Introduction to Password Security
Passwords are the first line of defense in cybersecurity. They protect our digital identities, sensitive data, and critical systems. Yet, despite their importance, passwords remain one of the weakest links in security chains. Understanding password security—how to create strong passwords, how they're compromised, and how to protect them—is essential for everyone in the digital age.
Key Concepts
- Authentication: Verifying identity through something you know (password)
- Credential Stuffing: Using stolen credentials across multiple services
- Password Hashing: Storing passwords securely using cryptographic functions
- Multi-Factor Authentication: Adding additional layers beyond passwords
- Password Managers: Tools that generate and store complex passwords
1. The Anatomy of a Password
Password Strength Analysis
import re
import math
import hashlib
import secrets
import string
from typing import Tuple, List, Dict
import time
class PasswordAnalyzer:
"""Analyze and evaluate password strength"""
def __init__(self):
self.common_passwords = self._load_common_passwords()
def _load_common_passwords(self):
"""Load list of common passwords (simplified)"""
return {
'password', '123456', 'qwerty', 'admin', 'letmein',
'welcome', 'monkey', 'dragon', 'master', 'sunshine',
'football', 'baseball', 'superman', 'trustno1', 'shadow'
}
def check_strength(self, password: str) -> Dict:
"""Comprehensive password strength analysis"""
results = {
'score': 0,
'strength': 'weak',
'issues': [],
'good_points': [],
'entropy': 0,
'crack_time': 'instant',
'length': len(password)
}
# Length check
if len(password) < 8:
results['issues'].append("Too short (minimum 8 characters)")
results['score'] += 0
elif len(password) < 12:
results['score'] += 1
results['good_points'].append("Good length (8-11 chars)")
else:
results['score'] += 2
results['good_points'].append("Excellent length (12+ chars)")
# Character variety
has_lower = any(c.islower() for c in password)
has_upper = any(c.isupper() for c in password)
has_digit = any(c.isdigit() for c in password)
has_special = any(c in string.punctuation for c in password)
variety_count = sum([has_lower, has_upper, has_digit, has_special])
if variety_count >= 3:
results['score'] += 2
results['good_points'].append("Good character variety")
elif variety_count == 2:
results['score'] += 1
results['good_points'].append("Fair character variety")
else:
results['issues'].append("Limited character variety")
# Check for common patterns
if password.lower() in self.common_passwords:
results['issues'].append("Common password - easily guessed")
results['score'] = 0
# Check for sequential patterns
if self._has_sequential(password):
results['issues'].append("Contains sequential characters (1234, abcd)")
results['score'] -= 1
# Check for repeated characters
if self._has_repeated(password):
results['issues'].append("Contains repeated characters (aaa, 111)")
results['score'] -= 1
# Check for keyboard patterns
if self._is_keyboard_pattern(password):
results['issues'].append("Keyboard pattern detected (qwerty, asdf)")
results['score'] -= 1
# Check for personal info patterns
if self._has_personal_info(password):
results['issues'].append("Contains personal information pattern")
results['score'] -= 1
# Calculate entropy
results['entropy'] = self._calculate_entropy(password, variety_count)
# Calculate crack time estimate
results['crack_time'] = self._estimate_crack_time(results['entropy'])
# Determine overall strength
if results['score'] <= 0:
results['strength'] = 'very weak'
elif results['score'] <= 2:
results['strength'] = 'weak'
elif results['score'] <= 4:
results['strength'] = 'moderate'
elif results['score'] <= 6:
results['strength'] = 'strong'
else:
results['strength'] = 'very strong'
return results
def _has_sequential(self, password: str) -> bool:
