Password-based Authentication
A common authentication method where users present a secret password. It is widely used but requires secure storage, strong password policies and protections against common attacks.
Classification
- ComplexityMedium
- Impact areaTechnical
- Decision typeArchitectural
- Organizational maturityIntermediate
Technical context
Principles & goals
Use cases & scenarios
Compromises
- Compromise of large user groups in data breaches.
- Brute-force and credential-stuffing attacks without protections.
- Weak implementation (e.g., insecure hashing) leads to easy exploitation.
- Use adaptive hashing (Argon2, bcrypt) with salt
- Support password managers and avoid unnecessary complexity
- Implement monitoring, alerting and regular penetration tests
I/O & resources
- User identifier (e.g., username or email)
- Password in input form
- Current password hash parameters and salt
- Authentication token or session
- Audit log entries
- Error codes and feedback to user
Description
Password-based authentication verifies user identity by matching a secret string provided at login against a stored verifier. It is simple and widely deployed but requires careful handling of storage, strength policies and recovery flows to mitigate compromise and usability trade-offs. Organizations must enforce length, hashing and monitoring policies.
✔Benefits
- Simplicity and wide support in applications and libraries.
- Low barrier to entry for users and developers.
- Direct control over authentication without external dependencies.
✖Limitations
- Passwords are vulnerable to theft and reuse.
- Requires secure storage and periodic hash algorithm updates.
- Usability suffers with overly strict policies or frequent changes.
Trade-offs
Metrics
- Number of successful/failed logins
Ratio of successful to failed attempts indicating abuse or user issues.
- Time to recovery after compromise
Time measured from incident detection to restoration of a secure state.
- Share of users with weak passwords
Percentage of accounts not meeting defined minimum requirements.
Examples & implementations
Classic web platform using bcrypt
Server stores bcrypt hashes, requires minimum length and offers optional 2FA.
Enterprise portal with SSO fallback
Password auth used as fallback while SSO is primary; strict password policies apply.
IoT devices with local password protection
Simple device password protection combined with hardware backups and regular firmware updates.
Implementation steps
Define requirements (length, rotation, recovery)
Choose and parameterize hashing algorithm (e.g., Argon2)
Add protections: rate limiting, 2FA, monitoring
Plan regular security reviews and migration strategies
⚠️ Technical debt & bottlenecks
Technical debt
- Old hashes in DB that need secure migration
- Insufficient monitoring and alerting for auth failures
- Missing documentation for password policies and exceptions
Known bottlenecks
Misuse examples
- Simple MD5 hashing without salt in a legacy DB
- Email reset token without expiry
- No limit on login attempts and no monitoring
Typical traps
- Forgetting to migrate hash parameters when switching algorithms
- Blind reliance on complexity rules instead of password managers
- Missing checks against known leaked passwords
Required skills
Architectural drivers
Constraints
- • Legal requirements for data retention and incident reporting
- • Performance limits with costly hashing functions
- • Dependence on secondary channels (email/OTP) for recovery