfortunately, the security risk from passwords is getting worse all the time. Around half of the vulnerabilities in cloud services are from weak or missing credentials. Compromised passwords have (perhaps) led to billions of dollars of personal and corporate loss. Reports and numbers vary, but several billion passwords have been stolen and are available on the dark web. If your password is one of those, and you reused it at more than one site (which more than half of us do), your other accounts are at risk.
Most compromised passwords are extracted from data breaches, since too many companies do a bad job of protecting your data and because we humans don’t make strong passwords. But even the strongest password can be pilfered by malware or phishing, which account for billions of stolen passwords.
What to do? Passwords won’t go away any time soon. They’re being slowly surpassed by passkeys, but passkeys aren’t widely supported yet, and many existing passkey implementations are vexingly hard to use. In the meantime, the best way to protect yourself is to use strong passwords and take advantage of additional security measures such as multi-factor authentication.
Even when passkeys become predominant, passwords won’t disappear. They’re simple and universal. When newfangled login methods such as biometrics fail, or hardware security keys are lost, passwords are often still used as a fallback, so strong password security is as important as ever.
2 Password strength
Unfortunately, many people, even supposed experts, don’t understand what makes a password strong or weak. Most of the “how to make a strong password” guides are full of myths and misunderstandings. This section explains the true fundamentals of password strength. Section 3 provides simple guidelines on how to make strong passwords.
Why do we care about strong passwords? To keep the bad guys out. (Section 5 explains how the bad guys get in.) A secure password is one that can’t be cracked by a bad guy.
A strong password is:
- Long – 12 characters or more.
- Unpredictable – random and hard to guess.
- Unique – not reused for your other accounts.
- Uncompromised – not on a list of stolen passwords.
A weak password is:
- Short.
- Predictable – uses typical patterns or words.
- Common – the same as other people’s password.
- Reused – by you in multiple places.
- Previously compromised.
The one rule to rule them all is length. A longer password is a stronger password because it’s harder to crack.
The math works like this: A single digit gives you ten possible values. If you add a second digit, you exponentially increase the possible values: 00, 01, 02, … 10, 11, 12, … 97, 98, 99 for a total of one hundred, which is ten times ten (or 102). If you add a third digit, you get one thousand (103) possible values. The same applies to password made of letters, numbers, and symbols, where a single character has 95 possible values, two characters have 9,025 (952) combinations, three characters have 857,375 (953), and so on. An eight-character password has more than 6 quadrillion variations (6,634,204,312,890,625 or 958), and a twelve-character password has more than 540 sextillion (9512).
When guessing a random value, on average it will be found after guessing half the choices, so we can estimate that a password of length L will take 95L÷2 guesses. (See the guessing game tables below.) However, attackers are smart and start by trying commonly used passwords, frequently used words, and prevalent patterns to speed up the guessing game. Studies often show that knowing common patterns makes it possible to crack thousands or even millions of passwords in a few hours. (See section 5 for more on how passwords are attacked.)


Clearly, length is the key to a strong password. So why do so many services have rules that force you to create “complex” passwords, and why do so many password guides tell you that a “complex” password is a strong password?
Because a) they are sheep (“everyone else does it”), b) they don’t understand security, and c) they succumb to the prescient attacker fallacy, which is the faulty reasoning that an attacker knows how long your password is and what characters you used. Most discussions of password strength say things like “if your password is five numbers it will only take around 50,000 guesses, but if your five-character password contains mixed case, a number, and a special character, it will take over 3 billion guesses.” This completely misses the fact that the attacker doesn’t know what characters you put in your password, so it will always take them over 3 billion tries (if they guess randomly, which they don’t).
This is why “complex” passwords are not meaningfully more secure, and why services that force you to make your password more complex actually make things less secure. When the attacker knows there are restrictions, they can skip billions of guesses. For example, if the attacker knows that you must use at least one number, they won’t try guessing passwords that contain only letters. The typical rule that requires at least one lowercase letter, uppercase letter, digit, and special character in an eight-character password eliminates over three quadrillion passwords, or 54 percent! (See Password Constraints and Their Unintended Security Consequences.)
On top of this, complexity rules don’t meaningfully improve security, because humans are predictable. Analyzing patterns in cracked passwords shows that when people are required to follow the three-of-four rule (“you must use at least three of the following: uppercase, lowercase, numbers, special characters”), the most popular pattern is one uppercase letter followed by several lowercase letters, then two to four digits (“Spring2024” or “Qwerty123”). When faced with the four-of-four rule they just add a special character to the end, usually “!” (“Qwerty123!”). See Password patterns for more on predictability.
Restrictions merely create a stronger blueprint for predictable passwords.
Remember, the goal is to thwart an attacker who knows all about commonly used passwords and patterns and so-called “complexity”. The trick is to exceed the attacker's crack time threshold, and the best way to do that is with long passwords. In the password guessing game table above, you can see how each time you make a password one character longer it increases guessing time by days, then years, then centuries. This is for random guesses, but the principle holds true for smart guesses. In general, attackers give up after trying 8- to 10-character passwords. A 12-character password is very strong, and anything longer is even better.
3 Password guidelines for users
3.1 There are only three important guidelines:
1) Make it long. Make it as long as you reasonably can, partly depending on how often you’ll need to remember it and type it in, but at least 12 characters long. If it helps, use the National Cyber Security Centre’s approach and make a passphrase from three random words you’ll remember.
2) Make it unique. Don’t use a password on one of the common password lists. Attackers use a technique called password spraying, where they get leaked usernames and try them with common passwords. Check password uniqueness at Have I Been Pwned.
3) Don’t reuse it. Don’t use the same password for more than one important account. Attackers use a technique called credential stuffing, where they take your username and password stolen from one site and try it on hundreds of other sites. Of course it’s hard to keep track of more than 150 passwords, which is the average. Some research suggests its beneficial to reuse passwords at low-value sites to reduce memory overload. Or you might want to use a core password with variations to help with this. Choose a strong (long) password and then add something to it that you’ll remember for each different website.
A password manager will automatically do all this for you.
3.2 Common additional tips (that aren’t as important):
1) Don’t include personal or familiar information such as a date, name, email address, city, etc. This helps with brute force attacks (which use dictionaries of words, names, cities, dates, etc.), and it might prevent someone who knows you or can see your social media pages from guessing your password.
2) Don’t include words in a short password, but feel free to use words in a long password, often called a passphrase. As pointed out by XKCD, the entropy of a long passphrase is vastly better than a typical password, and it’s easier to remember. However, password cracking tools prioritize guesses based on dictionary words, so if your password is less than 14 or so characters, don’t put words in it.
3) Use symbols, uppercase and lowercase letters, and numbers. You might need to do this because of draconian password rules at websites that don’t understand password security, but otherwise, using a variety of characters only makes your password a little bit stronger (see note above).
3.3 Ignore common but mostly useless guidelines:
1) Don’t “use leet substitution.” “Pa$$w0rd” or “@dm1n” is barely more secure than “password” or “admin.” Password cracking tools have already analyzed the leet patterns in compromised password lists and incorporated them into their algorithms. (See Leet Usage and Its Effect on Password Security).
2) Don’t “make your password complex” by reversing words (“drowssap”) using numbers or single letters for words (8 for “ate” or U for “you), random capitalization (“DroWssAp”), condensing phrases to initial letters (“Il2EgP” from “I like to eat green peas”), and so on. This faux complexity gives you a false sense of security.
3) There’s no need to “change your password regularly.” Unless you know that a security breach has exposed your password, don’t bother changing it. It just eats up your time and adds to your mental load. It takes less time to visit Have I Been Pwned to see if your password has been compromised, and only then change it.
4) Don’t diddle with “Diceware to generate passphrases.” Some people swear by Diceware, but are you going to remember a randomly generated set of strange words such as “dobbs bureau valeur flash ababa synod”? And are you going to roll a die thirty times whenever you need a new password? The underlying concept of random, six-word passphrases is great, giving an average password length of 30 characters from the Diceware word list, but the process is too cumbersome. Maybe for just your most critical accounts. Better yet, follow the National Cyber Security Centre’s advice and make a passphrase from three or more random words you’ll actually remember.
3.4 Padding
An interesting suggestion from Steve Gibson is to strengthen passwords by padding them with sets of characters that are easy to remember and easy to type. His example takes the incredibly weak password “D0g” and adds 21 periods. As he explains, “D0g.....................” is stronger than “PrXyc.N(n4k77#L!eVdAfp9” because it’s one character longer, making it approximately 95 times harder to guess. This is a good way to meet guideline #1 above: make it long. You can come up with your own variations such as “((((((password))))))”, “////pass////word////” (preferably without actual words), and so on.
3.5 (Un)security questions
Every expert agrees that security questions are a bad idea. Many accounts have been compromised through password recovery questions. Some answers are very popular (around 30 percent of people worldwide say blue is their favorite color and around 20 percent of Americans say pizza is their favorite food), questions and answers tend to be repeated across accounts, and unencrypted answers are often revealed in data breaches.
Someone targeting your account may be able to dig up enough information about you (your hometown, the street you grew up on, schools you attended, where you got married, etc.) to answer recovery questions. Pew Research shows that 37 percent of Americans have never moved from their hometown.
If security questions are optional, leave them blank. If you are forced to answer them, obfuscate your answers and make them different for each website. For example, even if your “favorite food” is pizza, you could answer “pizpizPayP” for PayPal and “pizpizBoA” for Bank of America. (Not that these specific services are foolish enough to use secret questions, but you get the point.) Some services require multiple questions and don’t let you use the same answer, so you could answer “MyMotherIsACar_drycln_school,” “MyMotherIsACar_drycln_pet,” “MyMotherIsACar_drycln_job” for questions that your dry cleaner’s website asks about your high school, pet, and first job. (See NordVPN’s Which security questions are good and bad? for more suggestions, keeping mind that all security questions are bad.)
