Password
A password is a secret string of characters presented to an authentication system as proof of identity to grant or deny access to a protected resource, representing the most widely deployed form of single-factor authentication.
What Is a Password?
A password is a secret string of characters that a user presents to an authentication system as proof of identity, allowing the system to grant or deny access to a protected resource. Passwords represent the most widely deployed form of single-factor authentication, relying on the premise that only the legitimate user knows the string. The mechanism dates to time-sharing computer systems of the 1960s and remains foundational to digital security despite decades of effort to supplement or replace it with stronger authenticator types.
Passwords operate within a broader authentication framework defined by what a user knows, what a user has, and what a user is. A password occupies the "something you know" category, which makes it vulnerable to disclosure through guessing, phishing, or database breach, but also makes it deployable without any specialized hardware. The tension between usability and security in password design is a persistent theme in both research and operational practice.
Password Composition and Strength
Password strength is a function of the size of the search space an attacker must explore to guess the credential. Longer passwords generally provide more entropy than short passwords with complex character requirements, a finding that has shifted contemporary guidance away from mandatory special-character rules and toward minimum length thresholds. The NIST Special Publication 800-63B recommends passwords of at least eight characters, with verifiers encouraged to accept strings up to 64 characters. The same publication advises that systems check submitted passwords against lists of known compromised credentials, common dictionary words, and repetitive patterns, blocking these choices regardless of their apparent complexity. This approach recognizes that character composition rules often produce predictable patterns, such as substituting "3" for "e," that sophisticated attackers have already encoded in attack dictionaries.
Storage and Cryptographic Hashing
Storing passwords in plaintext is a disqualifying security failure. Modern systems store a cryptographic hash of the password combined with a per-user random value called a salt. When a user authenticates, the system hashes the submitted string with the stored salt and compares the result to the stored hash. The salt ensures that two users with identical passwords produce different stored values, frustrating precomputation attacks such as rainbow tables. The choice of hash function matters: fast functions like MD5 and SHA-1 are unsuitable because an attacker who obtains the hash database can test billions of candidates per second on consumer hardware. Adaptive functions such as bcrypt, scrypt, and Argon2 are specifically designed to be computationally expensive, scaling with a configurable work factor to remain resistant as hardware speeds increase. Argon2 won the Password Hashing Competition in 2015 and is the recommended algorithm in many contemporary security frameworks.
Authentication Policies and Lifecycle
Password lifecycle policies govern how credentials are created, rotated, and retired. Mandatory periodic expiration, once a standard enterprise control, has been broadly reconsidered: forced rotation often produces predictable incremental changes and encourages credential reuse, outcomes that reduce rather than increase security. Current guidance from NIST and other bodies recommends changing passwords primarily when there is evidence of compromise, such as when a user's email address appears in a breach notification service. Organizations are also advised to implement account lockout or rate-limiting to slow online guessing attacks and to log authentication failures for anomaly detection. Combining passwords with a second authenticator factor, such as a one-time code generated by an authenticator application, substantially reduces the impact of password theft. The NIST Cybersecurity guidance on passwords outlines these principles for general audiences.
Applications
Passwords have applications in a wide range of disciplines, including:
- User authentication for web applications and cloud services
- Operating system login and workstation access control
- Encrypted storage and file-level data protection
- Network device administration and infrastructure security
- Database access control and API key management