Lesson 4 of 8

Passwords and Authentication


Authentication, Authorization, and Identity

Before talking about passwords, it helps to distinguish three concepts. Authentication answers the question "who are you?": the process of verifying a user's identity. Authorization answers "what can you do?": the permissions granted once the identity is verified. Identity management covers the entire lifecycle of accounts: creating, modifying, and removing access.

Authentication relies on one or more factors: something you know (a password), something you have (a phone or a physical key), and something you are (a fingerprint or facial recognition). The strength of an authentication system depends on how many independent factors it combines and on the quality of each one.

Understanding this distinction is key: a strong password protects authentication, but without well-designed authorization, a compromised account could access far more than necessary. That is why the principle of least privilege, which we will see at the end of the course, complements authentication.

What Makes a Password Strong

For years, rigid composition rules (uppercase, numbers, symbols) were promoted; in practice they produced passwords that were hard for humans to remember but easy for a machine to guess. Modern research, reflected in guidelines such as those from NIST, prioritizes length over artificial complexity. A long passphrase like correct-horse-battery-staple resists an attack better than P@ssw0rd!.

Attackers do not guess passwords one by one: they use dictionary attacks that try common words, brute force that runs through combinations, and above all credential stuffing, which reuses passwords leaked in other breaches. That is why reusing the same password across multiple services is one of the most dangerous habits.

Current recommendations are clear: long, unique passwords for each service, avoiding predictable personal information, and not forcing periodic changes without reason (which tends to worsen users' choices). Checking whether a credential appeared in a known breach also helps you react in time.

Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) requires two or more independent factors, so stealing the password alone is not enough to gain access. It is among the most effective and cost-efficient measures in all of cybersecurity: it blocks the vast majority of automated attacks against accounts.

Not all second factors are equal. SMS codes are better than nothing, but vulnerable to SIM swapping. Authenticator apps that generate time-based one-time codes (TOTP), such as Google Authenticator or Authy, are more secure. At the top are physical keys based on FIDO2/WebAuthn (for example YubiKey), resistant even to phishing because they cryptographically verify the website they are talking to.

Enabling MFA on email, banking, and critical service accounts should be an absolute priority. Email, in particular, is often the master key: if an attacker controls it, they can reset the passwords of almost everything else.

Password Managers

It is humanly impossible to remember dozens of long, unique passwords. The solution is not to reuse them, but to use a password manager: an application that generates, stores, and fills in strong passwords, all protected by a single master password and, ideally, by MFA.

Tools like Bitwarden, 1Password, or KeePass encrypt your credential vault with strong algorithms, so that only you can decrypt it. Beyond convenience, they add security: each service gets a different, random password, and many managers alert you if one of your credentials appeared in a breach.

The only critical point is the master password, which must be long, unique, and memorable, and never shared. Combined with MFA, this architecture offers an excellent balance between security and usability.

The Future: Passkeys and Passwordless Authentication

The industry is moving toward a passwordless world. Passkeys, based on the FIDO2/WebAuthn standard, replace the password with a pair of cryptographic keys: a private one that never leaves your device and a public one held by the server. When signing in, your device proves it possesses the private key without transmitting any reusable secret.

This approach eliminates credential phishing and password breaches at the root, because there is no password to steal. Although the transition will take time, understanding these mechanisms prepares you for the authentication model that is becoming the standard. In the next lesson we will look at the cryptography that makes all this protection possible.