3.6 Writing down passwords
It's fine (really!) to write your passwords down, just keep the list secure, such as in a locked drawer or secret location. If recording your passwords makes it easier for you to remember long, strong ones, then by all means do it. Or use a password manager. Just don’t write them on sticky notes scattered around your desk.
If you keep the list on a computer or phone, make sure it’s protected by a unique and extra-long password. There are various ways to protect a list on your computer or phone. Apple Notes and Windows OneNote let you password-protect a note. You can keep a file safely in Apple iCloud, but make sure your AppleID password is very strong. A password-protected Zip file works almost anywhere. Microsoft OneDrive includes a "personal vault" to securely store files. The Apple Disk Utility lets you create a password-protected disk image. In Windows Pro you can encrypt a folder.
On the “we’d rather not think about this but it’s practical” side, someday you will die, and your loved ones may desperately need to access your important bank accounts, brokerage accounts, cryptocurrency keys, etc. so it’s a good idea to give your list of passwords to a trusted person or two.
4 Supplements and alternatives to passwords
Security experts all agree that passwords are not secure. If everyone created very strong passwords and remembered them, it wouldn’t be so bad, but we know most people are bad at coming up with good passwords. Passwords are based on a person remembering a secret, but the more secure a password is, the harder it is to remember it. Passwords can be shared, guessed, stolen, and cracked. Computers get faster every year, making it easier to crack passwords. Quantum computing is just around the corner, and it will make password cracking exponentially easier. The only way services you log into can check your password is by storing a scrambled version of your password, and although there are robust techniques to protect password data, too many services don’t guard them properly. Last but not least, passwords are a pain to type in, although password managers help with this.
There are various approaches and industry initiatives to move beyond passwords with more secure alternatives, but they all have drawbacks when compared to the simplicity of storing passwords in your brain. Most alternatives rely on a physical device (such as a computer to respond to an email or a mobile phone to check your fingerprint), so if the device is not available or not working, you’re either locked out or you have to use a workaround.
Some approaches add a second layer of security on top of a password. Because there are two or more factors, the password and an additional step or two, this is called multi-factor authentication (MFA).
Another approach is passwordless authentication. Some methods are kludgy, like e-mail based “magic links,” and other methods such as such as passkeys are secure and starting to be embraced. Some passwordless authentication for websites has you respond to a prompt on your phone or tablet. Apple and Google have built this into their phones. Other companies such as credit card services use their own app. The biggest problem with this approach is that each implementation is proprietary, nothing is consistent, and you may not have the right app installed. Passkeys will probably replace and simplify this passwordless patchwork.
Passwords will likely never go away, but over time we’ll see new authentication techniques be more widely used.
The rest of this section covers the most common additions and replacements to passwords.
4.1 Password managers
A password manager is software that generates passwords for you and automatically enters them as needed, so you don’t have to remember them or type them. Most modern browsers have a built-in password manager to remember your existing passwords and to suggest new ones for you. Many people don’t realize that when they visit a website and their username and password are filled out for them, it’s the browser doing it, not the website.
Alternatively, dedicated password manager applications can be installed on computers and phones, can work across multiple browsers and devices, and can often store other information such as credit cards.
Advantages of password managers:
- Strong passwords – Password managers create strong (long, unique, and unpredictable) passwords.
- No memorization – You only need one, strong password for the password manager, which protects all your other passwords. You no longer have to reset passwords that you forgot.
- Autofill – Your usernames and passwords are automatically typed for you.
- Reduce error – No wrong password problems.
- Phishing protection – Passwords are associated with only one URL, so if you are tricked onto a fake website, the password manager won’t enter your password for an attacker to steal.
- Support for passkeys – Many password managers can manage your passkeys.
- Breach notification – Some password managers have a service to notify you if your username or password is leaked in a data breach.
- Secure storage – Passwords are strongly encrypted and protected with a master password and often a second factor.
- One-time passwords – Some password managers can generate one-time passwords (OTPs) and autofill them.
- Sharing – Some password managers allow you to securely share your password with someone using the same password manager. (Of course, this is only a good idea if the password is for a shared account.)
- Info vault – Some password managers can securely store additional information such as credit cards, account numbers, answers to password recovery questions (which can be deliberately wrong to increase your security), personal information, and even files.
- Corporate deployment – A few password managers allow an organization to centrally manage employee passwords.
Disadvantages of password managers:
- Single point of failure – Password managers don’t store your master password for security reasons. You have to know it. Some give you a recovery method. If you lose your master password and recovery info, there is no way to recover your passwords.
- Incompatibility – Password managers don’t work with many apps and devices (such as smart TVs), and might not work on some websites, in which case you must manually enter a very long and complicated password after looking it up in your password manager.
- Unavailable on non-owned devices – If you want to use someone else’s computer or phone, or a public computer, your password manager is not there to log you in. If the password manager is available on another device you have with you, such as your phone, you can look up the password and type it in, but this is cumbersome and could expose you to a phishing attack.
- Cost – Some are free, including those built into browsers, but the better ones require purchase or subscription.
- Complicated – Some password managers may be a little tricky to learn and use.
- Attackable – Password managers can be hacked, especially if your device is infected with malware. Breaches of encrypted password manager data in the cloud are unlikely but have happened (also see Password Managers Hacked: A Comprehensive Overview).
- Loss of control – Your passwords are controlled by a company, not you. They’re usually stored in the cloud, where you have no control over their security. (There are a couple of password managers that give you control over your passwords.)
- Legacy insecure passwords – Research shows that almost half the users of password managers don’t use the secure password generation feature, and instead load in their old, insecure passwords. This isn’t the fault of the password manager, but it creates a false sense of security.
- Unavailability – If the password manager service can’t be reached, or the software fails, you might not be able to access your passwords.
- Phishable – Password managers prevent phishing for site-specific passwords by refusing to enter them into the wrong website, although the auto-fill feature of some password managers has been fooled by hidden forms or iframes. However, you could be lured to a fake app or website that looks like your password manager, where you enter your master password and give the attacker access to all your passwords. (Which is why you should always use MFA or a passkey to protect your master password.) (See 5.3 for more on phishing.)
- Password mismatch – Some websites may appear to accept a password but internally strip characters or truncate to a maximum length, so the generated password doesn’t work, and your next login attempt fails.
4.2 Multi-factor authentication
A factor is way of confirming your identity. The most common factor is a password. The three primary factors are:
- Something you know (knowledge) – unique information such as a password, pin, or unlock pattern.
- Something you have (possession) – a phone app, a text message, an email message, a USB key, or such.
- Something you are (inherence) – a physical characteristic or biometric such as your fingerprint, face, retina, or voice.
Two additional factors are sometimes employed:
- Somewhere you are (location) – at your home, in your car, at the office, or so on.
- Something you do (behavior) – the rhythm of your typing (keystroke dynamics), the way you tend to move a mouse or interact with a touchscreen, or so on. Note that unlike biometrics, a behavioral factor is dynamic and can change over time.
Multi-factor authentication (MFA) means you are asked for two or more factors to provide extra security, like being required to provide a photo ID and a birth certificate when applying for a passport. The first factor is usually a password, but any combination of factors could be used. When there are two factors it’s often called two-factor authentication (2FA).
The obvious advantage of using MFA is improved security. MFA reduces the risk of account compromise by over 99 percent, even if your password is cracked and leaked. The obvious disadvantage is inconvenience. Studies indicate that around 60 percent of companies globally use MFA. The primary reason cited for not using MFA is inconvenience.
The strongest authentication factor is biometrics, measuring unique personal characteristics or behaviors that can’t be shared or mimicked. Biometrics are often the simplest, quickest, and least disruptive. You just look at a camera or touch a screen.
The second strongest factor is device possession, which obviously requires you to have a device, typically a phone.
Additional common authentication factors are:
- Text message – see 4.3
- Email – see 4.4
- Phone call
- Software authenticator – see 4.5
- Hardware security key – see 4.6
- Phone app (where you confirm to the service’s app that you’re trying to log in on a computer)
Part of the reason passkeys are so secure is they require device possession and often include biometrics. (See Are passkeys MFA? for more.)
2FA Directory helps you check what kinds of 2FA a website supports.
4.3 Text message authentication
Instead of entering a password, or as a second factor in addition to a password, you receive a text message at your verified mobile phone number with a one-time code that you type (or copy/paste) into the login screen. This is the most implemented second factor. It’s often called SMS authentication but can use any mobile messaging protocol such as SMS (Short Message Service), MMS (Multimedia Messaging Service), RCS (Rich Communication Services), or Apple iMessage.
Advantages of text-based authentication:
- Fast delivery – text messages are usually delivered within seconds.
- Widely available – over 90 percent of Internet users have a phone.
- Relatively easy to use – you must check your phone and type or copy a code, but you don’t have to set up another authentication device.
- Relatively simple for a service to implement.
- Marketing potential – for a service, this creates an opportunity to get phone numbers.
Disadvantages of text-based authentication:
- Vulnerable to phishing – a fraudulent party may try to get you to reveal the code.
- Not fully secure – SMS and MMS text messages are not encrypted; however, the risk from SIM swapping is highly overrated, see note below.
- Reliance on a mobile device and network – if you don’t have access to your phone, or you’re in a place where there is no mobile service, you may not be able to log in or may have to resort to a more roundabout method.
- You may be uncomfortable giving out your phone number, which may be abused by the service
- Some sensitive environments don’t allow mobile devices.
