Login Security FAQ
This frequently asked questions list is a companion to Login Security Demystified, which has more detailed information. Some information is repeated here, but you may have specific questions that are easier to find in this list. For more details, follow the links.
Let Jim know if you have a question that’s not answered.
What makes Login Security Demystified better than hundreds of other websites on the topic?
In Jim’s not-so-humble opinion, it’s more accurate, more comprehensive at a general level, and easier to understand, with just the right amount of technical detail. Copious references and sources are provided. If you think something is wrong, missing, or too hard to understand, let Jim know.
Why is password strength important if my account is locked after too many tries?
Most websites and apps limit the number of login attempts. However, hundreds of databases containing hundreds of millions of scrambled (hashed) passwords have been stolen. Once an attacker has that data on their own computers, no lockout applies, and they can make trillions of guesses to recover your password (see 5.2). The best way to be safe is to have a strong password. Also, an attacker who has your stolen email/username, and perhaps your password, can try to log in as you on multiple services (see 5.1). This is why it’s important to limit password re-use.
How do I make a strong password?
A secure password is long, unpredictable, unique, and not compromised. Many guidelines about making good passwords are wrong or have useless advice. See 3.1 for the only three guidelines you need. However, keep in mind that the strongest password does no good if stolen by malware or phishing, so learn how to protect yourself from these attacks.
How can I test the security of my password?
- Count the characters. A longer password is a stronger password.
- Check if it has been compromised, such as at Have I Been Pwned or Weakpass.
- Don’t bother with a password strength meter. None of them give a true representation of password security (see Complexity, predictability, and strength).
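The Have I Been Pwned check mentioned above works without sending your password anywhere: the client hashes the password with SHA-1, sends only the first five hex digits of the hash, and receives every known suffix for that prefix. The example below is added here and is not code from the FAQ; the `SAMPLE_RANGE_RESPONSE` is a constructed stand-in for a real response, with only the suffix of the word "password" being genuine, and the 1e12 figures elsewhere on this page are not used here.

```python
import hashlib
import urllib.request
from typing import Tuple

# Constructed stand-in for what the Pwned Passwords "range" endpoint returns
# for the prefix 5BAA6 (the first five hex digits of SHA-1("password")).
# A real response holds hundreds of "SUFFIX:COUNT" lines; the two suffixes
# other than the one for "password" are made up for this example.
SAMPLE_RANGE_RESPONSE = """\
0D2E8B9F0A1C4D5E6F7A8B9C0D1E2F3A4B5:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
AABBCCDDEEFF00112233445566778899AAB:17
"""


def hash_prefix_and_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-character prefix that
    is sent to the service and the 35-character suffix that stays local.
    The service never sees the password, nor even its full hash."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_response: str) -> int:
    """How often the password appears in the breach corpus, given the range
    response for *its own* prefix. Returns 0 when the suffix is absent
    (padding entries, if requested, carry a count of 0 and also yield 0)."""
    _, suffix = hash_prefix_and_suffix(password)
    for line in range_response.splitlines():
        found_suffix, _, count = line.strip().partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup (network required). Add-Padding makes every response the
    same size so an observer can't infer anything from its length."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    req = urllib.request.Request(url, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def is_compromised(password: str) -> bool:
    """Convenience wrapper around the live service."""
    prefix, _ = hash_prefix_and_suffix(password)
    return breach_count(password, fetch_range(prefix)) > 0


if __name__ == "__main__":
    print(breach_count("password", SAMPLE_RANGE_RESPONSE))  # offline sample
```

Only `breach_count` is exercised offline; `is_compromised` performs the real query. Do this check when a password is set or changed, and treat any non-zero count as "pick another one".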
Should I use a password manager?
Password managers are a great way to generate secure passwords that you don’t have to remember. If you’ve ever said yes to the “Save password” prompt in your browser, you’re already using its built-in password manager. Other password managers are available with handy features. See 4.1 for more.
Should I make one, super-strong password to use with all my accounts?
Ooh, bad idea. One of the main rules of password security is to never use the same password for more than one account, at least not for important accounts. The one exception is a password manager: then you need only a single, strong password (plus a second factor) to protect all your other passwords.
I know I’m supposed to make every password different, but how can I remember them all?
For less important accounts it’s not that important to avoid reusing passwords. But for important accounts related to money or sensitive personal information you should never use the same password. It’s ok to write down passwords in a safe place if it helps you remember them. Or use a password manager, which will remember them all for you.
Are longer passwords more secure?
A longer password is a stronger password. As long as it’s not a known password; i.e., you haven’t already used it at a service from which it was stolen and cracked. Your passwords for important accounts should be at least 12 characters long, preferably more.
Why is a more complex password more secure?
It depends on what you mean by “complex.” What some people think is complex —like “p@$$word!”— is a predictable human pattern. Secure passwords are long and unpredictable. See section 2 for more.
What is a passphrase? Is it more secure than a traditional password?
A passphrase is a sequence of memorable words used instead of a password. Passphrases take longer to type, but they are usually much stronger than most passwords because they are longer.
Which is more secure, a passphrase or a random password with the same number of characters?
That depends on what the attacker knows. Take the passphrase “fish/clean/ticklish/toes” (24 characters) and the password “8JD@JYbTmt*mVBC~N6yCn5ES” (also 24 characters). An attacker who knows nothing about how either was made has to treat both as arbitrary 24-character strings, and neither can be brute-forced. Entropy calculations, on the other hand, assume the attacker knows the structure: each random character is one of 95, so the random string is worth about 24 × 6.6 ≈ 158 bits, while each word is one of roughly 8,000 (a short word list) to 40,000 (English vocabulary), so four words are worth only about 52 to 61 bits. By that measure the passphrase is far weaker, but only against an attacker who already knows you used a passphrase, how many words, which word list, and what you put between the words (the prescient attacker fallacy). This is why an entropy figure is only as good as the assumptions behind it and is not a property of the password by itself (see Complexity, predictability, and strength). In practice it comes down to length: add a word or two and the passphrase gets stronger under either assumption, with the bonus of being easier to remember.
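To make the attacker-model point above concrete, this added example (not code from the FAQ) computes the entropy of the two 24-character secrets under each assumption and the time to try every candidate. The alphabet and word-list sizes are the ones quoted in the answer; the 1e12 guesses-per-second rate is an assumption standing in for a GPU rig attacking a fast, unsalted hash.

```python
import math

PRINTABLE_ASCII = 95      # each random character is one of 95 (from the answer above)
SHORT_WORDLIST = 8_000    # "short word list" size from the answer above
ENGLISH_VOCAB = 40_000    # "English vocabulary" size from the answer above


def bits_random_string(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Entropy of a uniformly random string when the attacker knows the alphabet."""
    return length * math.log2(alphabet_size)


def bits_passphrase(word_count: int, wordlist_size: int) -> float:
    """Entropy of a passphrase when the attacker knows the word count and the list."""
    return word_count * math.log2(wordlist_size)


def bits_as_opaque_string(secret: str, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """An attacker who does not know a passphrase was used must treat it as an
    arbitrary string of printable characters (the prescient attacker fallacy)."""
    return bits_random_string(len(secret), alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at a given offline guess rate."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def compare(passphrase: str, word_count: int, random_password: str,
            guesses_per_second: float = 1e12) -> dict:
    """Entropy (bits) and full-search time (years) for both secrets under
    each attacker model. 1e12 guesses/s is an assumed fast-hash GPU rate."""
    models = {
        "random string, alphabet known": bits_random_string(len(random_password)),
        "passphrase, short list known": bits_passphrase(word_count, SHORT_WORDLIST),
        "passphrase, English vocab known": bits_passphrase(word_count, ENGLISH_VOCAB),
        "passphrase, structure unknown": bits_as_opaque_string(passphrase),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
            for name, bits in models.items()}


if __name__ == "__main__":
    results = compare("fish/clean/ticklish/toes", 4, "8JD@JYbTmt*mVBC~N6yCn5ES")
    for name, (bits, years) in results.items():
        print(f"{name:35s} {bits:7.1f} bits  {years:12.3g} years")
```

Against a fast hash and an attacker who knows the word list, the four-word passphrase is exhausted in hours; the same passphrase treated as an opaque 24-character string is out of reach. Slow hashing (bcrypt, Argon2) lowers the guess rate by orders of magnitude but does not change the candidate count, so the user-side fix is still the same: more words.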
Is it bad to write down passwords?
It’s fine to write down passwords to help you remember them, especially if this means you’ll make longer, strong passwords. Or use a password manager, which will securely store them and enter them for you.
Should I change my passwords regularly?
No. This outdated advice was never sensible in the first place. The average person now has over 150 online accounts. Regularly changing all those passwords would make them harder to remember and would waste your time. It’s simpler and faster to sign up at Have I Been Pwned and only change a password if it has been compromised in a data breach.
What is a character or a character set?
A character is a letter, number, punctuation mark, or other symbol that you can enter or display on a computer. A character set is a specific group of symbols such as lowercase letters, uppercase letters, numbers, and other symbols. Anything not a letter or number is often called a special character. The term character set may also refer to the limited set of characters that a service’s password policy allows.
Is a password with numbers more secure than one with just letters?
No. Over two thirds of passwords include a number, so someone trying to crack your password will include numbers. Special symbols are less common, but it’s more important to have a long password than to add numbers, capital letters, or symbols.
Does adding special characters make my password more secure?
Adding special characters to your password is your choice, and it might make the password a teensy bit stronger, depending on the symbol and where you put it (see Complexity, predictability, and strength and Password patterns). But it’s much more important to have a long password than to add symbols, especially if you add them in predictable ways.
Can I add emojis to make my password more secure?
It depends on the password policy of the website or app. Many services won't let you include emojis. Others, especially in countries that don’t use the Roman alphabet, allow many Unicode characters. Using obscure characters such as emojis will make your password a little stronger, but not as strong as just making it a few normal characters longer. Keep in mind that if you log in from multiple devices, especially something like a smart TV, you may not be able to enter an emoji. Of course there’s a certain satisfaction from using 💩 at sites you don’t like but have to use.
Should all passwords have at least one capital letter, lowercase letter, number, and special symbol?
No. This is a myth about password security. A short password with all four character types is much weaker than a long password, regardless of what characters are in it.
Why do websites make me add numbers and special symbols to my password?
Because the software developers are clueless sheep. Password policies are a misguided attempt to make you create better passwords, but they don’t work, and they make password security worse, not better. See section 2 for more.
Hey, I’m a software dev, and our website has a strong password policy. Who are you calling a clueless sheep?
Let’s explore this with a little game. You pick a number from 1 to 100 and I'll guess it. But hold on, I know about studies that show how people pick 37, 69, 7, and 77 most often, and they prefer prime numbers. So only pick even numbers to make the game harder for me. Hmmm. That reduced your possible guesses from 100 to 50, making it easier for me to guess your number, not harder. Oops! Forcing users to follow rules when making passwords falls into the same trap. (See Password patterns and Guidelines for developers.)
Is AAAAAAAAAAAAAAAAAA a strong password?
It’s 18 characters long, which would make it strong, but it’s on lists of exposed passwords, so it should not be used. ABABABABABABABABAB is also 18 characters long and may not be on a breached password list, but it’s a repeated two-character pattern, and cracking tools generate such patterns from simple rules: every two-character unit repeated nine times is only about 9,000 candidates, so it falls in a fraction of a second. A random 18-character string, by contrast, is far beyond brute force, which is exactly why attackers rely on breached lists and pattern rules instead of trying every combination. Length only helps when the characters aren’t predictable, so avoid repeated and keyboard patterns.
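The following added example (not code from the FAQ) shows how cheaply a repeated-pattern rule recovers ABABABABABABABABAB from its hash, while the full 18-character search space stays astronomically large. SHA-256 stands in for whatever hash a breached site used; the candidate passwords are constructed here.

```python
import hashlib
import itertools
import string
from typing import Iterator, Optional, Tuple

# 94 printable ASCII characters excluding space: the alphabet a cracker's
# mask or rule attack would draw from.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def sha256_hex(password: str) -> str:
    """Stand-in for the stolen hash. A slow hash such as bcrypt or Argon2
    reduces the guess rate but does not change how many candidates exist."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def repeated_pattern_candidates(total_length: int, unit_length: int) -> Iterator[str]:
    """Every password made by repeating a unit of unit_length characters until
    total_length is reached ('AB' * 9, 'xy' * 9, ...). This is the rule an
    attacker adds as soon as such passwords show up in breaches."""
    repeats = total_length // unit_length
    for unit in itertools.product(ALPHABET, repeat=unit_length):
        yield "".join(unit) * repeats


def crack_repeated(target_hash: str, total_length: int,
                   max_unit_length: int = 2) -> Tuple[Optional[str], int]:
    """Try unit lengths 1..max_unit_length. Returns (password, guesses made),
    or (None, guesses made) when the password is not a repeated pattern."""
    guesses = 0
    for unit_length in range(1, max_unit_length + 1):
        if total_length % unit_length:
            continue
        for candidate in repeated_pattern_candidates(total_length, unit_length):
            guesses += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def brute_force_candidates(total_length: int) -> int:
    """Size of the search space if the attacker had to try every string."""
    return len(ALPHABET) ** total_length


if __name__ == "__main__":
    for pw in ("AAAAAAAAAAAAAAAAAA", "ABABABABABABABABAB"):
        found, n = crack_repeated(sha256_hex(pw), len(pw))
        print(f"{pw}: recovered={found == pw} after {n} guesses "
              f"(full brute force: up to {brute_force_candidates(len(pw)):.2e})")
```

The rule runs 94 + 94² = 8,930 guesses at most for an 18-character target, against 94¹⁸ for exhaustive search. A truly random 18-character string is never produced by the rule and is reported as not found.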
If a short, four-digit PIN is a terribly weak password, why are PINs used?
A PIN (personal identification number) is almost always part of multi-factor authentication. The PIN is one factor tied to a second, physical factor such as a debit card, a specific computer, or a specific phone, so even if the PIN is known, it’s unlikely to work anywhere else. On a phone or computer the PIN is checked by the device’s own security hardware, is never sent to any service, and the hardware slows down or locks after a few wrong guesses, unlike a password that can be stolen, cracked, and entered from anywhere. If your device is stolen and had no attempt limit, it would take on average 5,000 tries to guess a four-digit PIN (unless you use a common PIN such as 1234 or a birth year); modern phones throttle or wipe after a handful of wrong attempts, so a thief rarely gets anywhere near that many.
What is passwordless or password-free authentication?
Logging in without entering a password. Passwordless often refers to passkeys, which are a significant improvement over passwords: the secret is a private key kept on your device, and you unlock it with a fingerprint, facial recognition, or your device PIN. These terms may also refer to any authentication method that doesn’t use a password.
Is signing in with my phone more secure than typing a password?
Signing in with a passkey on your phone is much more secure than using a password. Many services don’t support passkeys but do let you receive a text message code on your phone as a second factor along with your password. Text message codes have weaknesses (they can be intercepted by SIM swapping or phished in real time), but a password plus a text code is still much more secure than a password alone.
Is a fingerprint or facial recognition more secure than a password?
A biometric is almost always more secure as a way to unlock a device, because the fingerprint or face data stays on the device and is only used locally to release a key stored there; nothing that could be replayed from another device is ever sent to the service. If someone knows your password, by contrast, they can log in from anywhere, on any device. Fingerprint readers and cameras can be fooled, but it takes physical access and real effort.
What is MFA or 2FA?
MFA stands for multi-factor authentication, where you use more than one factor to log in, such as a password plus a one-time code. 2FA means two-factor authentication.
Is two-factor authentication more secure than a simple password?
Yes. If someone has stolen or guessed your password, they are very unlikely to also have the second factor. One caveat: a code you type in can be phished in real time by a fake login page that relays it to the real site, so passkeys and hardware security keys, which are tied to the real site’s address and can’t be relayed, are stronger than codes.
Is a “magic link” better than a password?
Some services send you a link via email or text and instruct you to tap or click the link to log in. The marketing departments like to call this a “magic link.” If the link is used in addition to a password, it’s quite secure. (It's a second factor.) If the link is used instead of a password, it’s a bit less secure but still better than a password alone, primarily because the link usually expires after a short time, so even if someone has access to your email, older links won’t work. However, “better” also applies to the user experience, which can be dismal if you have to wait for the email, perhaps not get the email, and so on. See 4.4 for more.
What if I receive a login code in an email or text message but I wasn’t trying to log in?
It usually means someone is trying to break into your account, but without the code they can’t. Don’t share the code with anyone, and if your second factor is a push notification, don’t approve a prompt you didn’t trigger. There’s no need for any other action, but if you get repeated messages you might want to double check your account and make sure you have a strong password. Attackers use techniques called credential stuffing and password spraying where they attempt to break into thousands or millions of accounts online, which can generate login verification messages, especially if you’re using multi-factor authentication.
What are biometrics?
Biometrics are a way of measuring a person’s unique physical and behavioral characteristics. Biometrics such as fingerprint and face scan are used to verify that a person unlocking a device is authorized.
What does “use token” mean when I’m logging in?
A token is a hardware security key that either displays a one-time password (OTP) or plugs into (or taps) your device and uses a private key stored inside it to sign a login challenge; the private key never leaves the token. This phrase might also (inaccurately) refer to a software authenticator.
What is an OTP?
A one-time password (OTP) is a login code that can be used once. Time-based codes, the kind an authenticator app shows, change every 30 seconds or so; codes sent by text or email, and counter-based codes from a hardware key, stay valid until they are used or expire.
How can a browser import all my stored passwords from a different browser? Isn’t that a security risk?
Browsers have built-in password managers that can store your passwords. The browser encrypts the passwords and requires device-specific authentication to access them. The second browser has to be on the same device, and you have to enter the PIN or password you use to unlock the device to allow the import. Anyone who has your unlocked device and knows that PIN or password can do the same, so protect both. Contrary to sensational posts on the Internet, browser extensions can’t read the stored password vault directly, but a malicious extension or other malware running on your device can capture a password when the browser fills in a login form, which is no different from it being captured as you type. Information-stealing malware that runs under your own user account can also decrypt the browser’s stored passwords, because the operating system grants it the same access it grants the browser; this, not extensions, is how stored browser passwords are usually stolen.
What is a key or encryption key?
An encryption key is a long, computer-generated number used to encrypt (cryptographically hide) or decrypt data. Once the data is encrypted, reading it without the key is computationally infeasible. Encryption keys are unique and difficult to guess; the longer the key, the harder it is to guess. Keys are often kept secret, or there may be a public key paired with a private key. Modern replacements for passwords such as passkeys use encryption keys.
What is a public/private key or a key pair?
A set of two keys that work together, where the private key is kept secret and the public key can be shared in the open (see Public/private keys).
What is asymmetric cryptography?
An encryption mechanism where one key encrypts but a different, mathematically related key is required to decrypt. The same pair also works the other way round: the private key produces a signature that anyone holding the public key can check but nobody can forge without the private key, which is how a passkey proves it’s you. Asymmetric cryptography is the basis for public/private keys (see Public/private keys).
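The challenge-response login that the previous two answers describe looks like this in code. This is an added example, not from the FAQ, and it uses textbook RSA with tiny primes (61 and 53) so the numbers are readable; it is a toy for illustrating the public/private relationship, not a cryptosystem to deploy (real systems use ~2048-bit RSA or elliptic curves, padding, and a proper library). The `RelyingParty` class and the user name "alice" are this example’s own constructions.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

PublicKey = Tuple[int, int]   # (n, e): safe to publish
PrivateKey = Tuple[int, int]  # (n, d): stays on the user's device


def make_keypair(p: int, q: int, e: int = 17) -> Tuple[PublicKey, PrivateKey]:
    """Textbook RSA key generation from two primes. The primes used below are
    tiny so the numbers are readable; real keys use primes of ~1024 bits or more."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)


def challenge_digest(challenge: bytes, n: int) -> int:
    """Hash the challenge and reduce it into the range the modulus can hold."""
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n


def sign(private_key: PrivateKey, challenge: bytes) -> int:
    """Only the holder of d can compute this."""
    n, d = private_key
    return pow(challenge_digest(challenge, n), d, n)


def verify(public_key: PublicKey, challenge: bytes, signature: int) -> bool:
    """Anyone with (n, e) can check it; without d it can't be forged."""
    n, e = public_key
    return pow(signature, e, n) == challenge_digest(challenge, n)


class RelyingParty:
    """The service. It stores only public keys, so a breach of this table
    gives an attacker nothing that logs in."""

    def __init__(self) -> None:
        self.public_keys: Dict[str, PublicKey] = {}

    def register(self, username: str, public_key: PublicKey) -> None:
        self.public_keys[username] = public_key

    def new_challenge(self) -> bytes:
        # Fresh per login, so a captured signature can't be replayed later.
        return secrets.token_bytes(16)

    def login(self, username: str, challenge: bytes, signature: int) -> bool:
        public_key = self.public_keys.get(username)
        return public_key is not None and verify(public_key, challenge, signature)


def run_login(challenge: Optional[bytes] = None) -> bool:
    """Whole exchange: register, challenge, sign on the user's device, verify."""
    public_key, private_key = make_keypair(61, 53)      # toy primes
    service = RelyingParty()
    service.register("alice", public_key)
    challenge = service.new_challenge() if challenge is None else challenge
    signature = sign(private_key, challenge)            # happens on alice's device
    return service.login("alice", challenge, signature)
```

Note what the service never learns: the private key. A phishing site can collect a signature, but it is over that site’s challenge, so it does not satisfy the real service’s challenge; this is the property that makes passkeys phishing-resistant.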
Won’t quantum computing make all this obsolete and useless?
Yes and no. Large quantum computers don’t exist yet, but a big enough one could run algorithms that break the math behind today’s public/private keys (RSA and elliptic curves), including the keys behind passkeys. Password hashes are much less affected: a quantum computer only roughly halves the effective length of a hash, which is one more reason to prefer long passwords. “Quantum-resistant” key algorithms have already been standardized, so key-based systems such as passkeys can be updated to them and remain secure.
What is a fallback mechanism?
A secondary means of logging in when the primary method fails (you forget your password or passphrase, you lose your passkey or the device holding your passkey, your software authenticator or hardware security key is unavailable, and so on). The most common fallback mechanisms are email and text messages, although almost any authentication factor can be used.
What is a service or service provider?
An organization that provides a service, such as a bank, an email service, a social media network, shopping, streaming, and so on. In more technical terms, a service provider may refer to the software that an organization uses to communicate with a client such as a browser or an app that serves as the intermediary to the user.
What does SSO mean?
SSO stands for single sign-on, which lets you log in once, with one set of credentials (username and password, or a passkey), and use multiple services, either within an organization or across sites that accept an identity provider such as “Sign in with Google”.
What is a data breach?
One or more computer files, usually containing usernames, hashed (scrambled) passwords, and other personal or sensitive information, that have been stolen from a service. To “breach” means to make a gap or to break in. The term data breach refers to both the event itself and the data stolen during the breach.
What is PhaaS?
Phishing as a service. Phishing is becoming increasingly sophisticated as a few skilled programmers make "phishing kits" available to anyone who pays a subscription fee. PhaaS accounts for hundreds of millions of phishing messages each month.
What is a botnet?
A set of computers or other Internet-connected devices (even WiFi routers, thermostats, kitchen appliances, and other Internet of things devices) that have been infected with malware to be remotely controlled by an attacker. Botnets are often used for online password guessing. Botnet is a portmanteau of “robot” and “network.”
What’s the dark web?
Dark web refers to hidden sites or applications on the Internet that don’t appear in searches and can only be reached with special software, most commonly the Tor browser (a VPN alone doesn’t get you there). The dark web is used by people trafficking in stolen data, drugs, illicit trade, and illegal activities. Data breach files are often sold or traded on the dark web.
What does zero trust mean?
Zero trust is a security model that assumes no one and nothing is trustworthy until authenticated, and that they must be continuously verified. It improves security by removing implicit trust and by not assuming that anyone within a network or a system is trustable.