Passwords

What Are Passwords?

Passwords are shared secrets, typically sequences of characters, that users present to authentication systems to verify their claimed identity and gain access to protected resources. As the predominant "something you know" authenticator, passwords underpin login flows across operating systems, web services, network devices, and enterprise applications. Their ubiquity stems from simplicity of deployment: no specialized hardware is required on either side, and the protocol reduces to comparing a submitted value against a stored credential. Despite this simplicity, passwords as a system carry substantial security risk when poorly chosen, improperly stored, or managed without supporting controls.

The relationship between passwords and broader authentication frameworks has received considerable formal treatment. NIST Special Publication 800-63B, the federal digital identity guideline that also governs many commercial deployments, defines three Authenticator Assurance Levels (AALs) and positions passwords as a single-factor credential meeting AAL1, with stronger assurance levels requiring additional authenticator types.

Password Strength and Entropy

The security value of a password is proportional to the entropy an attacker must overcome when mounting a guessing attack. Entropy depends on both the length of the password and the size of the character set drawn upon, but user behavior reduces effective entropy below the theoretical maximum. Dictionaries of commonly chosen passwords, breach corpora containing hundreds of millions of real credentials, and probabilistic models trained on leaked datasets allow sophisticated attackers to test high-probability guesses first, dramatically reducing average crack times. Systems that enforce minimum lengths of fifteen characters or more, permit passphrases composed of multiple ordinary words, and screen submissions against known-compromised password lists achieve measurably better outcomes than systems relying on complexity rules alone. The NIST Cybersecurity resource on creating strong passwords distills these findings into practical guidance.

Secure Storage and Hashing Mechanisms

Even a strong password provides no protection if the verifier stores it in a form that exposes credentials when the backing database is compromised. The standard remedy is to store only a salted cryptographic hash: a random per-user salt is concatenated with the password before hashing, ensuring that identical passwords produce distinct stored values and preventing precomputed lookup attacks. The hash function itself must be designed for password use, not general-purpose data integrity. Functions from the bcrypt, scrypt, and Argon2 families impose configurable computational cost on each hash evaluation, making offline brute-force attacks expensive at current hardware speeds. Argon2, the winner of the Password Hashing Competition in 2015, additionally allows memory-hardness tuning that penalizes GPU- and ASIC-based cracking rigs. Proper key stretching combined with organizational controls on database access limits constitutes the minimum acceptable storage posture for any system handling real user credentials. Further guidance appears in NIST SP 800-63B's memorized secret section.

Multi-Factor Authentication Integration

The primary architectural response to the inherent weaknesses of passwords is to pair them with a second or third authenticator factor. Multi-factor authentication (MFA) combines something the user knows (the password) with something the user has (a one-time passcode generator, hardware security key, or push notification to a registered device) or something the user is (a biometric). When MFA is active, a stolen password alone is insufficient for an attacker to authenticate unless the second factor is also compromised, substantially raising the cost of account takeover. Time-based one-time passwords (TOTP) defined in RFC 6238 and hardware authenticators conforming to the FIDO2 standard are both widely deployed second factors that pair well with password-based primary authentication.

Applications

Passwords have applications in a wide range of disciplines, including:

  • Web application and cloud service user authentication
  • Operating system login and workstation access management
  • Enterprise identity management and single sign-on systems
  • Encrypted disk and file-level data protection
  • Network device and critical infrastructure administration

Related Topics

Loading…