4.4 Email authentication
Instead of entering a password, or as a second factor in addition to a password, you receive a message sent to your verified email address. The email contains either a code (a sequence of letters and/or numbers) or a link (a web URL, sometimes called a “magic link”) with a code embedded in it. These are usually one-time codes, which means they expire after a short period of time, and once you use them, they don’t work again. (This is for security, so that if someone gets into your email they can’t log in to your accounts using old email messages.) When there’s a human-readable code, you type (or copy/paste) it into the login screen. When there’s a link, you click or tap on the link to log in.
Advantages of email-based authentication:
- Widely available – Over 90 percent of the world uses email.
- Resistant to phishing – when a link is used instead of a code. A fraudster on the phone can’t ask you to tell them the contents of the link, since it’s rather long. Although they could ask you to text or email it.
- Relatively easy to use – You must open an email app but don’t need to have a phone or another authentication device.
- More secure – One-time codes or links can’t be re-used. Can replace passwords, which could be cracked).
- Reduces memory load – You don’t have to remember a password.
- Customers may be more comfortable providing their email address than their phone number (e.g., for text-based authentication)
- Inexpensive or free – Avoids the possible charge of receiving a text message.
- Simple for a service to implement – Cheaper than sending text messages
- Marketing potential (for the service, it creates an opportunity to get customers’ e-mail addresses)
Disadvantages of email-based authentication:
- Vulnerable to phishing – when a code is used instead of a link, a fraudulent party can try to get you to check your email and share the code.
- Low security – If an attacker compromises your email address, they can attempt to take over your accounts using email authentication.
- Inconvenient – You have to check email. There may be a delay in receiving the email or it may get lost. You may have to switch between desktop and phone if you’re logging in on one device but get your email on a different device.
- Can be mistaken for spam – You must take extra time checking your junk mail folder. Strong spam filters may block you from accessing the authentication email at all.
- Relies on email – If you can’t access your email, you may not be able to log in or may have to resort to a more roundabout method.
- Marketing – You are required to provide your email address, which may be abused by the service.
4.5 OTP software authenticators
A software authenticator app shows short codes that you type in as second login step. The code, usually six digits, is a time-based, one-time password (TOTP), which changes every 30 seconds or so. Many software authenticators run only on mobile phones or tablets, but the code can be typed in on a computer.
There’s a one-time setup process, where the authenticator app talks to the service that you want to log into and receives a shared secret key, or seed, often via scanning a QR code. After that, the app displays the current authentication code for each registered service, based on the current time. When you log in to a service, you check the authenticator app and type the current authentication code. The service generates its own code based on the secret key and the current time. If the two codes match, then you are authenticated.
A software authenticator is sometimes called a soft token or a software-based code generator. Popular software authenticators include Apple Authenticator, Authy, Google Authenticator, Microsoft Authenticator, Duo Mobile, Aegis Authenticator, and 2FSA. Most password managers (see 4.1) have a built-in OTP authenticator.
Most software authenticators provide encrypted backups or exports that make it easy to move to a new phone or another device. However, some backups/exports can’t be moved between different types of devices, such as Android and iPhone.
Some software authenticators also support HOTP (hash-based message authentication code [HMAC]-based one-time password, commonly called event-based OTP), where the code changes each time there’s a new login instead of every 30 seconds or so. HOTP is not as common as TOTP.
Software authenticators are being superseded by passkeys, which don’t require looking up numbers and typing or copying/pasting them.
Advantages of software authenticators:
- Secure – One-time passwords can be used only once, and time-based passwords change frequently, reducing the window of attack.
- No Internet connection is needed – After the initial setup, the codes can be generated and used offline.
- Simple – Setup is usually easy, often only requiring you to use the authenticator app to scan a QR code presented by the service. Entering a six-digit code is not too difficult.
- Free for users to install.
- Relatively inexpensive for implementers to support.
Disadvantages of software authenticators:
- Vulnerable to phishing – Attackers can try to fool you into telling them the code or entering it into a malicious website.
- Vulnerable to attack – The key is a shared secret stored in the authenticator and at the service. If the key is stolen from the service, or if your computer or phone is compromised or stolen, legitimate codes could be generated.
- Third-party trust – TOTPs add another step between you and the service you’re logging into, requiring you to trust the third party to be secure.
- Inconvenient – Requires you to open and use an application, usually on a mobile phone, and type or paste a code.
- Additional point of failure – If the app doesn’t work or the phone is not available, you may not be able to log in, or you’ll have to use an alternative login. If you get a new phone and don't have a backup of your MFA accounts, you'll have to redo everything.
- Could be prohibited – Some sensitive environments don’t allow mobile devices.
4.6 Hardware security keys
Note to readers: Unless your company requires you to use a hardware key, or you’re a security fanatic, you should skip this section. It gets rather complicated.
A hardware security key (alternatively called a hardware authenticator, hardware token, FIDO key, OATH key, OTP token, or hardware-based code generator) is a thumb-sized or credit card-sized device that stores cryptographic keys as part of a second login factor or in place of a password. In some cases, it’s a secure chip built into your phone or computer instead of an external device.
There are three main protocols used by hardware authenticators:
- OATH (TOTP and/or HOTP) – The hardware equivalent of a (software authenticator, where the device generates one-time password (OTP),
usually six digits. This is the least secure of the three. See
4.6.1 for details.
(Note: this is more precisely an OTP authenticator, which is different from a FIDO authenticator, which uses public/private keys.) - FIDO U2F/CTAP1 – A standard interface for connecting to compatible browsers and operating systems over USB, NFC, or Bluetooth to provide a second login factor using public/private keys. See 4.6.2 for details.
- FIDO2 – A standard for passwordless authentication using passkeys that can be stored in a hardware security key. FIDO2 is the most secure of these three protocols. See 4.8 for more on passkeys.
Many hardware keys support all three protocols. Some hardware security keys support additional protocols such as PIV/FIPS 201 for smart cards, OpenPGP, and Yubico OTP, but these are less common and not currently covered here.
There are four common ways for hardware keys to connect:
- USB – You plug the hardware key into a USB port on your computer or phone.
- NFC – The hardware key uses wireless NFC (near-field communications; the same technology used for tap-to-pay) to send a login code to your phone, tablet, or (rarely) computer.
- Bluetooth – The hardware key uses wireless Bluetooth to send a login code to your phone, tablet, or (rarely) computer. In some cases, your phone can act as a hardware security key using Bluetooth.
- Display – The hardware key displays the one-time code on its built-in screen for you to type into the login page. This only applies to TOTP and HOTP.
Hardware security keys are becoming less common now that modern phones can use passkeys for more secure and passwordless login, except in cases where high security is needed.
Hardware security keys are often centrally deployed by large companies.
Common devices include the Yubico Security Key or YubiKey, Google Titan, Deepnet SafeKey or SafeID, HID Crescendo, Kensington VeriMark, Nitrokey, SoloKey, Feitian OTP, RSA SecurID, Symantex Vip, Thales eToken Pass, and Vasco Digipass Go.
4.6.1 OATH OTP hardware security key
An OATH hardware key (also called an OATH token, OTP token, or OTP generator) is the hardware equivalent of a software authenticator that generates one-time codes (OTPs), usually six digits, that you enter during the login process. The primary advantage of a hardware authenticator is that it’s more secure than a software authenticator, and a single hardware key can easily be used across multiple devices (laptop, phone, tablet, etc.).
Some OATH hardware keys show the code on a built-in display. Others don’t have a display, so they rely on authenticator software installed on your phone or computer to retrieve the codes from the hardware key and show them. Some authenticator apps can automatically type the code into a login page. Note: Don’t confuse a hardware key’s associated software authenticator with the software-only authenticator described in 4.5.
There are two OTP protocols: TOTP (time-based one-time password) and HOTP (hash-based message authentication code [HMAC]-based one-time password, commonly called event-based OTP). TOTP is more popular, although many hardware tokens support both.
There’s a one-time enrollment process, where you connect to a service’s website or app and choose the option to use an OATH TOTP or HOTP security key for authentication (or choose the generic “authenticator” option). You need to get the shared secret key or seed from the service, usually by scanning a QR code or by typing (or copying/pasting) the secret key that the service shows you. (Some hardware keys are preprogrammed with one or more seeds, so they must be specially configured.) You edit or type a name to identify the service (e.g., Google, Facebook, My Bank, etc.) so you can find the right OTP code later, if you use multiple services.
Once the device has the secret key, it feeds it into a cryptographic algorithm to generate a one-time code based on the current time (for TOTP) or the time that has elapsed since the enrollment process started (HOTP). You enter the code on the setup screen so the service can make sure it matches the code it generated from its own copy of the secret key.
From then on, each time you want to log in, you insert the hardware key (if it’s USB) or hold it near your computer or phone (if it’s NFC or Bluetooth) and perhaps tap a spot or press a button to see the current list of codes, each identified by the name you gave it. Some hardware keys have a fingerprint reader or a keypad to enter a PIN for added security, or the associated authenticator software may give you the option to add a password for the key.
4.6.2 FIDO U2F hardware security key
A U2F security key (or FIDO key or OTP token) plugs into a USB port on your computer or phone, or uses wireless NFC (near-field communication) or BLE (Bluetooth low energy) to respond to a login request by sending an encrypted message through your computer, phone, or tablet to the service you’re logging into.
There’s a one-time enrollment process, where you connect to service’s website or app and choose the option to use a security key for authentication. For a USB key, you’re prompted to plug it in and usually tap a spot or press a button on the device. For a wireless key (NFC or BLE), you may be prompted to tap it against your phone or computer and tap a spot or press a button on the key. Some hardware keys have a fingerprint reader or a keypad to enter a PIN for added security. You are usually prompted to enter a name for the service so you can select it later when logging in. A public/private key pair is generated, the private key is securely stored in the hardware key, and the public key is sent to the website or app. (See note for more.)
4.6.3 Advantages and disadvantages
General advantages of hardware security keys:
- Physical factor - You have to possess the device to log in, reducing the risk of unauthorized use.
