Best practices for password strength, storage, and management.
Passwords are the most common method of authentication, acting as a secret key that verifies a user's identity. They are also often the weakest link in the security chain.

A strong password is one that is difficult for either a human or a computer to guess. Its key characteristics are length (at least 12-16 characters), complexity (a mix of uppercase letters, lowercase letters, numbers, and symbols), and uniqueness (not reused across different services). Users should avoid easily guessable information such as birthdays, names, or common words.

From the system's perspective, storing passwords securely is paramount. Passwords should never be stored in plaintext. As discussed in the cryptography chapter, they must be hashed. But simple hashing is not enough: an attacker with a rainbow table (a precomputed table of hashes for common passwords) can look up a stolen hash and recover the password behind it.

To prevent this, a technique called salting is used. A salt is a unique, random string of characters that is added to each user's password before it is hashed. The salt is then stored alongside the hashed password; it does not need to be kept secret, since its purpose is uniqueness rather than secrecy. Because every user has a different salt, two users with the same password end up with different hashes, which makes rainbow table attacks ineffective.

For even stronger security, modern systems use slow, adaptive hashing algorithms such as bcrypt, scrypt, or Argon2. These are deliberately computationally intensive, so brute-force attacks become much more time-consuming and expensive for an attacker, and their cost parameters can be raised as hardware gets faster.

Password managers are also a crucial tool for users, enabling them to generate and store long, complex, unique passwords for every service without having to memorize them.
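The storage scheme described above (per-user random salt, slow adaptive hash, salt stored next to the hash) as a worked example. This is added illustrative code, not code from the original page. It uses only the Python standard library: scrypt, which the page names, when the interpreter's OpenSSL provides it, with PBKDF2-HMAC-SHA256 as a fallback. The record layout (`algorithm$parameters$salt$hash`), the function names and the cost parameters are assumptions made for the example; the unsalted SHA-256 function is included only to show the "before" case in which identical passwords produce identical hashes.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

SALT_BYTES = 16                                  # 128-bit random salt per user
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}   # illustrative cost parameters (assumption)
PBKDF2_ITERATIONS = 600_000                      # illustrative fallback cost (assumption)
DK_LEN = 32                                      # derived key length in bytes


def unsalted_sha256(password: str) -> str:
    """The insecure 'before' case: no salt, fast hash. Equal passwords give
    equal hashes, so a precomputed (rainbow) table reverses them in bulk."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


def _derive(password: bytes, salt: bytes, algo: str, params: Dict[str, int]) -> bytes:
    """Run the slow, salted key derivation chosen by `algo`."""
    if algo == "scrypt":
        return hashlib.scrypt(password, salt=salt, n=params["n"], r=params["r"],
                              p=params["p"], dklen=DK_LEN)
    if algo == "pbkdf2_sha256":
        return hashlib.pbkdf2_hmac("sha256", password, salt, params["iterations"], DK_LEN)
    raise ValueError(f"unsupported password hashing algorithm {algo!r}")


def _default_algo() -> str:
    # hashlib.scrypt only exists when the linked OpenSSL supports it.
    return "scrypt" if hasattr(hashlib, "scrypt") else "pbkdf2_sha256"


def _default_params(algo: str) -> Dict[str, int]:
    return dict(SCRYPT_PARAMS) if algo == "scrypt" else {"iterations": PBKDF2_ITERATIONS}


def _encode(algo: str, params: Dict[str, int], salt: bytes, dk: bytes) -> str:
    """Self-describing record: algorithm and cost parameters travel with the
    salt and hash, so they can be raised later without breaking old users."""
    if algo == "scrypt":
        fields = [algo, str(params["n"]), str(params["r"]), str(params["p"])]
    else:
        fields = [algo, str(params["iterations"])]
    return "$".join(fields + [_b64(salt), _b64(dk)])


def _decode(record: str) -> Tuple[str, Dict[str, int], bytes, bytes]:
    fields = record.split("$")
    algo = fields[0]
    if algo == "scrypt" and len(fields) == 6:
        params = {"n": int(fields[1]), "r": int(fields[2]), "p": int(fields[3])}
    elif algo == "pbkdf2_sha256" and len(fields) == 4:
        params = {"iterations": int(fields[1])}
    else:
        raise ValueError("unrecognised password record")
    return algo, params, _unb64(fields[-2]), _unb64(fields[-1])


def hash_password(password: str, algo: Optional[str] = None) -> str:
    """Generate a fresh random salt and return the record to store in the
    user table. Two calls with the same password yield different records."""
    algo = algo or _default_algo()
    salt = os.urandom(SALT_BYTES)
    dk = _derive(password.encode("utf-8"), salt, algo, _default_params(algo))
    return _encode(algo, _default_params(algo), salt, dk)


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and parameters; compare in constant
    time so a mismatch does not leak how many leading bytes matched."""
    algo, params, salt, expected = _decode(record)
    actual = _derive(password.encode("utf-8"), salt, algo, params)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True when a stored record uses a weaker algorithm or lower cost than
    the current defaults; call after a successful login to upgrade it."""
    algo, params, _, _ = _decode(record)
    return algo != _default_algo() or params != _default_params(algo)


if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print("unsalted hashes equal:", unsalted_sha256("pw") == unsalted_sha256("pw"))
    print("salted records equal: ", alice == bob)
    print("alice verifies:       ", verify_password("correct horse battery staple", alice))
    print("wrong password:       ", verify_password("Correct horse battery staple", alice))
```

Because the algorithm and cost parameters are stored in each record, raising the work factor later only requires changing the defaults; existing users are verified with their old parameters and re-hashed on their next successful login via `needs_rehash`.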