"""Check for sequential characters"""
password_lower = password.lower()
sequences = ['123', '234', '345', '456', '567', '678', '789',
'abc', 'bcd', 'cde', 'def', 'efg', 'fgh', 'ghi',
'qwe', 'wer', 'ert', 'rty', 'tyu', 'yui', 'uio']
for seq in sequences:
if seq in password_lower:
return True
return False
def _has_repeated(self, password: str) -> bool:
"""Check for repeated characters"""
for i in range(len(password) - 2):
if password[i] == password[i+1] == password[i+2]:
return True
return False
def _is_keyboard_pattern(self, password: str) -> bool:
"""Check for keyboard patterns"""
keyboard_patterns = [
'qwerty', 'asdfgh', 'zxcvbn', 'qwertyuiop',
'asdfghjkl', 'zxcvbnm', '1qaz2wsx', 'q1w2e3'
]
password_lower = password.lower()
for pattern in keyboard_patterns:
if pattern in password_lower:
return True
return False
def _has_personal_info(self, password: str) -> bool:
"""Check for personal information patterns"""
personal_patterns = [
r'\d{4}', # Year
r'[A-Za-z]+[0-9]{2,4}', # Name + year
]
for pattern in personal_patterns:
if re.search(pattern, password, re.IGNORECASE):
return True
return False
def _calculate_entropy(self, password: str, variety_count: int) -> float:
"""Calculate password entropy in bits"""
char_sets = {
1: 26, # lowercase only
2: 52, # lowercase + uppercase
3: 62, # + digits
4: 94 # + special characters
}
char_set_size = char_sets.get(variety_count, 94)
entropy = len(password) * math.log2(char_set_size)
return round(entropy, 2)
def _estimate_crack_time(self, entropy: float) -> str:
"""Estimate time to crack password"""
# Assuming 1 billion attempts per second (modern GPU)
attempts_per_second = 1_000_000_000
combinations = 2 ** entropy
seconds = combinations / attempts_per_second
if seconds < 60:
return "instant"
elif seconds < 3600:
return f"{seconds/60:.0f} minutes"
elif seconds < 86400:
return f"{seconds/3600:.0f} hours"
elif seconds < 31536000:
return f"{seconds/86400:.0f} days"
elif seconds < 3153600000:
return f"{seconds/31536000:.0f} months"
else:
return f"{seconds/31536000:.0f} years"
# Test the password analyzer
analyzer = PasswordAnalyzer()
test_passwords = [
"password",
"123456",
"qwerty123",
"MyP@ssw0rd2024",
"CorrectHorseBatteryStaple",
"aB3$fG7#kL9@",
"admin123"
]
print("Password Strength Analysis")
print("=" * 60)
for pwd in test_passwords:
result = analyzer.check_strength(pwd)
print(f"\nPassword: {pwd}")
print(f" Strength: {result['strength'].upper()}")
print(f" Score: {result['score']}/8")
print(f" Entropy: {result['entropy']} bits")
print(f" Estimated crack time: {result['crack_time']}")
if result['good_points']:
print(f" ✓ Good: {', '.join(result['good_points'])}")
if result['issues']:
print(f" ✗ Issues: {', '.join(result['issues'])}")
2. How Passwords Are Compromised
Common Attack Vectors
class PasswordAttacks:
"""Common password attack vectors and their mechanisms"""
@staticmethod
def explain_attacks():
"""Explain various password attack methods"""
attacks = {
"Brute Force": {
"method": "Try every possible combination",
"time": "Exponential - depends on length and complexity",
"defense": "Long passwords, account lockout, rate limiting"
},
"Dictionary Attack": {
"method": "Try common words, names, and patterns",
"time": "Fast - millions of attempts per second",
"defense": "Avoid common words, use passphrases"
},
"Credential Stuffing": {
"method": "Use stolen credentials from other breaches",
"time": "Automated, can be very fast",
"defense": "Unique passwords per site, 2FA"
},
"Phishing": {
"method": "Trick users into revealing passwords",
"time": "Psychological, varies",
"defense": "Education, 2FA, anti-phishing tools"
},
"Keylogging": {
"method": "Record keystrokes via malware",
"time": "Real-time",
"defense": "Antivirus, hardware tokens, password managers"
},
"Rainbow Table": {