- No Internet connection is needed – After the initial setup, the codes can be generated and used offline.
- Simple to use, although enrollment can be confusing.
- Many support all three protocols: OATH, FIDO U2F, and FIDO2 (passkeys).
Advantages of OATH (generating an OTP):
- More secure than software authenticators, since the secret key (seed) is stored in tamper-resistant hardware that’s difficult to hack.
- One-time passwords can only be used once, and time-based passwords change frequently, reducing the window of attack.
Advantages of FIDO U2F and FIDO2 (using USB, NFC, or Bluetooth to send code):
- More secure than software authenticators, since they use private keys that are stored in tamper-resistant hardware that’s hard to hack, and the service only has the public key.
- Immune to phishing – You don’t see the login code sent by the device, so you can’t be tricked into giving it out.
General disadvantages of hardware security keys:
- Limited number of accounts – Some older or simpler hardware keys can only support one account. Others can store 10, 30, or more than 100.
- Can only be used as a second login factor, not for passwordless login.
- Can be lost or stolen – potentially allowing unauthorized access (if your password is also compromised) until the old device is revoked at every service.
- Can break – Most are rugged, but they can be run over, dropped (especially bad if plugged into a laptop or phone that lands key side down), overheated, or just quit working.
- Inconvenient – You have to carry a hardware device. USB-only versions must be plugged in. If the device doesn’t work or is not available, you may not be able to log in. If the device is lost or stolen, you must revoke it at every service and reregister with a new device.
- USB-only keys don’t work with many phones.
- Don't work everywhre – May not be supported by your computer or by the service doing the authentication. In some cases, you might need different hardware keys for different services.
- Typically cost USD $20 to $95.
- Deploying and managing devices for a large group of users can be complex and time-consuming.
Disadvantages of OATH (generating an OTP):
- Hardware keys without a display require you to download and install software. The software interface can be confusing.
- Vulnerable to phishing – An attacker can try to fool you into revealing the code (see 5.3).
- Shared secret – The key is stored in the authenticator and at the service. If the key is stolen from the device (unlikely) or the service (more likely), legitimate codes can be generated.
4.7 Biometrics
Biometrics (“life measurements”) are a way to recognize a person based on their unique physical characteristics such as fingerprint, voice, iris, or behavior (e.g., unique patterns in the way they type, speak, walk, move a mouse, and so on.) For authentication, biometrics are the “something you are” or “something you do” factor.
In general, especially with modern mobile phones, biometric authentication using fingerprint or face recognition is more secure than a password. Because biometrics are typically a very secure factor, they’re sometimes used alone, without a second factor.
In almost all cases, part of what makes biometrics secure is that your biometric data is not shared or sent anywhere, or even stored in the device. The fingerprint image or face scan is transformed into a simple but still unique value, typically by hashing, which can be easily checked by the local device. The device then authorizes unlocking or sending an authentication key to the service you’re logging into. (See 4.8 for how this works with passkeys.)
Consider the keys to strength from section 2. A biometric hash is long (usually 32 bytes) and therefore hard to guess, it’s unique (it only matches you), it can’t be reused or stolen from a service (since it’s stored only on your device). On top of that, it’s resistant to phishing (you can’t tell it to someone or enter it into a fake website).
4.8 Passkeys
In a future utopia, we’ll use passkeys everywhere instead of passwords and other login mechanisms. A passkey is essentially a secret code, securely stored on your phone or computer, that logs you into a website or app. When you’re presented with the option to “use a passkey,” you (usually) don’t need to enter a username or password — you just take the usual step to unlock your device with your fingerprint, face, PIN, or pattern. If your passkeys are stored on your phone but you’re logging into a website or app on your computer, you confirm on your phone, wirelessly or by scanning a barcode, and your phone tells your computer to let you in.
Passkeys were developed around 2018, and began to be adopted in 2022, in an attempt to deal with all the password problems discussed above: weak and predictable passwords, password reuse, breaches of stored passwords, human error, phishing attacks, overload from dealing with too many passwords, and so on.
The important difference with passkeys is that you never know them: you don’t think them up, you don’t have to remember them, and you don’t type them. Instead, you use software or hardware that manages the passkeys for you.
A passkey involves two factors — a device and an unlock step, so they can be used instead of passwords and second authentication factors such as a text message or email. (See Are passkeys MFA?)
Passkeys are more secure than passwords and most other login methods, and in some cases they’re simpler and faster, but unfortunately many passkey implementations are complex and confusing (see Passkeys Remystified - coming soon). Many websites and apps don’t support passkeys. Poorly implemented applications may use a passkey and still require a password. Password-free utopia is still many years away.
Passkeys use the more modern approach of public/private encryption in place of the less-secure shared-secret approach used by passwords and OTP authenticators (see 4.5 and 4.6). In simple terms, when you first set up a passkey to log in to a service, your device generates a private key that it keeps and a public key that it gives to the service. After that, when you want to log in, the service doesn’t ask for your username and password, instead it sends a message to your device asking it to authenticate that it’s you. Your device checks that it actually is you (scans your fingerprint or your smiling face, requires you to enter your unlock pattern, etc.), then signs the message (by encrypting it with the private key) and sends it back to the service, which verifies the signed message (by checking that your public key correctly decrypts the message), which proves it’s you trying to log in. Since the private key is never sent to service, it can’t be stolen. You don’t know the private key, so you can’t mistakenly give it to someone who’s pretending to be a legitimate service (i.e., you are invulnerable to phishing attacks). And it’s almost impossible to guess. (Using only 1024 bits results in more possible keys than there are atoms in the universe. In fact, if you squared the number of atoms in the universe, resulting in a mind-bogglingly huge number with over 150 zeros, it would still be way smaller than the number of possible keys.)
- On your computer or phone, managed by the operating system (OS)
- In your browser, managed by the browser’s password manager
- In a standalone password manager
- In a FIDO2 hardware security key (see 4.6)
When you first create a passkey, you’ll probably see several options for where to save it. You might have to select “Other ways to sign in,” “Try another way,” or a similar option to see them all. Your choice of where to keep your passkeys depends on what devices you have and how you use them.
If you use the same browser on multiple devices, such as Google Chrome on a PC and a phone, it’s best to keep your passkeys in the browser, since it will synch them to the browser on each device. If you use all Apple devices, such as a Mac and an iPhone, it’s best to keep your passkeys in iCloud Keychain, which will sync them to all your devices to be managed in the Passwords app. Windows 11 can sync passkeys to other Windows 11 PCs (as of fall 2024). Windows 10 can use passkeys but can’t (yet) sync them. If you mostly use a Windows computer and don’t use a phone much, it’s simpler to keep your passkeys in Windows so you don’t have to pull out your phone every time you log in to a website on your computer. If there are some websites or apps that you only use on your phone, you’ll want to keep passkeys for those websites/apps on your phone. If you use a standalone password manager on all your devices, you can keep your passkeys there, since most will sync passkeys across devices.
When you visit a website on your computer and log in with a passkey on your phone, you may be asked if you want to create a passkey on your computer. If you do, a new passkey is created, allowing you to log in on your computer without needing your phone. You’ll then have two separate passkeys for a single website.
The same passkey can’t be used at more than one service. This is by design, so that a passkey can’t be used to track you across multiple websites and services.
Learn more about using passkeys with:
- Microsoft Windows
- Apple Mac and iPhone and iPad
- Google Chrome browser
- Password managers: 1Password, Bitwarden, Dashlane, Keeper, LastPass, NordPass, Proton Pass, Roboform
- Hardware security keys: Yubico, Google Titan, Thales
Advantages of passkeys:
- More secure – Every passkey is unique and random. No one can guess your passkey or trick you into giving it to them (phishing). If a service is breached, your public key doesn’t do the attacker any good. Passkeys can’t be stolen when a service is breached. Passkeys can’t be intercepted by malware on your device or by someone tapping into your Internet connection.
- Simple, faster login – Potentially. Although there’s an extra setup step, and you may need your phone or other device to log in on your computer, the login process can be simple, since you don’t need to enter a username or password (and type it again when you get it wrong). Unfortunately, passkeys often don’t work as smoothly as they should. (See Passkeys Remystified - coming soon).
- Unforgettable – Since you don’t memorize passkeys, you never need to reset your password.
- Interoperable – Passkeys are (theoretically) sharable across all your devices, but as of 2025 there are still many problems.
- For implementers, less work and lower cost than using factors such as text message or email authentication (but only if you exclusively support passkeys for login).
Disadvantages of passkeys:
- Can be inconvenient – Although passkeys are ostensibly simple, you usually must confirm with a biometric scan or a PIN, sometimes on a separate device. On the other hand, a password manager simply autofills your username and password so all you need to do is click or tap the login button.
- Inconsistent user experience. Each browser, website, app, and OS presents passkeys in a different way, sometimes with different terminology, which can be confusing.
- Device dependent – Passkeys may be tied to a specific device, such as a hardware security key or phone, requiring you to have it with you and unlock it.
- Often don’t work on non-owned devices – It may be difficult or impossible to log in to a public computer or friend’s device using your passkey.
- Not always available. Passkeys rely on support from the service you want to log into, and from phone and computer operating systems, browsers, or apps, so they don’t work everywhere you might want them to.
- May lock you into a particular ecosystem (brand of browser or operating system). See Passkeys Remystified (coming soon).
- Could be restricted – Passkeys can’t be used from mobile devices in a sensitive environment where the devices are prohibited.
4.9 Federated identity and social login
Federated identity is where a single service shares your identity (your login credentials and other information about you) to multiple organizations, services, and applications. For example, if you use your Amazon account to login to websites or apps for Amazon, Goodreads, and Wordpress, Amazon is serving as your identity provider to all these services.
