02
16 min read · 5 briefings

Passwords, Passkeys & Authentication

How proof-of-identity actually works — and why the humble password is finally on its way out.

01 Entropy: What Actually Makes a Password Strong

Password strength is not about weird symbols. It is about entropy — a measure, in bits, of how unpredictable the password is. Each bit doubles the number of guesses an attacker must make. A password with 40 bits of entropy needs about a trillion guesses; one with 80 bits needs an unimaginable number more.

Entropy is driven far more by length than by character variety. Adding one random lowercase letter multiplies the guess space by 26; adding symbols only widens the alphabet a little. This is why a long passphrase like correct-horse-battery-staple beats a short, tortured P@ssw0rd! — and is easier to remember. The catch: length only helps if the password is random. A long password built from song lyrics or predictable substitutions has low real entropy because attackers model those patterns.

Pro tip Modern guidance from NIST (Special Publication 800-63B) flipped the old rules: prioritize length, allow all characters including spaces, screen new passwords against lists of known-breached ones, and stop forcing arbitrary periodic changes — those just push people toward predictable patterns like Summer2026!.

The practical takeaway: you cannot both memorize dozens of long random strings and reuse nothing. Something has to give — and it should not be uniqueness.

02 How Passwords Actually Get Cracked

Sites should never store your raw password. They store a hash — the output of a one-way function that is easy to compute forwards and infeasible to reverse. When you log in, the site hashes what you typed and compares. When a database leaks, attackers get hashes, not passwords, and the race to reverse them begins.

They have several tools:

  • Dictionary attacks hash entire wordlists of common and previously-leaked passwords and compare — fast and devastatingly effective against weak choices.
  • Brute force tries every combination. Feasible for short passwords; hopeless against long ones.
  • Rainbow tables are giant precomputed lookup tables of hash-to-password, trading disk space for speed.
  • Credential stuffing skips cracking entirely: it takes username/password pairs from one breach and replays them on other sites, betting you reused them.

Speed depends brutally on the hash. A commodity GPU can try billions of fast MD5 or NTLM hashes per second. That is why the algorithm matters: salting (adding a unique random value per password) kills rainbow tables outright, and deliberately slow, memory-hard hashes like bcrypt, scrypt, and Argon2id — the 2015 Password Hashing Competition winner — throttle guessing to a crawl.

Watch out Credential stuffing is why one reused password is a chain reaction. A leak at a forum you forgot about in 2015 can hand attackers your email, bank, and cloud storage today.

03 Password Managers: Stop Memorizing

The only sane way to have a long, unique, random password for every account is to not remember them. That is what a password manager is for. It generates and stores strong credentials in an encrypted vault, and you unlock the vault with one strong master password (and, ideally, a second factor).

The security model rests on that master password. Reputable managers — Bitwarden, 1Password, KeePass — use zero-knowledge or client-side encryption: your vault is encrypted and decrypted on your device with a key derived from your master password, so the provider stores only ciphertext and cannot read your data even if they are breached. Your master password is never sent to their servers.

The common objection — "isn't one vault a single point of failure?" — has a clear answer. Yes, the vault is valuable, so you protect it well: a long unique master password you use nowhere else, plus MFA. In exchange you eliminate reuse, defeat credential stuffing across every other account, and get autofill that quietly resists phishing (a manager will not offer to fill your bank password on a look-alike domain).

Insight A password manager does not just store secrets — it changes your behavior. Because generating a fresh 20-character random string costs you nothing, you stop rationing uniqueness. The friction that made people reuse passwords disappears.

04 MFA and Its Cracks

Multi-factor authentication (MFA) adds a second proof beyond your password — something you have or are, not just something you know. It is the single highest-value control most people can turn on. But not all factors are equal, and attackers have adapted to each.

FactorStrengthWeakness
SMS one-time codeBetter than nothingSIM-swapping and SS7 network flaws let attackers intercept codes
Authenticator app (TOTP)Good; works offlinePhishable — a fake site can relay the code in real time
Push approvalConvenientMFA fatigue: spam prompts until a tired user taps 'approve'
Hardware security keyStrongest; phishing-resistantCosts money; can be lost (keep a backup)

TOTP codes follow the open standard RFC 6238: your app and the server share a secret and both compute a code from the current time, rotating every 30 seconds. It is solid — but if you can be tricked into typing that code into a fake login page, the attacker simply forwards it. That is the crucial limitation nearly every non-hardware factor shares.

Watch out In 2022 an attacker breached Uber by bombarding an employee with push prompts, then messaging them on WhatsApp posing as IT support. The worn-down employee approved. MFA is not magic if you can be socially pressured into approving the attacker's own login.

05 Passkeys and the Passwordless Future

Passkeys are the endgame: authentication with no shared secret to steal, phish, or leak. They are built on the FIDO2 standards — the W3C's WebAuthn browser API plus the CTAP protocol to your device or security key.

The mechanism is public-key cryptography. When you create a passkey, your device generates a key pair. The public key goes to the website; the private key never leaves your device — it lives in secure hardware like a phone's secure enclave or a hardware key. To log in, the site sends a random challenge, your device signs it with the private key (unlocked by your fingerprint, face, or PIN), and the site verifies the signature with the public key.

This kills entire attack classes at once. There is no password to reuse, no code to intercept, and — critically — passkeys are origin-bound: the signature is cryptographically tied to the real domain, so a look-alike phishing site simply cannot elicit a valid one. Server breaches leak only public keys, which are useless to an attacker.

The best password is no password. The best second factor is one that physically cannot be handed to the wrong website.
Pro tip You can enable passkeys today on major accounts (Google, Apple, Microsoft, and many others) and they typically sync across your devices through your platform. Turn them on where offered — you keep your password as a fallback while gaining phishing resistance for daily logins.

Field Glossary

Entropy
A measure in bits of a password's unpredictability. Each additional bit doubles the number of guesses needed to crack it.
Hash
The output of a one-way function used to store passwords. Easy to compute forward, infeasible to reverse.
Salt
A unique random value added to each password before hashing, which defeats precomputed rainbow tables and forces attackers to crack each hash individually.
Credential stuffing
Replaying username/password pairs stolen from one breach against other sites, exploiting password reuse.
Rainbow table
A large precomputed table mapping hashes back to passwords, trading storage for cracking speed. Neutralized by salting.
TOTP
Time-based One-Time Password (RFC 6238): a rotating code computed from a shared secret and the current time, used by authenticator apps.
Passkey (FIDO2/WebAuthn)
A passwordless credential using public-key cryptography, where the private key stays on your device and logins are cryptographically bound to the real site, making them phishing-resistant.

Knowledge Check

Field Assessment

0 / 3

01 What has the biggest impact on a password's resistance to brute-force cracking?

02 Why does adding a unique salt to each password before hashing matter?

03 What makes passkeys resistant to phishing in a way that TOTP codes are not?

ESC
↑↓ navigate jack in