"method": "Pre-computed hash lookups",
"time": "Fast after table generation",
"defense": "Salting, strong hashing algorithms"
},
"Man-in-the-Middle": {
"method": "Intercept communication",
"time": "Real-time",
"defense": "HTTPS, TLS, VPN"
},
"Shoulder Surfing": {
"method": "Watch user type password",
"time": "Social engineering",
"defense": "Awareness, privacy screens"
}
}
print("Password Attack Vectors")
print("=" * 60)
for name, details in attacks.items():
print(f"\n🔓 {name}")
print(f" Method: {details['method']}")
print(f" Speed: {details['time']}")
print(f" Defense: {details['defense']}")
@staticmethod
def password_cracking_speed():
"""Demonstrate password cracking speeds"""
print("\nPassword Cracking Speed Estimates")
print("=" * 60)
print("\nHashes per second (modern hardware):")
speeds = {
"MD5 (GPU)": "50+ billion/sec",
"SHA1 (GPU)": "20+ billion/sec",
"bcrypt (cost 10)": "~100,000/sec",
"Argon2id (default)": "~10,000/sec",
"PBKDF2 (100k iterations)": "~500,000/sec"
}
for algorithm, speed in speeds.items():
print(f" • {algorithm}: {speed}")
print("\nTime to crack 8-character password:")
scenarios = {
"Only lowercase (26^8)": "~2 seconds",
"Lower + uppercase (52^8)": "~2 minutes",
"Add numbers (62^8)": "~15 minutes",
"Full ASCII (95^8)": "~6 hours",
"12-char random (95^12)": "~5,000 years"
}
for scenario, time in scenarios.items():
print(f" • {scenario}: {time}")
PasswordAttacks.explain_attacks()
PasswordAttacks.password_cracking_speed()
Password Hash Demonstration
class PasswordHashing:
"""Demonstrate password hashing and salting"""
@staticmethod
def hash_demo():
"""Show how passwords are hashed"""
print("Password Hashing Demonstration")
print("=" * 60)
passwords = ["password123", "Password123!", "mySecureP@ss"]
print("\nSimple Hash (MD5 - NOT RECOMMENDED):")
for pwd in passwords:
md5_hash = hashlib.md5(pwd.encode()).hexdigest()
print(f" {pwd:20} → {md5_hash}")
print("\nSecure Hash (SHA-256):")
for pwd in passwords:
sha256_hash = hashlib.sha256(pwd.encode()).hexdigest()
print(f" {pwd:20} → {sha256_hash[:32]}...")
print("\n" + "="*60)
print("Key Point: Same password = Same hash (without salt)")
print("This is why rainbow tables work!")
@staticmethod
def salting_demo():
"""Demonstrate password salting"""
print("\n" + "="*60)
print("Password Salting Demonstration")
print("="*60)
password = "MySecret123"
print(f"\nPassword: {password}")
print("\nWithout salt (same password = same hash):")
for i in range(3):
hash_val = hashlib.sha256(password.encode()).hexdigest()
print(f" Attempt {i+1}: {hash_val[:32]}...")
print("\nWith salt (different salt = different hash):")
for i in range(3):
salt = secrets.token_hex(8)
salted = password + salt
hash_val = hashlib.sha256(salted.encode()).hexdigest()
print(f" Salt: {salt}")
print(f" Hash: {hash_val[:32]}...\n")
@staticmethod
def bcrypt_demo():
"""Demonstrate bcrypt hashing (conceptual)"""
print("\n" + "="*60)
print("bcrypt Hashing (Adaptive) Demonstration")
print("="*60)
print("""
bcrypt Features:
• Built-in salt (automatically generated)
• Configurable work factor (cost)
• Adaptive (can be made slower over time)
• Resistant to GPU cracking
• Industry standard for password storage
Example bcrypt hash format:
$2b$12$KIXx5yJZxP8Q.pU9vXzQdOS9XqzqQV.knR2tFpUvWQJYzUJ7zJ9Ly
Components:
• $2b$ = bcrypt version
• 12 = cost factor (2^12 iterations = 4096)
• KIXx5yJZxP8Q.pU9vXzQdO = salt (22 characters)
• S9XqzqQV.knR2tFpUvWQJYzUJ7zJ9Ly = hash (31 characters)
""")
PasswordHashing.hash_demo()
PasswordHashing.salting_demo()
PasswordHashing.bcrypt_demo()
3. Creating Strong Passwords
Password Generation
class PasswordGenerator:
"""Generate strong, secure passwords"""
def __init__(self):
self.lowercase = string.ascii_lowercase
self.uppercase = string.ascii_uppercase
self.digits = string.digits
self.special = "!@#$%^&*()_+-=[]{}|;:,.<>?"