Federation can function within a single organization, in which case it’s often called single sign-on (SSO). For example, a corporation’s employees may be able to log in to different company applications (email, customer management, payroll, etc.) using a single username and password. You can log into Microsoft Windows, Word, Excel, Outlook, OneDrive, SharePoint, Skype, etc. using a single username and password or a single passkey.
Social login (or social sign-on, social authentication, or third-party authentication) is where one organization serves as an identity provider for other organizations. When you are about to sign up with a new service and are given options such as “sign in with Google,” “connect with Facebook,” “continue with Apple,” or “sign up with Microsoft” as alternatives to “sign in with email,” these are social login identity providers. Instead of signing up for a new account with your own email and/or username, and coming up with a new, unique password (you always do this, right?), you allow the social network to provide your identity and other info to the service you’re signing up for. Social login is a form of identity federation.
(Top social login providers, using their preferred logo, text, and button format.)
The biggest concern with using social login is that you cede more control of your digital identity and personal data to a single corporation. One whose goal is to make money off you. Instead of having isolated accounts at different services, you allow one business to aggregate and manage your identity. Social login makes it possible for multiple services to track you — and advertise to you. Social networks usually share information about you, including your name, birthday, picture, location, friends, and activities. Some social networks allow you to choose exactly what you share, others don’t. Apple gives you the option to have a random email address generated to hide your regular email address. Most give you a page to see what you’ve shared with whom. Here are the links to the sharing pages for Apple, Facebook, GitHub, Google, LinkedIn, Microsoft, and X/Twitter.
According analyses by login providers Okta and Descope, about one third of logins are social, with the most common being Google (by far), Apple, Microsoft, Facebook, Salesforce, GitHub, and LinkedIn. (Note that Microsoft owns GitHub and LinkedIn, but they operate as mostly independently identity providers, although, for example, LinkedIn may share data to enable personalized ads on Bing and other Microsoft services.)
A few federated identity providers are not social networks, such as Microsoft Azure AD and ID.me (used by government as well as healthcare organizations and consumer brands), but the functionality is similar.
Social login service providers such as auth0, Firebase, Okta/Auth0, OneAll, and OneLogin have APIs that make it easy for developers to offer social login for as many as 30 or 40 identity providers, although they recommend only presenting three or four to avoid a cluttered interface.
Advantages of social login for users:
- Easier – No need to create a new account.
- Faster – If you’re already logged in to the social network, you may just need to click a “continue with” button.
- Less password overload. You don’t need to keep track of so many passwords.
- Trust – You may trust the social network to keep your password and other information safe more than you trust the service you’re connecting to.
- Social network integration – Some services feed fun or interesting data back into your social network account, help you connect to new friends, and so on.
Disadvantages of social login:
- Less control – Your identity and personal data are managed by the social network, which may share it and allow you to be tracked. (See details above.)
- Security weakness – Although social networks usually have robust security, some have had data breaches exposing millions of accounts. Individual accounts can also be hacked. If your social network account is hacked, it can potentially expose other services linked to it.
- Blocked access – Social networks may be blocked in schools, workplaces, and even countries, making it impossible to log in from those places.
- Where did I park my identity? – If you use social login from multiple networks, you may forget which one you chose for a particular website or app. This can be worse than forgetting your password if there’s no way to find out which one you used.
- Downtime – If the social network is unavailable, you may be unable to log in at other services.
- Login failure – The behind-the-scenes handshaking and credential passing is quite complex, and sometimes it fails, leaving you unable to log in.
Advantages of social login for implementers:
- Trusted users – Most social media services attempt to confirm that their users are real and trustworthy.
- Reduced tech support – Less need to worry about failed logins and forgotten passwords.
- Free authentication – You can avoid the work of developing a login module and rely on social login, which presumably has good security, monitors for attempted attacks, and so on.
- Data sharing – You may want access to the user information provided by the social network, or your model may benefit from feeding your users’ information into a social network.
Disadvantages of social login for implementers:
- Confusing interface – Your login screen may be cluttered with too many options.
- More complex implementation – You must implement the authentication process for each social network you select, unless you use a third-party signup/login portal that handles it all for you.
- Reliance on a third party – You place functionality in someone else’s hands. You’re stuck with their password policy with no control over aspects such as MFA or passkeys, and they may change their policy. Their bugs and outages affect you, their API changes force you to update your code, they may suspend users, change their developer policies, and so on.
4.10 Decentralized identity
A fundamental concern with creating accounts at online services is that they control and define your “identity.” They often require you to give them personal information. Or, if there’s information you want to give them, you end up entering it over and over at every service. They put you at risk for security breaches and identity theft. Regardless of whether you login with passwords or passkeys, or use social login (see 4.9), the ultimate solution to these problems is something quite different.
Instead of establishing an account at every service you need, you manage your own identity and data, and you choose the services you want to share with. This is called decentralized identity or self-sovereign identity (SSI). Instead of Facebook, Google, Microsoft, Apple, your bank, your health providers, and others managing your data and your online identity, you manage your own. The vision is to create a standards-based decentralized identity system that gives users and organizations greater control over their data while achieving more trust and more security for apps, devices, and services. You no longer have multiple accounts and usernames with multiple passwords or passkeys, you have a single identity or persona. Or you might have multiple personas: one for business, one for friends and social networks, and maybe an anonymous one for shitposting.
The core components are a decentralized identifier (DID) and associated verifiable credentials (VCs) or attributes that prove who you are and attest to information about you, somewhat like a digital driver’s license or passport. Your identity and your credentials are cryptographically secured, stored on a blockchain, and accessed using a digital wallet. (See Blockchain Demystified for more information.)
You create and own your decentralized identifier, and you rely on authorities and other trusted organizations to issue credentials that can be securely verified by others.
The ideas of decentralized identity have been around for a while, but it still isn’t standardized or widely supported. It holds great promise, and someday I will create an entire Demystified section to cover it. In the meantime, here are sources of more information:
Decentralized Identity: The Ultimate Guide 2024
Decentralized Identity Foundation (DIF)
The Global Identity Foundation
Advantages of decentralized identity:
- You’re the boss of yourself – You own and control your permanent digital identity with more privacy. You decide who has access to what personal data, and you can revoke that access at any time. (In theory, you can prevent your data being spread without your knowledge. In practice, you have to rely on services to not share your data and not store it insecurely so that it can be stolen.)
- Decentralized – Your data is on your own devices or blockchain, and you selectively share it with others. There is no centralized repository or other owner of your data.
- Private and secure – Your data is encrypted on a blockchain. Most requests can be satisfied with a question that doesn’t disclose details. E.g., “Are you older than 21?” “Are you a citizen of the UK?” “Is your credit rating better than 600”? “Are you eligible for financial aid?” (This type of request leverages zero-knowledge proofs or ZKPs.) Because you don’t disclose the details, they can’t be stolen or phished (see 5.3), which minimizes identity theft.
- Fraud-proof – Your identity and attributes are verified by an authority, so they can’t be forged or lied about.
- Limited demographic tracking. Because you only disclose what you want, online services, advertising services, and others can’t build profiles about you and track you as you browse websites and use apps.
- Less risk (for organizations) – Companies can issue or verify fraud-proof credentials and documents instantly. They can reduce the risk of cyberattacks and the costs and legal risks of data breaches by storing less information about their users.
Disadvantages of decentralized identity:
- It’s all on you – You are responsible for your own identity and security. Keeping track of personal data and permissions can be complex.
- Too many platforms – Unless things become more consolidated, you may need multiple identity platforms and multiple wallets to manage different kinds of information.
- Bad news for the bad guys – Decentralized identity could put thousands of hard-working scammers and fraudsters out of business.
5 How passwords are attacked
There are several ways someone can try to access your account or harvest your credentials. None of them are what you see in movies, where a nerd in a hoodie madly types guesses into a computer screen.
1) Password guessing – Repeatedly trying to log in with different passwords (explained in 5.1). This is sometimes called a brute force login attack, although variations such as credential stuffing (explained in 5.1.1) and password spraying (explained in 5.1.2) are more precise and effective, and therefore more common.
2)Offline cracking – Processing a data breach file to find passwords (explained in 5.2). If the stolen data was not protected, then no processing is needed, the usernames and passwords are just sitting there. Even when the passwords are protected by hashing, attackers use tools that know commonly used passwords and that understand the patterns we humans tend to use for passwords (explained in 5.2.1).
3) Social engineering – Fooling you or another person into providing access. You might get an email or text or see a social post or QR code that pretends to be from a real service or a trustworthy person, but links to a fake login page where the fraudster can steal your username and password (phishing, explained in 5.3). Or an attacker might call a service, pretend to be you, and convince the service representative to provide access to your account (impersonation, explained in 5.4) or to switch your phone number to the attacker’s phone so they can use your one-time login codes (SIM swapping, explained in 5.5).
4) Malware – Malicious software that tries to steal information stored on your phone or computer (aka spyware or infostealers) or that “watches” you type your username and password into websites and apps (keyloggers). Covered in 5.6.
5) Other less common methods, such as watching you type as you log in (shoulder surfing), finding your insecurely stored written passwords, stealing your phone or computer and attempting to hack it, intercepting login data sent over an insecure connection (man-in-the-middle or sniffing), or seeing a password foolishly sent over a public channel such as Slack or Microsoft Teams.
6) AI and neural networks – Research indicates AI can improve password guessing, both online and offline, although no mainstream password cracking tools have added AI as of the beginning of 2025.
The table below summarizes password attacks, how difficult they are to pull off, and how to defend yourself against them. Note that in some attacks, the strength of your password doesn't matter, but since you never know what might happen, you should use strong passwords for important accounts. See the references sections for detail about each type of attack.
