Basics
Terms
- Identity: unique characteristics of an individual.
- Authentication: who is this ?
- Authorization: what are they allowed to do ?
- Non-repudiation: can it be proved/audited that a person did an action ?
- Privacy: who can see what this person does ?
- Security: are these answers/attributes maintained over time ?
Authentication Scenarios
- Local: local user to local machine or application.
- Client to Application Server: local user/app to an application/web server.
- Application Server to Authentication/Authorization Server: back-end server-to-server communication.
- Single Sign-On: local user/app to authentication/authorization server to multiple application/web servers.
Ways to access or attack an account (attack surface)
Access:
- Normal login (maybe password, maybe with 2FA)
- Password reset
- Account recovery
- Persuading Customer Support (social engineering)
- Phishing (to get credentials)
- Denial of service (report account as violating TOS, trigger "suspended because too many bad login attempts", flood account with messages or comments or confirmations)
- Impersonation (look-alike account or domain)
- Cause misuse (get user to click on a link that does something in the account, provoke user into violating TOS, get user to join group that gets banned)
Password security
Use the password and security features of your device and software; many people don't even bother to set a password !
It's especially important on smartphones, because a lot of smartphone apps don't even have a "log out" feature. They assume that if you have the phone and were able to log in once, a while ago, you must be the account owner, no account password needed.
But some passwords are fairly easy to bypass; don't expect them to protect you from every threat:
Computer Hope's "How to clear an unknown BIOS or CMOS password"
Mark Wilson's "How to crack Windows and OS X passwords"
Hack Cave's "Hack Windows 10 Login Password In 2 Minutes [Works For All Windows Versions]"
Hack Cave's "Hacking/Bypassing Android Password/Pattern/Face/PIN"
Don't use the same password on multiple sites. If one site is breached, all the others become vulnerable.

Qualities of a good password
[From most important to least important:]
- Unique (not used anywhere else, doesn't appear in any breaches).
- Long (at least 16 chars, probably).
- Complex (not just lowercase and numbers).
Good things along with the password
- Unique username for each site (not just the same email address everywhere).
- Two-factor authentication (on important accounts).
Really, you should have only 2 or 3 passwords you remember; the rest should be in a password manager. And in general, length is more important than complexity (but having both is even better).
When to change a password
- If the service has a data breach.
- If you realize the password is weaker than it should be for that kind of account.
- If you realize you've used the same password on other sites.
- If you've shared the credentials with someone else or some other service, and want to stop their access.
If a password you're sure is correct stops working, maybe your keyboard is in a mode such as caps-lock or function-lock, or maybe a key has failed. Test it by typing the password into a document or some visible field.
Another form of password is an SSH key. Advantage: it's very long and random. Disadvantage: few connection types support it, usually just command-line text login connections, or network operations such as a git commit or VPN login.
"Password inertia": I'm discouraged from changing some passwords because I'd have to update them in multiple places. For example, an email password would have to be updated in the email site, my password manager, my desktop email client, and my phone email client.
Password Manager
AKA a "password vault".
For best security, I recommend a local-only password manager application, not storing data in the cloud, and with no browser extension or browser integration. I use the KeePass family of applications.
If you want more convenience, or need to support non-techie users, or need to share among several devices and/or people, probably use Bitwarden.
On Linux, consider running the password manager either in a container (snap or flatpak) or in a security context (Firejail or AppArmor).
Reasons to use a password manager
- Avoids forgetting passwords and other info.
- Avoids writing down passwords on Post-Its and in other insecure places.
- Makes it easy to use a different password for every web site.
- Makes it easy to use long random passwords.
- Makes it easy to use two-factor authentication such as software-TOTP.
- Makes it easy to see/report duplicate passwords.
- Makes it easy to see/report accounts that don't use 2FA.
- Makes it easy to look at list of accounts and delete ones you don't want any more.
- Makes it easy to group and share info across multiple family members.
- Some will check for your info appearing in data breach lists.
- Great place to store other important info such as photo of passport ID page, info for reporting lost credit card, etc.
Some passwords they can't apply automatically: your PC's BIOS and OS login info, encrypted boot drive's password, game-console password, phone password, ATM and credit-card PINs. You can store those passwords in the password manager, but not drag/copypaste them out to apply them. [Except see InputStick, which lets a password manager on your phone drive a keyboard on your computer.]
A quirk: every now and then, I find I have to type a password manually. Maybe I'm reading it out of the password manager in my laptop, and typing it into someone's phone. In that case, having a long password that mixes lots of letters and numbers and special characters is a real pain. And having similar-looking characters such as "1" and "l" and "0" and "O" is a pain. So I try to avoid generating passwords with that last problem. Some managers have a setting to control this. Maybe also group the types of characters together inside the password: start with N uppercase letters, then M lowercase letters, then P special characters.
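As an added example (not code from this page, nor from any password manager it mentions), here is a small Python generator that follows the rules above: it excludes the look-alike characters named in the text, can group character classes in a fixed order (N uppercase, then M lowercase, then digits, then specials) for passwords that must sometimes be typed by hand, and computes the search space in bits so the "length matters more than complexity" claim can be checked with numbers. The character sets, default lengths and the particular set of special characters are my assumptions.

```python
"""Password generator that avoids look-alike characters and can group
character classes. Added example; standard library only."""
import math
import secrets
import string

# Characters easily confused when read off one screen and typed on another
# device (assumed set: zero/capital-O, one/lowercase-L/capital-I, pipe).
AMBIGUOUS = set("0O1lI|")

UPPER = [c for c in string.ascii_uppercase if c not in AMBIGUOUS]   # 24 letters
LOWER = [c for c in string.ascii_lowercase if c not in AMBIGUOUS]   # 25 letters
DIGITS = [c for c in string.digits if c not in AMBIGUOUS]           # 8 digits
SPECIAL = [c for c in "!#$%&*+-=?@_" if c not in AMBIGUOUS]        # assumed, widely accepted


def entropy_bits(length, alphabet_size):
    """Bits of entropy of a uniformly random password of `length` symbols
    drawn from an alphabet of `alphabet_size`: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def generate_shuffled(length=20):
    """Every position drawn uniformly from the whole de-ambiguated alphabet."""
    alphabet = UPPER + LOWER + DIGITS + SPECIAL
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_grouped(n_upper=4, n_lower=8, n_digits=2, n_special=2):
    """Classes in a fixed order: uppercase, lowercase, digits, specials.
    Easier to read out and type by hand, at the cost of some entropy
    (the class boundaries are predictable)."""
    parts = (
        [secrets.choice(UPPER) for _ in range(n_upper)]
        + [secrets.choice(LOWER) for _ in range(n_lower)]
        + [secrets.choice(DIGITS) for _ in range(n_digits)]
        + [secrets.choice(SPECIAL) for _ in range(n_special)]
    )
    return "".join(parts)


def grouped_entropy_bits(n_upper=4, n_lower=8, n_digits=2, n_special=2):
    """Exact entropy of generate_grouped: positions are independent and each
    is uniform over its own class, so the bits simply add up."""
    return (entropy_bits(n_upper, len(UPPER)) + entropy_bits(n_lower, len(LOWER))
            + entropy_bits(n_digits, len(DIGITS)) + entropy_bits(n_special, len(SPECIAL)))


def has_ambiguous(password):
    """True if the password contains any of the look-alike characters."""
    return any(c in AMBIGUOUS for c in password)


if __name__ == "__main__":
    # Length vs complexity: 16 lowercase letters beat 10 symbols from all 94 printable ASCII.
    print("16 lowercase letters :", round(entropy_bits(16, 26), 1), "bits")
    print("10 printable ASCII   :", round(entropy_bits(10, 94), 1), "bits")
    print("grouped 4/8/2/2      :", round(grouped_entropy_bits(), 1), "bits ", generate_grouped())
    full = len(UPPER + LOWER + DIGITS + SPECIAL)
    print("shuffled 20 chars    :", round(entropy_bits(20, full), 1), "bits ", generate_shuffled())
```

Run it to see the numbers: 16 lowercase letters give about 75 bits, while 10 characters from the full printable set give about 65, which is the "length beats complexity" point in figures. Grouping the classes in a 16-character password still leaves it stronger than the 10-character mixed one.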
Arguments against password managers
Types of password managers
Features to consider
Don't use your OS's "keyring" features: they're not cross-platform, maybe not shareable across multiple machines, may be hard to back up and restore, and probably have a primitive UI. Use a dedicated password manager application.
Wikipedia's "Password manager"
Slant's "What are the best offline password managers?"
Alan Henry's "Five Best Password Managers"
Hannah Stryker's "The Best Password Managers of 2023"
Some free password managers
I don't use any 2FA on the login to my password manager, just a password. I don't want any accident (loss of phone, loss of hardware token) to lock me out of my password database.
I don't want a password manager tied to a cloud account. I don't want any accident (account locked) to lock me out of my password database.
I don't want a manager with a browser add-on that watches every web page I load; that increases the attack surface of both apps. And an offline manager is more secure.
Tavis Ormandy's "Password Managers"
[But having a browser add-on gives one great feature: it can check that you're putting the creds into only the site that they belong to.]
Ctrl blog's "Why KeePass instead of self-hosting Bitwarden"
I chose KeePass.
Android
My organization inside the password manager
Don't let Windows store passwords and apply them automatically. If someone cracked your Windows password, they would get automatic access to those things. I set my backup application to not "remember" me, so I have to log in to it manually every time I run it. If you have an encrypted external hard disk, don't let Windows hold the password and apply it automatically (auto-unlock); you should type it in manually each time you plug in the disk drive.
Don't let your browser store passwords and apply them automatically. The quality of their security is unclear, and that method works only inside that browser. Not sure how backup and restore would work. Much better to use a dedicated password manager application.
Passwords, from article by Jacob Bernstein in The New York Times, June 24 2012:
New feature idea: handle name+address info, credit-card info, bank-acct info
New feature idea: handle hierarchical info
What is a password generator ?
There's no perfect solution
KeePass
I chose
- On Linux, KeePassXC 2.x.
- On Windows, KeePass 2.x.
- On Android, Keepass2Android Offline.
General choices and use
On Linux
Several ways to do auto-type
- Auto-type [I use this]:
  - In KeePassXC, find entry for the site you want.
  - Ctrl+shift+U to switch to browser and tell it to open that site.
  - Alt+tab to switch back to KeePassXC.
  - Ctrl+shift+V to switch to browser and auto-type username and password and Enter.
  - Get web page that asks for TOTP.
  - Alt+tab to switch back to KeePassXC.
  - Ctrl+T to put TOTP in clipboard and switch to browser.
  - Ctrl+V or similar to paste TOTP into web page field.
  - Enter or click button on web page to complete login.
- Global auto-type (with bookmarks in browser):
  - In browser, Alt+B and select bookmark for the site you want.
  - Web page opens.
  - Ctrl+shift+A to start global auto-type.
  - See small KeePass window telling you which entries match the current web page.
  - Click an entry in the window.
  - See KeePass auto-type username and password and Enter.
  - Get web page that asks for TOTP.
  - Alt+tab to switch back to KeePassXC.
  - Ctrl+T to put TOTP in clipboard and switch to browser.
  - Ctrl+V or similar to paste TOTP into web page field.
  - Enter or click button on web page to complete login.
- Global auto-type (with bookmarks only in KeePass):
  - In KeePassXC, find entry for the site you want.
  - Ctrl+shift+U to switch to browser and tell it to open that site.
  - Ctrl+shift+A to start global auto-type.
  - See small KeePass window telling you which entries match the current web page.
  - Click an entry in the window.
  - See KeePass auto-type username and password and Enter.
  - Get web page that asks for TOTP.
  - Alt+tab to switch back to KeePassXC.
  - Ctrl+T to put TOTP in clipboard and switch to browser.
  - Ctrl+V or similar to paste TOTP into web page field.
  - Enter or click button on web page to complete login.
In KeePassXC, you can see which passwords are being used in multiple accounts by going to the main table view of accounts, right-clicking on "Password" column header and un-checking "Hide Passwords", and then sorting by "Password" column.
Someone says their KeePassXC started behaving a bit erratically when they put some large documents into the database and it got near 50 MB in size. Sizes below 20 MB at least work fine.
KeePassXC
Keyboard Shortcuts
Bug reports: keepassxreboot / keepassxc
securityguideme's "KeePassXC Advanced Usage // 8 features you might have not heard about" (video)
KeePassXC can supply SSH keys to an SSH agent
KeePassXC as 'secret service' to give password to app or service over D-Bus
KeePassXC run on the CLI
Other URL protocols
On Windows
On Android
KeePassXC as a 'Bookmark Manager'
Abhishek Prakash's "Soon You'll be Able to Convert Any Website into Desktop Application in Linux Mint"
Divine Okoi's "Web App Manager - Convert Any Website into an App"
Where are they stored ? How do you back them up, or copy to a fresh install ?
Hardware 2FA: must use same key to open database and to save database. Can't switch in middle of session.
Almost Secure's "Documenting KeePass KDBX4 file format"
Site verifying itself to the user
To prevent phishing, a site should identify itself to the user. But very few sites do this today, maybe because it complicates login a little.
I have one bank that does this:
- Site prompts for username, user gives it, site verifies it.
- Site displays an image associated with the account (stored on server).
- User looks at the image and verifies it's valid for this account.
- Site prompts for password, user gives it, site verifies it.
- Site and user do 2FA.
A phrase could be used instead of an image.
If usernames are public or easy to guess, the display-image step could be moved to be after the password is verified. If it's a phishing attempt, the user has given away the password, but would be saved by 2FA. And if the user realizes no valid image has been displayed, the user knows they just got phished, time to change the password.
The current equivalent is that the user has to check the domain shown in the address bar, and verify that it is the correct domain. But that can be easy to skip, or hard to do or confusing, or can be faked in a few ways.
TOTP (Time-based One-Time Password)
[In this section I include codes sent to you through email or SMS or voice call, as well as codes you generate yourself from an app such as Google Authenticator or a hardware token.]
These kinds of codes almost always are used as a second factor, not a primary/sole password.
Scams still are possible
SMS is evil ?
Need US phone number while living outside USA
Hardware Tokens
These kinds of devices could be used as the sole means of identification (replacing username and password), or as a second factor.
From PrivSec's "Multi-factor Authentication":
U2F and FIDO2 refer to the Client to Authenticator Protocol, which is the protocol between the security key and the computer, such as a laptop or phone. It complements WebAuthn, which is the component used to authenticate with the website (the "Relying Party") you're trying to log in on.
FIDO, FIDO2, U2F
WebAuthn
Passkey
OAuth
Virag Mody's "How OIDC Authentication Works"
SQRL (proposed):
"It improves on protocols such as OAuth and OpenID by not requiring a third party to broker the transaction, and by not giving a server any secrets to protect, such as username and password."
Wikipedia's "SQRL"
Smart card
Hardware device possible features
Hardware devices
From Hugo Barrera's "How I secure my setup with a YubiKey" and comments on reddit:
Dmitry Frank's "Reliable, Secure and Universal Backup for U2F Token"
I've been thinking about whether I want to use a hardware device for accounts that support it (which is very few of my accounts), and coming out to "no". I'd have to have 2 or 3, in case I lost one; I'd have to register all 2/3 of them to each account; any time I wanted to register them to a new account I'd have to get the 3rd key out of deep storage; if I lost one while traveling the backup would be back home; and a laptop thief probably would get hardware key along with laptop.
I'd rather have some software mechanism, some kind of key-based challenge-response, that I can do via password manager. With maybe software TOTP in some cases (BIOS login, disk decryption, OS login, if those ever support it).
Two-Factor Authentication (2FA)
Some sites offer two-factor authentication: you can't log in unless you possess both knowledge (username and password) and a particular device (phone or dongle or token).
[Some additional pieces that really are just more types of knowledge: secret code to generate a TOTP, code-card, signature, security questions/answers, knowledge-based answers (KBA), recovery codes.]
[Some additional factors that could be used to make multi-factor authentication: what you are (biometrics), where you are (location), what you can do (whistle a tune or write a signature ?), what time it is, some confirming authority (another person or account who is authenticated already, or a cookie from previous login). In fact, I wonder why no sysadmin-type services support location as a factor: let me set my account to "allow login only from IP addresses 23.n.n.n/8" ?]
Forms of 2FA
[Some of this may be wrong; not sure about FIDO, U2F, and HOTP.]
[Mostly from most-secure to least-secure:]
- Hardware device that connects to computer via USB or NFC or something, and talks crypto through client to a server (U2F, or FIDO2-WebAuthn-CTAP2).
- Hardware device that connects to computer via USB or NFC or something, and talks crypto to the client (HMAC-SHA1 challenge/response). Smart card ?
- Software app on protected device (such as smartphone) that uses Bluetooth to connect to computer, and talks crypto through client to a server (FIDO2-WebAuthn-CTAP2).
  Dan Goodin's "How Apple, Google, and Microsoft will kill passwords and phishing in one stroke"
- Software app that uses network as a back-channel to communicate between devices. WebAuthn-enabled, such as Windows Hello, Apple's Face ID/Touch ID, and Chrome WebAuthn ? Camera-and-QR-code such as desktop WhatsApp login ?
- Hardware device that gives you a time-limited number (OATH TOTP) or counter-based number (HOTP) to type in.
- Software app that gives you a time-limited number (OATH TOTP) to type in.
- Site uses custom app on your phone to send you a time-limited code to type in.
- Site uses email or WhatsApp to send you a time-limited code to type in or a link to click on.
  Dmitry Frank's "Treating Email More Like a Password Manager"
- Site uses SMS or voice call to your phone to send you a time-limited code to type in or a link to click on.
- "Remember this device" via browser cookie.
- No 2FA: just username and password to type in.
- No 2FA: just username and password to type in, and username is your email address.
All of the OATH TOTP apps are compatible: Google Authenticator, andOTP, Authy, Authenticator Plus, more. I switched from Google Authenticator to andOTP because andOTP is open-source and not-Google, and Google Authenticator is specific to the phone (number) it is installed on. Also andOTP has a password protecting the app. Still I don't put sitenames and usernames and passwords into the app, so if someone gets the database they don't have enough info to find the accounts.
Some systems call themselves two-factor but really are just two-step: they don't require that you have a device such as a phone. They just send a code to your email or ask you more questions or something.
What sites support what kinds of 2FA ?
2FA Directory
Fido2, Webauthn and U2F Supported Sites
Chris Siebenmann's "What I understand about two-factor/multi-factor authentication (in 2023)"
Naomi Brockwell video
Daniel Miessler's "Not All MFA is Equal, and the Differences Matter a Lot"
The more I think about it, I'd just like to have software TOTP 2FA for everything (even BIOS login, disk decryption, OS login, web sites, etc). More secure than just a password, but can have the TOTP app on multiple devices, no hardware device to lose or phone that might stop working. Maybe key-based challenge-response for web sites, but again software-based.
A response I made to a "passwordless" system proposal:
Anticipate problems
None of the phone-number-specific solutions seem to work for cases where multiple people would be sharing the same account, or where you switch around a lot and carry only one of your multiple devices (phone, tablet, laptop) at a time. If you use a computer (non-phone) app, how would that work with multiple computers (home desktop, work desktop, laptop) ?
Convenience vs Security, limited by Choice
Lucian Constantin's "5 things you should know about two-factor authentication"
Stuart Schechter's "Before You Turn On Two-Factor Authentication ..."
Wes Siler's "Traveling With Two-Factor: How To Access Your Accounts Abroad"
Emily Price's "Always Carry Your Google Account's Two-Step Verification Codes With You"
Article saying that using 2FA is much more effective than complex passwords or avoiding password re-use:
Malwarebytes' "Why (almost) everything we told you about passwords was wrong"
Vivek Gite's "Use oathtool Linux command line for 2 step verification"
Important places to use two-factor authentication
- Email accounts.
- Domain/DNS account (especially if email goes through DNS MX record).
- Financial accounts: bank, credit card, PayPal, money-transfer, crypto-currency, Privacy.com, etc.
- Any item-purchasing accounts that are auto-connected to your bank account or credit card: Amazon or other retail, gaming, phone apps with in-app purchasing.
- Cloud accounts (Apple, Google, Microsoft) that could be used to remote-disable or remote-wipe your devices.
- Any account you'd really hate to lose, such as a social media account where you've built up a huge following, or a domain-registrar account, or web-site-hosting account, or source-control account.
- Password manager (mainly, if cloud).
Downsides of two-factor authentication
- Maybe login doesn't work if you don't have cell service.
- If you lose your authentication device, or it dies or runs out of battery charge, then you can't access email etc. from your computer either, unless you set up some emergency method beforehand and have it close to hand.
- If you take your laptop somewhere, you have to take your 2FA device or phone with you too.
- Some carriers charge for SMS messages.
- Login is slower.
- Some forms of 2FA damage your privacy/anonymity, by tying account to a phone number.
- There may be a charge for the authentication device or service.
- If the authentication device plugs into a USB port, some places (internet cafe, library, etc) may not allow that.
Choosing not to use 2FA
- Don't care about the account; fast login more important than security.
- Only form of 2FA supported would damage your privacy/anonymity, by tying account to a phone number.
- Only form of 2FA supported requires something you don't have, such as phone or token.
- Need to have multiple people access one account, and the supported form of 2FA doesn't support that.
My experience with Symantec VIP hardware token starting 2/2018
/u/Rafficer's "How to set up automatic login with 2FA and Two-Password mode with KeePass 2"
(Using Linux) to make a software-TOTP equivalent of a Symantec VIP hardware-TOTP token
Patrick Lucas Austin's "How to Boost Your Game Console's Security"
Password Reset
Password reset is not the same as Login using 2FA, although they may use the same or similar mechanism (SMS, email, TOTP, voice call).
It might be hard to figure out the password reset algorithm used by some provider. They might use whatever email address or phone number you have associated with the account, even if you didn't expect that, and that data was not listed as "for reset purposes".
Having SMS or phone number as your form of password reset is dangerous: if someone steals your phone, they could initiate a password reset and take control of your account. If you have TOTP 2FA enabled on your account, doing password reset might require use of the 2FA, preventing the stolen-SIM attack. Also, your SIM should have a PIN set on it, so a thief can't move it to another phone.
After your phone is stolen, the thieves might send a phishing email to you, appearing to be from your phone company and saying "good news, we found your phone, login here to get it back". Don't give any login information; the thieves will use it to steal your account.
Password bypass:
Alex Pastel article about PayPal
But someone on reddit: "To be clear, it has to be enabled on a per-merchant basis, but once it is, it's just as bad as claimed. All you need is an email address and an SMS code and you can proceed with the purchase. All your 2FA and password settings are ignored. ... To my knowledge, this login can only be used during a purchase, not to access the main account."
Account Recovery

Account recovery is not the same as Password reset or Login using 2FA, although all three of those may use some of the same or similar mechanisms (SMS, email, TOTP, voice call).
The best forms of account recovery use unique codes generated for only that purpose. No one but you should have those codes. But of course you have to be smart enough to generate and record them before you need them.
It might be hard to figure out the account recovery algorithm used by some provider. They might use whatever email address or phone number you have associated with the account, even if you didn't expect that, and that data was not listed as "for recovery purposes".
Having SMS or phone number as your form of account recovery is dangerous: if someone steals your phone, they could initiate an account recovery and take control of your account. If you have TOTP 2FA enabled on your account, doing account recovery might require use of the 2FA, preventing the stolen-SIM attack. Also, your SIM should have a PIN set on it, so a thief can't move it to another phone.
Apparently, for Google accounts, the recovery codes would let you log in, but not let you remove SMS 2FA from the account. So if you have lost your phone, you'd better get another with same phone number, soon.
Using an email alias or catch-all address on an account is a little dangerous, because you probably can't originate a message from that address, so Support or account-recovery may be hindered. For example, suppose your registered email address for eBay is "myname+ebay@gmail.com". You may not be able to originate a new email from "myname+ebay@gmail.com", only from "myname@gmail.com". This may get rejected by eBay, for Support or account-recovery purposes, since it doesn't match the address on your account.
This won't be a problem if account-recovery only involves receiving a link in email, and clicking on the link.
After your phone is stolen, the thieves might send a phishing email to you, appearing to be from your phone company and saying "good news, we found your phone, login here to get it back". Don't give any login information; the thieves will use it to steal your account.
Linked Applications
This is a situation where you are authenticated to an account such as Google, and a related application asks for permission to access your Google information. It will use your existing session token.
If you say yes, it gains access that is not revoked by changing your credentials or enabling 2FA. You will have to find a special "linked applications" administration page and remove the app from there.
See section "4. OAuth Consent phishing" of Zsofia Zsakai's "How Attackers Bypass 2FA"
Miscellaneous
Scams
Multiple types of "Passwordless" login
- Use already-authenticated account to authenticate for new account. E.g. send link to email.
- User sees biometric, but behind the scenes a password is being sent. E.g. Apple's Face/Touch ID gating a stored password.
- Locally authenticate (with PIN or biometric) to a smartcard or token, which then uses crypto keys to authenticate to the service. E.g. smartcard-based authentication or FIDO2-based authentication.
Already-authenticated "Passwordless" login
The point of going password-less isn't to create better software and hardware security; everyone gets this wrong. Password-less is meant to fix human-security. People forget passwords and write them down, people reuse same password everywhere, people share passwords when policy says they should not, law enforcement can try and scare the password out of someone because they know it. Password-less is meant to reduce the human insecurity of knowing and dealing with passwords.
Secure Boot (as used in Linux)
Active Directory, LDAP, FreeIPA, Zentyal.
Steve Syfuhs' "Understanding Windows Authentication"
Affinidi's "Self-Sovereign Identity"
Self-destruct:
Michael Altfield's "LUKS Header Shredder (BusKill Self-Destruct Trigger)"