self.ambiguous = "il1Lo0O"
def generate_random(self, length: int = 16,
use_upper: bool = True,
use_digits: bool = True,
use_special: bool = True,
avoid_ambiguous: bool = True) -> str:
"""Generate random password"""
chars = self.lowercase
if use_upper:
chars += self.uppercase
if use_digits:
chars += self.digits
if use_special:
chars += self.special
if avoid_ambiguous:
chars = ''.join(c for c in chars if c not in self.ambiguous)
password = ''.join(secrets.choice(chars) for _ in range(length))
return password
def generate_passphrase(self, words: int = 4,
separator: str = '-',
capitalize: bool = True,
add_number: bool = True) -> str:
"""Generate memorable passphrase"""
word_list = [
'apple', 'mountain', 'river', 'forest', 'ocean', 'thunder',
'sunset', 'morning', 'silver', 'golden', 'crystal', 'shadow',
'phoenix', 'dragon', 'eagle', 'falcon', 'raven', 'wolf',
'tiger', 'lion', 'bear', 'hawk', 'storm', 'lightning',
'thunder', 'galaxy', 'nebula', 'comet', 'asteroid'
]
# Use secrets for randomness
selected = [secrets.choice(word_list) for _ in range(words)]
if capitalize:
selected = [w.capitalize() for w in selected]
passphrase = separator.join(selected)
if add_number:
passphrase += str(secrets.randbelow(100))
return passphrase
def generate_pin(self, length: int = 6) -> str:
"""Generate numeric PIN"""
return ''.join(secrets.choice(self.digits) for _ in range(length))
def check_password_requirements(self, password: str,
min_length: int = 12,
require_upper: bool = True,
require_lower: bool = True,
require_digit: bool = True,
require_special: bool = True) -> Tuple[bool, List[str]]:
"""Check if password meets requirements"""
issues = []
if len(password) < min_length:
issues.append(f"Minimum {min_length} characters required")
if require_upper and not any(c.isupper() for c in password):
issues.append("At least one uppercase letter required")
if require_lower and not any(c.islower() for c in password):
issues.append("At least one lowercase letter required")
if require_digit and not any(c.isdigit() for c in password):
issues.append("At least one digit required")
if require_special and not any(c in string.punctuation for c in password):
issues.append("At least one special character required")
return len(issues) == 0, issues
# Generate some passwords
generator = PasswordGenerator()
print("Strong Password Generator")
print("=" * 60)
print("\nRandom Passwords:")
for i in range(5):
pwd = generator.generate_random(16)
result = analyzer.check_strength(pwd)
print(f" {pwd:20} → {result['strength']} ({result['entropy']} bits)")
print("\nMemorable Passphrases:")
for i in range(5):
phrase = generator.generate_passphrase(4)
result = analyzer.check_strength(phrase)
print(f" {phrase:25} → {result['strength']} ({result['entropy']} bits)")
print("\nPIN Codes:")
for i in range(5):
pin = generator.generate_pin(6)
result = analyzer.check_strength(pin)
print(f" {pin} → {result['strength']}")
Password Patterns to Avoid
class PasswordPatterns:
"""Common password patterns to avoid"""
@staticmethod
def bad_patterns():
"""List password patterns that should be avoided"""
patterns = {
"Sequential Numbers": ["123456", "12345678", "654321"],
"Keyboard Patterns": ["qwerty", "asdfgh", "zxcvbn", "1qaz2wsx"],
"Common Words": ["password", "admin", "letmein", "welcome"],
"Personal Info": ["name+birthday", "pet+year", "nickname+123"],
"Repeated Characters": ["aaaaaa", "111111", "abcabc"],
"Simple Variations": ["password1", "Password!", "P@ssw0rd"]
}
print("Password Patterns to AVOID")
print("=" * 60)
for pattern, examples in patterns.items():
print(f"\n• {pattern}:")
for ex in examples[:3]:
print(f" {ex}")
@staticmethod
def common_mistakes():
"""Common password creation mistakes"""
print("\nCommon Password Creation Mistakes")
print("=" * 60)
mistakes = [
"Using the same password across multiple sites",
"Using dictionary words or common phrases",
"Using personal information (names, birthdays)",
"Writing passwords down on paper or sticky notes",
"Storing passwords in unencrypted files",
"Sharing passwords via email or messaging",
"Using short passwords (<12 characters)",
"Using only lowercase letters",
"Using predictable substitutions (P@ssw0rd)",
"Not using 2FA when available"
]
