Security of passwords

Passwords are convenient

  • Low-cost to implement.
    • Don't require specific devices.
    • Are cheap to check on the server (low CPU usage).
  • Exact: there is only a single password which is correct.
  • Can be changed when compromised.
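The "exact" and "cheap to check" properties above describe how a server actually decides whether a submitted password is correct. The example below is added here and is not code from the original page: it stores only a salted, intentionally slow hash (scrypt) rather than the password itself, and compares in constant time so that a near-miss candidate (an extra space, a different case) fails exactly like any other wrong guess. The scrypt parameters and the 16-byte salt length are assumptions chosen for the example. Note that a memory-hard hash such as scrypt is deliberately not "low CPU usage": the slowdown is the cost a defender accepts so that a stolen hash database resists offline guessing, and it is still cheap compared with issuing hardware tokens.

```python
import hashlib
import hmac
import os

# Work-factor parameters for scrypt; these are assumptions for this example,
# not values taken from the original page. 128 * N * r bytes of memory
# (16 MiB here) is needed per hash computation.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16
DIGEST_LEN = 32


def hash_password(password: str) -> bytes:
    """Return salt || scrypt(password, salt) for storage on the server.

    Only this value is stored; the password itself is never written down.
    """
    salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=DIGEST_LEN,
    )
    return salt + digest


def verify_password(stored: bytes, candidate: str) -> bool:
    """Recompute the hash of the candidate with the stored salt and compare.

    hmac.compare_digest runs in time independent of where the first differing
    byte is, so a wrong guess cannot be narrowed down by timing the check.
    """
    salt, expected = stored[:SALT_LEN], stored[SALT_LEN:]
    actual = hashlib.scrypt(
        candidate.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=DIGEST_LEN,
    )
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("exact match:", verify_password(record, "correct horse battery staple"))
    print("near miss:  ", verify_password(record, "Correct horse battery staple"))
```

Because each call to hash_password draws a fresh random salt, two users who happen to choose the same password get different stored records, so one cracked hash does not reveal the other.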

Passwords are strong, sometimes

On an individual level, users may choose to create complex unpredictable passwords, which they don't tell anyone about. If this is the case, a password is stronger than other authentication methods, which may be fooled by an attacker or forcibly obtained from a person (e.g. biometric data).

Passwords are weak at scale

Having one set of valid credentials may be all that is needed to gain access to restricted resources. In an organization, for example, many people will have access to the same resources which are restricted from the outside. A chain is only as strong as its weakest link. And for passwords, this is mostly the user:

  • People create passwords in a predictable manner. This means an attacker may be able to guess the password.
  • People write down their passwords (either digitally or with pen and paper). This allows an attacker to intercept it.
  • People tell other people their passwords. This means there is more surface area to intercept it.
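The first point, that people create passwords predictably, is the one a server can do something about at sign-up time: screen the chosen password against known-common passwords, including the routine "strengthening" moves (capitalising, appending a year, swapping letters for look-alike digits) that leave a password just as guessable. The example below is added here and is not code from the original page. Its deny-list is a constructed five-entry stand-in for a real breached-password corpus, and the minimum length of 12 and the leetspeak mapping are assumptions chosen for the example.

```python
import re
from typing import Optional, Set

# Constructed, deliberately tiny deny-list standing in for a real
# breached-password corpus (assumption for this example).
COMMON_PASSWORDS: Set[str] = {"password", "qwerty", "letmein", "welcome", "iloveyou"}

# Undo the most common look-alike substitutions: "p@ssw0rd" -> "password".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

# Trailing digits/symbols that people append to a base word: "password2024!"
TRAILING_JUNK = re.compile(r"[\d\W_]+$")


def canonical_forms(password: str) -> Set[str]:
    """Return the base words a password is most likely derived from.

    Each form is a different guess at what the user started with before
    applying a predictable modification; all of them are checked.
    """
    base = password.lower()
    stripped = TRAILING_JUNK.sub("", base)
    forms = {
        base,
        stripped,
        base.translate(LEET_MAP),
        stripped.translate(LEET_MAP),
    }
    return {f for f in forms if f}


def is_predictable(password: str,
                   denylist: Set[str] = COMMON_PASSWORDS,
                   min_length: int = 12) -> Optional[str]:
    """Return a reason the password should be rejected, or None if it passes."""
    if len(password) < min_length:
        return "too short"
    if canonical_forms(password) & denylist:
        return "variant of a common password"
    if len(set(password)) <= 2:
        return "too few distinct characters"
    return None


if __name__ == "__main__":
    for candidate in ("P@ssw0rd2024!", "short", "aaaaaaaaaaaaaa",
                      "correct horse battery staple"):
        print(repr(candidate), "->", is_predictable(candidate))
```

The check returns a reason rather than a bare boolean so that the sign-up form can tell the user what to change; the candidate itself is never logged.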