Credential stuffing (5.1.1) Stolen usernames and passwords are tried at multiple websites. |
|
---|---|
Frequency | High. Tens of millions of accounts are probed every day. |
Difficulty | Easy. An attacker can obtain a list of breached usernames and passwords for use with an off-the-shelf tool. |
Defense | Don’t re-use a password for important accounts. Use strong passwords that won’t be cracked. Use a service to alert you if your account is breached. |
Password spraying (5.1.2) Usernames and email addresses are combined with common passwords and tried at multiple websites. |
|
Frequency | High. Tens of millions of accounts are probed every day. |
Difficulty | Easy. An attacker can get a list of usernames for use with an off-the-shelf tool. |
Defense | Never use common passwords. Use a service to alert you if your account is breached. |
Data breach cracking (5.2) Passwords are extracted from a data breach file using cracking software. |
|
Frequency | Medium, but it’s almost inevitable that one or more of your accounts will be exposed in a data breach. |
Difficulty | Breaking into accounts is difficult, but anyone can obtain breached data and run it through a free cracking tool. Ease and speed of cracking depend on the password hash used by the breached service. |
Defense | Use strong passwords. However, if the password data was unprotected, a strong password does no good. |
Social engineering / phishing (5.3 and 5.4) Someone tries to trick you into revealing your password or other sensitive data. |
|
Frequency | Very high. Billions of phishing emails are sent every day. |
Difficulty | Easy. Attackers can obtain an email list and use an off-the-shelf phishing kit. |
Defense | Educate yourself on phishing attacks and stay vigilant . Note: a strong password doesn’t help. |
Malware (5.6) Malicious software on your phone or computer steals sensitive information from files or by monitoring your typing, emails, and texts. |
|
Frequency | Medium. Roughly 30 percent of phishing emails contain malware, although many are blocked and only around 20 percent are opened. |
Difficulty | Easy. Developing malware is tricky, but “malware as a service” makes it usable by anyone. |
Defense | Don’t follow links or open attachments from unrecognized sources. Use anti-virus software. Use passkeys or multi-factor authentication. Note: a strong password doesn’t help. |
Local discovery Someone watches you enter a password or finds an insecurely stored written password. |
|
Frequency | Low. |
Difficulty | Hard, unless someone is sloppy. |
Defense | If you keep your passwords on paper, secure it. If you keep your passwords in a file, protect it with a strong password. Be aware when entering passwords. |
5.1 Password guessing
A password guessing attack tries to access an account by repeatedly entering guesses on a login page. These attacks are usually online and automated, where software emulates a human and submits guesses on a website. There can be manual attacks, where someone visits a website and tries to log in as you, or someone has physical access to your phone or computer and attempts to log into an app, but this is rare.
Online brute force guessing has limited success, since most websites and apps limit the number of attempts before locking out the account or adding a CAPTCHA (the little puzzle that asks you to prove you’re not a robot). However, an attacker who has gotten your email/username, and perhaps your password, from a data breach or other source can make login attempts over time and on multiple services, often without being detected or locked out. This is also called list cleaning or breach replay. Microsoft data shows there are over 4,000 attempted password attacks per second just on Microsoft accounts.
See credential stuffing and password spraying below for details.
5.1.1 Credential stuffing
Credential stuffing is an online attack that takes stolen usernames and passwords and “stuffs” them into the login pages of popular websites, looking for people who used their password more than once. Automated software runs through a list of thousands or millions of usernames and passwords, trying just one or two passwords for each username every so often, to avoid detection and lockout, and typically using multiple hijacked computers spread around the world (a botnet) to make it look like the attempts are not coming from the same place (a single IP address).
A famous example is the 23andMe data theft. An attacker used credential stuffing to break into 14,000 accounts. 23andMe has an optional feature to share information between relatives, which made additional information such as name, location, estimated ethnicity, birthplace, birth year, sex, and genetic and health data available to the attacker. The security of 23andMe itself was not compromised, but because 14,000 of their customers recycled passwords that had been compromised elsewhere, data from 6.9 million customers was compromised, almost half of their 14 million customers. In response, 23andMe required all their customers to reset their password, and added 2FA as login requirement.
- Don’t reuse passwords. If you already have, subscribe to a monitoring service such as Have I Been Pwned to be notified if one of your accounts is breached.
- Use MFA if available. It also tips you off when someone is trying to break into your account.
- Use passkeys when available.
5.1.2 Password spraying
Password spraying is an online attack that exploits the prevalence of weak passwords by combining the most frequently used passwords (such as Password1, 123456, qwerty, etc.) with lists of email addresses or usernames obtained from sources such as data breaches, user directories, or just educated guesses such as firstname.lastname@companyname.com. Automated software tries each username with all the passwords, targeting dozens or hundreds of popular websites, often using multiple hijacked computers spread around the world (a botnet) to make it look like the attempts are not coming from the same place.
Password spraying is even more effective when it uses only passwords that conform to the password policy of the target service and mixes target-specific information such as the user’s name, email address, and company name or products into the password.
- Don’t use weak or well-known passwords. See password patterns to avoid, or test your password at Have I Been Pwned or Weakpass.
- Use MFA if available. It also tips you off when someone is trying to hack into your account.
- Use passkeys when available.
5.2 Data breaches
A fundamental problem with passwords is that in order to log you in, a service has to be able to recognize that you entered the correct password, so they store it in a form that they can compare your input to. If an attacker breaks into the service’s system, they can steal password data.
Badly implemented services store unprotected passwords and other user information in a database or log. You’d think this would never happen, but it has. Facebook, Sony Pictures, Adobe, Equifax, Yahoo, Ancestry.com, Brazzers, YouPorn, Comcast, Neopets, and many others have suffered theft of unprotected passwords or security questions.
More careful services secure passwords by using a scrambling technique called a hash. But password hashes can be cracked, especially by powerful computer setups that use cracking tools to find the weakest passwords.
5.2.1 Cracking tools
Attackers use various software tools to extract passwords from a dump file stolen from a service. Dumps containing thousands or millions of usernames and passwords can be purchased on the dark web. Because processing happens offline (the cracker is crunching data on a computer system, not trying to log in online), there are no restrictions on the number of guesses or how quickly they can be made.
Services usually convert passwords to a hash to make them harder to crack if they are stolen. Password cracking (or hashcracking) tools attempt to get around this by using lists of known passwords and generating predictable passwords, each of which is hashed and compared with all the hashes in the dump file. If there’s a match, the password has been cracked.
Speed and effectiveness are limited by the strength of the hash function and by the processing speed of the cracking rig. Attackers can usually figure out which hash was used by looking at length, prefix, and other information or by trying different hashes on common passwords.
As discussed in section 2, an eight-character password made from the standard set of 95 characters has more than 6 quadrillion variations, and a twelve-character password has more than 540 sextillion. That’s a lot of passwords to guess, but even a standard desktop computer using the parallel processing power of an Nvidia GeForce RTX 4090 GPU (graphic processing unit) can crank through over 150 billion simple MD5 hashes per second. At that rate any six-character password hashed with MD5 can be cracked, on average, in less than three seconds, and an eight-character password in less than six hours. A newer, stronger hash, such as bcrypt, that takes longer to compute, slows this down to around 208 thousand hashes per second, or 19 days for a six-character password, but a more powerful cracking rig with twelve Nvidia cards can do it in less than two days. Unfortunately, too many services still use old hash functions (such as MD5 and SHA-1) that can be cracked quickly with modern hardware.
To be clear, you should take this and all other “passwords can be cracked in seconds” reports with a grain of salt. If a strong password is on a list of compromised passwords, it can be cracked in seconds. If you use predictable patterns, your password can be cracked in minutes or hours. If a company’s data is never stolen, the passwords can never be cracked. If you’re infected with malware, the strongest password can be snatched as you type it. The best protection is to be aware of any new breach with your account or password in it. Use a notification service such as Have I Been Pwned, Google Security Checkup, Apple Password Monitoring, Microsoft Password Monitor, or others, such as in some password managers.
Well-known password cracking tools include hashcat and John the Ripper. They use various modes to attempt to discover hashed passwords:
1. Known password lists. These are compiled from previous data breaches and successful password cracking work. For example, the (in)famous original RockYou file contains 14,341,564 distinct passwords, used with 32,603,388 usernames. (Those numbers alone show that 56 percent of the passwords occurred more than once.)
2. Dictionaries (cracking lists). These are extensive lists of common words and names (personal names, place names, company names, pet names, fictional characters, etc.), often ordered by frequency of use in passwords. Dictionary lists may also include known passwords.
3. Brute force (exhaustive search). The software runs through permutations of characters, generating huge numbers of possible passwords. Dumb or incremental brute force that slogs through all variations (aaaaaa, aaaaab, aaaaac, etc.) is possible but rarely used, as there are optimizations with more likelihood of success:
o Markov models that prioritize the most likely passwords first. A simple Markov chain connects characters together according to the probabilities that one will follow another. A layered Markov model can include the probability of a character being in a certain position in the password. (This is hashcat’s default brute force mode.) Markov models are generated from lists of leaked passwords and can then be used to produce all the possible passwords of a given length, ordered by probability.
o Masks prioritize certain patterns such as all lowercase or all numbers (see note).
o Transformation or mangling rules modify dictionaries by varying uppercase and lowercase, doing leet substitutions, adding numbers or symbols, mixing words together, and so on.
4. Hybrid attack. Combining known or guessed information with any of first three modes. For example, if an attacker knows your birth year, the software can combine it with known passwords and dictionary words. (This also called associative attack.)
It should be obvious that when you’re trying to create a strong password, your first goal is to avoid it being found by the first two modes (make it unique) and your second goal is to prevent it being found by the remaining modes (make it long and unpredictable).