for i, mistake in enumerate(mistakes, 1):
print(f" {i}. {mistake}")
PasswordPatterns.bad_patterns()
PasswordPatterns.common_mistakes()
4. Password Management
Password Manager Implementation
import json
import os
from cryptography.fernet import Fernet
from getpass import getpass
class PasswordManager:
"""Simple encrypted password manager (educational)"""
def __init__(self, master_password: str):
self.master_password = master_password
self.key = self._derive_key(master_password)
self.cipher = Fernet(self.key)
self.vault_file = "password_vault.enc"
self.vault = self._load_vault()
def _derive_key(self, password: str) -> bytes:
"""Derive encryption key from master password"""
# In production, use PBKDF2 or Argon2id
# This is simplified for demonstration
key = hashlib.sha256(password.encode()).digest()
return key
def _load_vault(self) -> dict:
"""Load encrypted vault"""
if os.path.exists(self.vault_file):
try:
with open(self.vault_file, 'rb') as f:
encrypted_data = f.read()
decrypted = self.cipher.decrypt(encrypted_data)
return json.loads(decrypted)
except Exception:
return {"entries": []}
return {"entries": []}
def _save_vault(self):
"""Save encrypted vault"""
encrypted = self.cipher.encrypt(json.dumps(self.vault).encode())
with open(self.vault_file, 'wb') as f:
f.write(encrypted)
def add_entry(self, site: str, username: str, password: str, notes: str = ""):
"""Add a password entry"""
entry = {
"site": site,
"username": username,
"password": password,
"notes": notes,
"created": time.time()
}
self.vault["entries"].append(entry)
self._save_vault()
print(f"✓ Added entry for {site}")
def get_entry(self, site: str) -> dict:
"""Retrieve password entry"""
for entry in self.vault["entries"]:
if entry["site"].lower() == site.lower():
return entry
return None
def list_entries(self):
"""List all stored entries"""
if not self.vault["entries"]:
print("No entries found")
return
print("\nStored Passwords:")
print("-" * 50)
for entry in self.vault["entries"]:
print(f" • {entry['site']}: {entry['username']}")
def generate_and_store(self, site: str, username: str):
"""Generate strong password and store it"""
generator = PasswordGenerator()
password = generator.generate_random(20)
self.add_entry(site, username, password)
# Copy to clipboard (conceptual)
print(f"Generated password: {password}")
print("(Password copied to clipboard)")
return password
# Example usage (conceptual - would require actual execution)
# pm = PasswordManager(getpass("Master Password: "))
# pm.generate_and_store("github.com", "myusername")
Password Hygiene Checklist
class PasswordHygiene:
"""Best practices for password management"""
@staticmethod
def checklist():
"""Password hygiene checklist"""
print("Password Hygiene Checklist")
print("=" * 60)
items = [
("Use unique passwords", "Every account has a different password"),
("Use long passwords", "Minimum 12-16 characters, preferably passphrases"),
("Use a password manager", "Generate and store complex passwords securely"),
("Enable 2FA/MFA", "Add second factor when available"),
("Regular password changes", "Change when compromised, not arbitrarily"),
("Check for breaches", "Use haveibeenpwned.com to check compromised accounts"),
("Avoid password reuse", "Never reuse passwords across important accounts"),
("Secure recovery options", "Keep recovery emails/phone numbers updated"),
("Monitor accounts", "Watch for unauthorized access"),
("Educate yourself", "Stay informed about phishing and social engineering")
]
for i, (item, description) in enumerate(items, 1):
print(f"\n{i}. {item}")
print(f" → {description}")
@staticmethod
def breach_check_demo():
"""Demonstrate checking for breached passwords"""
print("\n" + "="*60)
print("Breached Password Check")
print("="*60)
print("""
Using Have I Been Pwned API (k-anonymity model):
1. Password is hashed with SHA-1
2. First 5 characters of hash are sent to API
3. API returns all hash suffixes with that prefix
4. Client checks if full hash is in the list
5. Your password is never sent to the server
Example:
Password: "password123"
SHA-1: 4c9e5e7f5b8e9c7d1a2b3c4d5e6f7a8b9c0d1e2f
Prefix: 4c9e5
API returns: [e7f5b8e9c7d1a2b3c4d5e6f7a8b9c0d1e2f, ...]
If full hash matches, password has been seen in breaches.
