Password security

1) Traditional password is a fixed string, it does not change unless the user or the application changes it. This makes it vulnerable to brute force attack.

2) Hence, password hashing method such as bcrypt is introduced to lower the efficiency of brute force attack even with increased compute power. Rate limiting and max trial attempts are added for the same reason.

3) However, all the above does not help if the password is leaked, it grants immediate access to third party.

4) In order to overcome this, multi-factors authentication is invented. On top of username/password pair, the user identify has to be validated via SMS, Email or Authenticator App. Some initiative also provides leak password database which suggests user to not use a password that has been involve in a leak incident before.

5) The concept of multi-factors authentication can also be enhanced by combining it with password. For example, the password that you submit is a combination of 6 digits multi-factor code + your actual password. This guarantee a "different" password every 10-15 seconds depending on the TTL of the multi-factor code.

6) Ultimately, the best password security is no password. Tech giants such as Apple, Microsoft and Google have committed to support a common passwordless framework - Fido. Check Fido and how it works here.