In most new data breaches, over 60 percent of hashed passwords can often be found in previous data breaches (per haveibeenpwned posts). According to a 2023 analysis by Kaspersky, 59 percent of 193 million actual passwords could be cracked from a hashed password list in less than an hour using an off-the-shelf Nvidia GeForce RTX 4090 card. This is partly due to modern GPU processing power and partly due to list attacks and pattern attacks being disturbingly effective. The study found that 57 percent of the passwords included a dictionary word.
For more on password cracking, see Password Village, the hashcat FAQ, and the r/hacking tutorial.
5.3 Phishing
Phishing is a social engineering scam using fraudulent emails, websites, text messages, phone calls, or other communication in an attempt to trick you into revealing sensitive information such as usernames, passwords, and credit card details. The term probably evolved from phreaking (phone freaking), which referred to exploiting phone systems in the 1960’s and 70’s, combined with fishing. Over 20 percent of data breaches are a result of phishing.
Phishing typically has three phases:
1) Hook – An email, text message, QR code, social media chat, phone call, or other method to connect to potential victims.
2) Bait – The motivation to take the hook. This usually plays on human nature and emotions (see below).
3) Catch – The mechanism for divulging info or giving money: a fake website, a malicious attachment, a fake browser update, a person on the phone, fraudulent invoices or orders, or bogus PayPal or Venmo requests.
Email is the most-used hook. Over 95 percent of social engineering attacks use email. In 2024, scammers sent over 3.4 billion phishing emails each day.
Phishing relies on human fallibility and our inclination to trust. It manipulates your emotions to put you into a state where you aren’t as thoughtful and cautious as you normally might be:
- Greed – there’s money, a reward, incredible purchase discounts, or an exclusive offer.
- Urgency or panic – something is alleged to have happened to a family member or friend, you’re going to be fined or arrested if you don’t act immediately, your account has been suspended, there are fraudulent charges on your credit card, there’s a limited-time offer.
- Fear – you’re told you have been infected with a virus, your company computers have been breached.
- Curiosity – your package can’t be delivered, or there’s something amazing / disgusting / horrific / secret / whatever that you don’t want to miss.
- Compassion – people need support after a natural disaster.
- Trust – impersonating an authority or reputable organization, often a software security company to lend credence.
- Guilt – you’ve missed a payment, or made a mistake that you need to fix, or someone knows about those inappropriate websites you visit.
- Romance or friendship – someone befriends you, gains your confidence, then asks for money or personal information, or even tries to extort you.
Warning signs of phishing and what to do:
- Unknown sender – Check the message carefully, and don’t open attachments or click or tap on links.
- Request for sensitive info – your login information, credit card number, or other personal info. Don’t give this information to anyone who initiated the contact with you, even they claim it’s for “verification purposes.” Instead go to the official website or call the official number.
- Request to share a login code or one-time password – Legitimate companies never ask for this.
- Appeal to emotion – (See the list above.) Think twice about any email that triggers your emotions and then asks you do something.
- False urgency or pressure – Be dubious about “last chance!” and “limited time!” offers.
- Unusual payment methods – such as gift cards, cryptocurrency, or wiring money (e.g., Western Union).
- Unexpected notification – of an order, a delivery, a payment request, and so on.
- Undelivered mail notice in your inbox – Check the destination email address. If it’s not familiar, don’t open any attachments.
- An email address or web link that doesn’t match the text or the sender – For example, apple@secure-services.com, fedex@pkgtracker.net, or an email that says it’s from Best Buy but has emilybronte@evilserver.ru as the return address. Check the sender and return address (both can be spoofed). On a computer, hover the mouse over links to see if they lead to suspicious or non-matching websites. Don’t click on suspicious links. Instead type the official company or organization name into your browser.
- A message or call from a large organization contacting you personally about a virus, a software update, or something similar – Companies with thousands or millions of customers won’t call you directly, and they especially won’t ask for your password.
- Misspellings and grammar errors – Messages from legitimate organizations are (usually) well written. Train yourself to look for incorrect company names and bad writing.
- Odd language that’s inappropriately formal or informal – If something seems off, double check the message.
- An email from yourself – Email senders can easily change the from: address in an attempt to trick you (called spoofing). Using your email address as the sender might fool you into thinking the message is legitimate, but it’s a sure sign of a scam. (Unless you did send an email to yourself.)
- Deliberately similar URLs – For example, microsofts.com or googlmail.com. Check email addresses and web URLs carefully.
- Substituted letters (homographs) in URLs – For example, none of the letters in “ηєţβαηĸ” are standard. Check email addresses and web URLs carefully.
- Unknown number – A blocked or unidentified phone number, number that you don't recognize, or number with a country code that doesn’t match yours.
- Instructions to install an app or run a command – For example, in Windows, pressing Windows-R and typing something; on a Mac, opening the Terminal app and typing something. Don’t blindly follow instructions to type commands on your computer, even if the person claims it’s safe and will fix something.
- Unknown QR codes – Unless you trust the source, use a QR reader that shows the link, and check it before you tap on it. Check the URL of the website after you follow a QR code to make sure it looks right. Even for seemingly legitimate public URLs, such as in a pay parking lot, be careful. Scammers may paste their own fraudulent QR codes on real signs.
- Shortened URLs from an unrecognized source – For example, tinyurl.com/trustme or bit.ly/3pt7mss. If there’s a shortened link that you’re not sure about, first use a link checker to see the full URL.
It used to be relatively easy to spot fishing attacks because of misspellings, bad grammar, and so on, but unfortunately artificial intelligence (AI) is making it easier to craft believable emails and even deepfake video or audio clips that look or sound like a relative, a friend, or a celebrity. If you get an unexpected video or phone call that urgently asks you to pay money or provide personal info, pause and think carefully. Check for deepfake giveaways such as unnatural blinking, odd eye movement, mouth of out sync with voice, shifting or blurry images, odd background, distorted voice, or voice inconsistencies that don't match the person's normal speaking pattern. If you’re at all suspicious, call the person directly to see if it was really them.
You can help keep others from becoming phish food by reporting attempts. Many email services have a "report phishing" option, and many online services have a phishing@<service>.com email address.
See 19 Most Common Types of Phishing Attacks in 2025 and the NCSC’s Quick Guide: Phishing for more information and advice.
5.4 Impersonation and pretexting
A common social engineering technique is to impersonate someone or pretend to be a legitimate company. This can happen offline (e.g., over the phone) or online (e.g., a fake login page). Also called pretexting, especially if the scam artist presents a fabricated but believable scenario to manipulate the victim into providing information. Also called blagging in the UK. Over half of phishing campaigns aimed at consumers impersonate known brands.
Impersonation is often the second phase of phishing (see 5.3.). It’s particularly prevalent in business email compromise (BEC), where the scammer either takes over or falsifies an email account and impersonates a trusted figure within a company or a trusted partner company such as a vendor or a law firm.
5.5 SIM swapping
A social engineering impersonation fraud, also called SIM hijacking, where the attacker calls your mobile phone service with sufficient personal details to pretend to be you and convince the support person to move your phone number to their SIM (subscriber identity module). They’ll claim the phone was lost or stolen, or a new purchase. In some cases, an employee is bribed to transfer numbers.
Once the attacker is in control of your phone number, they can attempt to log into your accounts or reset your passwords at any service that relies on text messages or automated phone calls.
This is a rare attack that’s overhyped. See “Is SMS insecure?” above.
Even though the risk of SIM swapping is low, you can protect yourself by visiting your mobile phone service website or app and finding the option to turn on SIM protection. (Note: this is different from the SIM lock or SIM PIN feature on your phone, which is used to prevent access to cellular data networks.)
Don’t shy away from using text message login codes because you fear they are insecure. The added security of a second login factor dwarfs the low risk of a SIM swap.
5.6 Malware
Malware is malicious software that gets installed on your computer, phone, or other device and steals sensitive information or causes disruption. Malware is often secretly installed in a phishing attack if you open an attachment or click on a link. Malware often masquerades as a software update.
Malware has been around since 2006 and is one of the primary ways passwords are compromised. The Specops 2025 Breached Password Report indicated that over a billion passwords have been stolen by malware. At least 71 million email addresses and passwords have been stolen by infostealers. Research by NordPass indicates that the top countries infected by malware are Brazil (9.6 million infected users), USA (6.9 million), India (6.9 million), Indonesia (5.3 million), and Vietnam (3.6 million).
- Spyware – searches for sensitive information stored on your devices or transmitted over email or website.
- Infostealer – spyware focused on stealing sensitive information such as passwords and credit card numbers.
- Keylogger – records all your keypresses.
- Trojan – disguised as legitimate software or hiding inside it.
- Remote access trojan (RAT) – gives the attacker remote control of your device.
- Virus or worm – emails itself to your contacts or copies itself to other devices on a network.
- Ransomware – encrypts all your data so the attacker can demand payment in return for the decryption key.
Malware that records information (spyware, infostealers, keyloggers) compiles it into a file (a stealer log) that it sends back to the attacker to analyze and crack (see 5.2) or to sell on dark webs. Spyware grabs specific files, such as browser cookies, browser secure storage for passwords and credit cards, crypto wallets, operating system password files. Spyware may monitor your clipboard, email, and web traffic looking for passwords and other info, and it may take screenshots.
Malware requires skill to develop, but now there is “malware as a service” (MaaS), which allows unsophisticated attackers to subscribe to an online malware service for a few $100 a month.
To protect yourself against malware:
- Don’t follow links or open attachments from unrecognized sources. (See 5.3 for more on recognizing and avoiding phishing attacks.)
- Use anti-malware (“antivirus”) software, preferably what’s built into your operating system. Third-party anti-virus software is available, but make sure it’s reputable. Never install software recommended by a pop-up that claims you have a virus — it’s a phishing attack.
- Keep all the software on your computer up to date. Install updates as soon as you’re prompted. Malware often exploits software bugs to gain access.