""")
PasswordHygiene.checklist()
PasswordHygiene.breach_check_demo()
5. Multi-Factor Authentication (MFA)
class MFA:
"""Multi-Factor Authentication concepts"""
@staticmethod
def explain_mfa():
"""Explain MFA types and benefits"""
print("Multi-Factor Authentication (MFA)")
print("=" * 60)
factors = {
"Something You Know": {
"examples": ["Password", "PIN", "Security questions"],
"strength": "Weak (can be guessed or phished)"
},
"Something You Have": {
"examples": ["SMS code", "Authenticator app", "Hardware token", "Smart card"],
"strength": "Strong (physical possession required)"
},
"Something You Are": {
"examples": ["Fingerprint", "Face ID", "Retina scan", "Voice recognition"],
"strength": "Strong (biometric unique to user)"
},
"Something You Do": {
"examples": ["Typing pattern", "Mouse movement", "Gait recognition"],
"strength": "Moderate (behavioral biometrics)"
},
"Somewhere You Are": {
"examples": ["Location-based", "IP address", "Geofencing"],
"strength": "Weak (can be spoofed)"
}
}
print("\nAuthentication Factors:")
for factor, details in factors.items():
print(f"\n🔐 {factor}")
print(f" Examples: {', '.join(details['examples'])}")
print(f" Strength: {details['strength']}")
print("\n" + "="*60)
print("MFA Methods (from strongest to weakest):")
methods = [
("Hardware Security Key", "FIDO2/WebAuthn, YubiKey - phishing resistant"),
("Authenticator App", "TOTP (Google Authenticator, Authy) - offline"),
("Push Notification", "Duo, Microsoft Authenticator - user confirmation"),
("SMS/Text Message", "Phone number - vulnerable to SIM swapping"),
("Email Code", "Email - vulnerable to account compromise"),
("Backup Codes", "One-time use, store securely")
]
for method, description in methods:
print(f" • {method}: {description}")
MFA.explain_mfa()
TOTP (Time-based One-Time Password) Demonstration
import pyotp # Requires: pip install pyotp
class TOTPDemo:
"""Demonstrate TOTP implementation"""
@staticmethod
def generate_secret():
"""Generate a TOTP secret"""
secret = pyotp.random_base32()
print(f"Generated Secret: {secret}")
return secret
@staticmethod
def generate_qr_uri(secret, issuer, account):
"""Generate URI for QR code"""
totp = pyotp.TOTP(secret)
uri = totp.provisioning_uri(name=account, issuer_name=issuer)
print(f"\nOTP URI: {uri}")
print("(This URI can be converted to QR code for scanning)")
return uri
@staticmethod
def verify_code(secret, code):
"""Verify TOTP code"""
totp = pyotp.TOTP(secret)
is_valid = totp.verify(code)
return is_valid
@staticmethod
def demo():
"""Run TOTP demonstration"""
print("TOTP (Time-based One-Time Password) Demo")
print("=" * 60)
print("""
TOTP Algorithm:
Code = Truncate(HMAC-SHA1(Secret, Time / 30))
• Time step: 30 seconds
• 6-8 digit codes
• Time-based, not counter-based
• Implemented in Google Authenticator, Authy, etc.
""")
# Generate a secret
secret = TOTPDemo.generate_secret()
# Generate a code
totp = pyotp.TOTP(secret)
code = totp.now()
print(f"\nCurrent TOTP Code: {code}")
print(f"Valid for next {totp.interval - (time.time() % totp.interval):.0f} seconds")
# Verify
is_valid = totp.verify(code)
print(f"\nVerification: {'✓ Valid' if is_valid else '✗ Invalid'}")
# Generate backup codes
print("\nBackup Codes (concept):")
backup_codes = [f"{secrets.randbelow(100000):05d}" for _ in range(10)]
for code in backup_codes:
print(f" • {code}")
6. Enterprise Password Security
Password Policy Implementation
class PasswordPolicy:
"""Enterprise password policy implementation"""
def __init__(self):
self.policy = {
"min_length": 12,
"max_length": 128,
"require_uppercase": True,
"require_lowercase": True,
"require_digits": True,
"require_special": True,
"max_age_days": 90,
"prevent_reuse": 5,
"lockout_attempts": 5,
"lockout_minutes": 30,
"password_history": []
}
def validate_password(self, password: str) -> Tuple[bool, List[str]]:
"""Validate password against policy"""
errors = []
if len(password) < self.policy["min_length"]:
errors.append(f"Minimum length: {self.policy['min_length']} characters")
if len(password) > self.policy["max_length"]:
errors.append(f"Maximum length: {self.policy['max_length']} characters")
if self.policy["require_uppercase"] and not any(c.isupper() for c in password):
