Understanding Modern Password Security
A comprehensive guide to password security for both users and developers, covering modern threats and defenses.
Daniel Petrov
December 8, 2024
In 2024, password security is both simpler and more complex than ever. Here's what you need to know to protect yourself and your users.
The Current Threat Landscape
Common attack vectors:
- Credential stuffing: Using leaked passwords on other sites
- Phishing: Tricking users into revealing credentials
- Brute force: Automated guessing attacks
- Rainbow tables: Pre-computed hash lookups
- Social engineering: Manipulating humans
Password Best Practices
For Users
| Old Advice | New Advice |
|---|---|
| Complex passwords | Long passphrases |
| Change frequently | Change only if compromised |
| Remember them | Use a password manager |
| Security questions | Avoid or use fake answers |
Creating Strong Passwords
The math is simple:

Entropy = log2(charset_size ^ length) = length × log2(charset_size)

where charset_size is the number of distinct characters the password could draw from (95 for printable ASCII, 27 for lowercase letters plus space), and the formula assumes every character is chosen uniformly at random. A password that follows a common pattern, such as a dictionary word with a digit and a symbol appended, falls long before its nominal entropy suggests, because attackers try those patterns before resorting to exhaustive search.

"Password1!" (10 chars, 95 possibilities)
Entropy ≈ 66 bits
Time to crack: Hours

"correct horse battery staple" (28 chars, 27 possibilities)
Entropy ≈ 132 bits
Time to crack: Millennia
For Developers
Hashing Algorithms
Never store plaintext passwords. Use:
- Argon2id: Current gold standard
- bcrypt: Widely supported, battle-tested
- scrypt: Good alternative
Avoid: MD5, SHA-1, SHA-256 alone (too fast!)
Implementation Example
```javascript
import argon2 from 'argon2';

// Hashing: argon2id with a memory-hard cost. memoryCost is given in KiB, so
// 65536 means 64 MiB per hash; tune timeCost and memoryCost to what your login
// servers can afford per request. argon2.hash() generates a random salt and
// encodes it, together with the parameters, into the returned string.
async function hashPassword(password) {
  return await argon2.hash(password, {
    type: argon2.argon2id,
    memoryCost: 65536,
    timeCost: 3,
    parallelism: 4
  });
}

// Verification: salt and parameters are read back from the encoded hash, so old
// hashes keep verifying after you raise the cost for new ones, and the final
// comparison is constant-time.
async function verifyPassword(password, hash) {
  return await argon2.verify(hash, password);
}
```
Additional Security Measures
- Rate limiting: Slow down brute force attacks
- Account lockout: After N failed attempts
- Breach detection: Check against known leaked passwords
- MFA: Add a second factor
Multi-Factor Authentication
MFA types ranked by security:
- Hardware keys (YubiKey): Strongest
- Authenticator apps (TOTP): Strong
- Push notifications: Good
- SMS codes: Vulnerable to SIM swapping
The Future: Passkeys
Passkeys are replacing passwords:
- Phishing-resistant: Bound to specific domains
- No secrets to leak: Public key cryptography
- Cross-device: Synced securely
- User-friendly: Biometric authentication
How do you handle password security? Share your approach!
Written by
Daniel Petrov
Security researcher and ethical hacker. Demystifying cybersecurity for developers and everyday users.
Responses (2)
Finally an article that recommends Argon2id! So many guides still recommend bcrypt which, while not bad, is showing its age. The passkeys section is especially timely.
The entropy calculation is a great way to explain password strength to non-technical people. I use similar examples when doing security awareness training.