- Don't download warez. Pirated software is notoriously risky for carrying malware.
- Use passkeys when available. Passkeys use encrypted secrets that you never type, so they are highly resistant to malware.
- Use 2FA if available. Your username and password won’t work without the second factor, so it’s useless unless the malware is monitoring your email and SMS and attempting to log into your account in real time (which is unlikely). A side benefit is that an unexpected 2FA request will alert you that someone might be trying to get into your account.
- Register at Have I
Been Pwned or a dark web monitoring service to see if your email address or phone number
was exposed in a breach. If so, change your password immediately.
Note: Proactively changing your passwords has questionable value, since stolen passwords are usually exploited quickly. - Don’t re-use important passwords. This limits the damage if your password is stolen.
- Restart your phone once a day. Most phone malware can only run in memory, so turning your phone off and on erases it.
- If you are extremely concerned, or regularly attacked, enable lockdown mode on your Mac, iPhone, or iPad. Be aware that this limits the functionality of your device.
6 Guidelines for developers
This section provides advice and resources for software engineers and product managers.
6.1 Accepting passwords
Don’t be a sheep! Don’t blindly copy the annoying and counter-productive composition rules that too many sites and services use.
1) Require long passwords. Eight characters is the absolute minimum, but twelve is a better lower limit. Not to beat a dead horse battery staple, but length is the most important factor in password strength.
2) Block common or breached passwords. This takes more work but is the very best way to safeguard your users. When a new password is entered, check it against a block list of common passwords such as PwnedPasswordsTop100k or 10-million-password-list-top-100000.txt, or query a hashed database of compromised passwords such as the Have I Been Pwned API or the Weakpass API, or use an authentication portal that has a built-in block list. If the proposed password is on the list, explain to the user why it can’t be used, and tell them to pick a better one. A specious argument against blocking common passwords is that it inconveniences users. But it only catches users who need it the most, for their own good.
3) Don’t put restrictions on passwords other than minimum length. Don’t
require mixed case, numbers, or special characters. Don’t block repeated characters. Strict
composition rules weaken security by reducing
password entropy (see 2). The typical rules cut the number of
possible eight-character passwords in half, and they hinder the use of randomly generated
passwords. Password rules make passwords harder to remember and they frustrate your users. Bill
Burr, who wrote the original NIST guidelines recommending numbers and special symbols, now
recognizes that this was bad
advice. Multiple studies show the rules don’t help, and they give users a false sense of
security. These cumbersome rules are already incorporated into the toolkits of password crackers,
so they play right into the hands of the bad guys (see
5.2).
Advising (but not requiring) users to include special characters is helpful, but
the simplest and most important advice is to make the password 12 characters or longer (see 3.1).
4) Allow very long passwords, at least 64 characters.
5) Don’t restrict the set of characters allowed in passwords. Allow at least all ASCII printable characters (codepoints 33 to 126). If you encourage passphrases then allow the space character (but strip leading or trailing spaces). If you think you need to disallow characters such as & and \ to avoid parsing errors or SQL injection, that’s a screaming clue that you’re handling passwords incorrectly. They should go straight into the hash function before you do anything else with them. If for some depraved reason they need to be passed to another component, percent encode them. You could consider allowing all printable Unicode characters, UTF-8 encoded and normalized, but keep in mind that some devices such as smart TVs and phones don’t allow entering all Unicode characters, so you might want to protect your users from creating a password that they can’t type later on a different device.
6) Don’t force users to change their password unless you know it was breached. (See NCSC's advice against password expiry.)
7) Never use “security questions.” Despite their name, these are far from secure. Questions such as “What city were you born in?” “What was your high school mascot?” and “What’s your favorite movie?” are one of the primary ways accounts are compromised. An attacker has about a 50 percent chance of correctly guessing “What’s your favorite food?” for an American in just three tries with “pizza,” “steak,” and “hamburger.” Who has just one favorite movie? (See Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google.) And in any case using the same answer at multiple websites means that if one account is hacked, others could be compromised. If for some reason you can’t use email or text messaging to implement password recovery, let the user write their own question and answer.
8) If you’re too lazy to block common passwords, password strength meters have been shown to help users. But don’t use one erroneously based on “complexity” or entropy (see note above). Good password strength meters primarily measure length. (If the password is longer than 14 characters it’s stronger than any other silly measurement of “strength.”) Some password strength meters analyze patterns, some include block lists, and some use Markov models to estimate guessability. Don’t write one yourself, use a library such as DropBox’s zxcvbn or NuLabs’ zxcvbn4j, Chris Tetreault’s Password Strength or adapt NEMO. Even good password strength meters can incorrectly judge strong passwords as weak, so use it only to advise the user, not to reject passwords.
9) Encourage MFA, but don't require it unless you're a financial institution or you hold very critical information. When you implement MFA, don’t re-authenticate at every login, just for important activity such as changing password, email, credit card and other payment information, transferring money, or when a login occurs on a different device or a new location. (See NCSC Authentication methods: choosing the right type.) Don’t use a “magic link” email as the only login option (see 4.4).
10) Support passkeys. Passkeys are not yet sufficiently deployed, and some implementations are problematic and confusing (see Passkeys Remystified - coming soon), so as of 2025 it’s best to offer them alongside a password and MFA. (See the NCSC recommendation.)
11) Limit multiple login attempts. Throttling, with a progressively increasing time delay between successive login attempts, is preferred to account lockout, since it doesn’t frustrate users but provides sufficient protection from attacks such as credential stuffing and see password spraying. You may wish to add a CAPTCHA, but only after a few unsuccessful login attempts. Use both the account name and the IP address to track multiple requests, since botnets can vary the IP address for every attempt. Nevertheless, it’s a good idea to track total login requests from a single IP (regardless of account name) to detect distributed attacks.
Note for health and financial services: Don't buy into the myth that HIPAA and PCI DSS require specific types of characters in passwords. They don't.
6.2 Protecting passwords
- First, hopefully obviously, secure your entire system. The best way to protect password data is to make sure it’s never stolen. However, perfect security is impossible, and everyone makes mistakes, so following the best practices below will help minimize password cracking attacks if the data is breached.
- Always hash and salt passwords. It’s a good idea to add a pepper. Use a cryptographically secure pseudorandom number generator to generate a unique salt value for each password.
- Passwords should be hashed (with a one-way function), not encrypted (with a two-way function). A good password hash function is designed to be slow and use lots of memory for the express purpose of slowing down attackers (see 5.2.1). Don’t use fast cryptographic hash functions such as MD5, SHA-1, the SHA-2 family (SHA-256, SHA-512, and siblings), or obsolete password hash functions such as bcrypt, or two-way encryption algorithms such as DES, AES, RSA, and ECC.
- Use a modern hash function such as Argon2 that takes the salt as input along with the password. The pepper (a single value that’s the same for every password) can also be passed to Argon2 as the secret value K. If you’re using a hash function that doesn’t take a pepper (or an Argon2 library that doesn’t expose the K parameter), then the pepper can be combined with the password hash by using an HMAC function. E.g., Argon2(password, salt, pepper) or HMAC(Argon2(password, salt), pepper).
- Use the strongest hash you can, preferably Argon2id. If Argon2id is not available for your platform or language, use scrypt, or PBKDF2.
- Use an existing, tested library for your hash function. Libraries are available for most programming languages. Never try to write your own hash algorithm. You’ll just be reinventing a (wobbly) wheel. Unless you’re one of the top crypto experts in the world, your homemade hash won’t work as well as one of the published hashes. Ditto for the random number generator for the salt and the HMAC function for the pepper.
- The final password hash and the (unhashed) salt go together with the username in the database. The pepper is securely stored separately. To be clear, if the data is breached, the salt will be known to the attacker, which is as expected.
See the OWASP Password Storage Cheat Sheet for advice on hash functions, salting, peppering, and more.
If you store anything else in the database along with usernames, password hashes, and salts, such as first name, last name, birth year, phone number, and other profile info, encrypt it (with a two-way function, not a hash). Never store any user information unencrypted. If your application requires searching any of the data, use searchable encryption or maintain a separate encrypted index.
7 Additional resources
Multi-factor authentication:
- A Usability Study of Five Two-Factor Authentication Methods (2019 paper and slides)
- Yubico and Ponemon 2020 State of Password and Authentication Security Behaviors
- Expert Insights Multi-Factor Authentication (MFA) Statistics
Passkeys and whatnot:
- The Secret Double Octopus blog has detailed articles on MFA, passkeys, and more.
- WebAuthn & Passkeys: User ID, User Handle, User Name and Credential ID
Password research:
- LastPass 3rd Annual Global Password Security Report
- LastPass Psychology of Passwords 2022
- The Next Domino to Fall: Empirical Analysis of User Passwords across Online Services, an analysis of password reuse and modification. (2108 paper)
- Practical Recommendations for Stronger, More Usable Passwords Combining Minimum-strength, Minimum-length, and Blocklist Requirements, an interesting study of the use of block lists and minimum guess thresholds estimated by a neural network. (2020 paper)
- Of Passwords and People: Measuring the Effect of Password-Composition Policies, a somewhat old analysis of password entropy. (2011 paper)
- Password policies of most top websites fail to follow best practices. (2022 paper)
- SecLists, a collection of many different password lists and related texts for security assessment.
Security and data breach deep dives:
- Center for Internet Security Insights
- Microsoft Digital Defense Report 2024
- Verizon Data Breach Investigations Report
- Specops Breached Password Report
- OWASP Cheat SheetsTons of informatio on security topics such as authentication, credential stuffing prevention, password reset, and password storage.
- MITRE ATT&CK, a comprehensive list of adversary tactics and mitigations.
- OWASP Attacks, another comprehensive list of adversary tactics and mitigations.