errors.append("At least one uppercase letter required")
if self.policy["require_lowercase"] and not any(c.islower() for c in password):
errors.append("At least one lowercase letter required")
if self.policy["require_digits"] and not any(c.isdigit() for c in password):
errors.append("At least one digit required")
if self.policy["require_special"] and not any(c in string.punctuation for c in password):
errors.append("At least one special character required")
# Check against password history
if password in self.policy["password_history"]:
errors.append("Password has been used recently")
return len(errors) == 0, errors
def record_password(self, password: str):
"""Record password in history"""
# In production, store hashed passwords, not plaintext
self.policy["password_history"].append(password)
# Keep only last N passwords
self.policy["password_history"] = self.policy["password_history"][-self.policy["prevent_reuse"]:]
def check_password_age(self, last_changed: float) -> bool:
"""Check if password needs to be changed"""
days_since_change = (time.time() - last_changed) / 86400
return days_since_change < self.policy["max_age_days"]
def get_policy_summary(self) -> str:
"""Get policy summary"""
return f"""
Password Policy Summary:
• Minimum Length: {self.policy['min_length']}
• Maximum Length: {self.policy['max_length']}
• Uppercase Required: {self.policy['require_uppercase']}
• Lowercase Required: {self.policy['require_lowercase']}
• Digits Required: {self.policy['require_digits']}
• Special Characters: {self.policy['require_special']}
• Max Age: {self.policy['max_age_days']} days
• Password History: {self.policy['prevent_reuse']}
• Lockout: {self.policy['lockout_attempts']} attempts / {self.policy['lockout_minutes']} minutes
"""
# Example policy
policy = PasswordPolicy()
print(policy.get_policy_summary())
test_passwords = [
"weak",
"Short1!",
"ThisIsALongPassword123!",
"NoSpecialChars123",
"ValidP@ssw0rd123!"
]
print("\nPolicy Validation Results:")
for pwd in test_passwords:
valid, errors = policy.validate_password(pwd)
status = "✓" if valid else "✗"
print(f"\n{status} {pwd}")
if errors:
for error in errors:
print(f" • {error}")
7. Real-World Password Breaches
class BreachAnalysis:
"""Analysis of major password breaches"""
@staticmethod
def major_breaches():
"""List major password breaches"""
breaches = [
{
"name": "RockYou (2009)",
"records": "32 million",
"method": "SQL injection",
"lesson": "Plaintext storage - passwords exposed"
},
{
"name": "Adobe (2013)",
"records": "153 million",
"method": "Weak encryption",
"lesson": "Poor encryption (same IV) allowed reverse engineering"
},
{
"name": "Yahoo (2013-2014)",
"records": "3 billion",
"method": "State-sponsored attack",
"lesson": "Outdated security, slow detection"
},
{
"name": "LinkedIn (2016)",
"records": "167 million",
"method": "Weak hashing (SHA1)",
"lesson": "No salt, weak hashing"
},
{
"name": "Collection #1-5 (2019)",
"records": "2.2 billion",
"method": "Aggregated breaches",
"lesson": "Credential reuse is dangerous"
},
{
"name": "Facebook (2019)",
"records": "533 million",
"method": "Unsecured database",
"lesson": "Poor security controls"
}
]
print("Major Password Breaches")
print("=" * 70)
for breach in breaches:
print(f"\n📁 {breach['name']}")
print(f" Records: {breach['records']}")
print(f" Method: {breach['method']}")
print(f" Lesson: {breach['lesson']}")
@staticmethod
def most_common_breached_passwords():
"""Most common passwords found in breaches"""
common = [
("123456", "32M+ times"),
("password", "20M+ times"),
("123456789", "15M+ times"),
("qwerty", "10M+ times"),
("12345678", "8M+ times"),
("111111", "6M+ times"),
("12345", "5M+ times"),
("admin", "4M+ times"),
("letmein", "3M+ times"),
("welcome", "2.5M+ times")
]
print("\n" + "="*70)
print("Most Common Compromised Passwords")
print("="*70)
print("Password Occurrences")
print("-" * 40)
for pwd, count in common:
print(f"{pwd:16} {count}")
BreachAnalysis.major_breaches()
BreachAnalysis.most_common_breached_passwords()
8. Password Security Best Practices
class BestPractices:
"""Password security best practices"""
@staticmethod
def dos_and_donts():
"""Password security dos and don'ts"""
print("Password Security: DOs and DON'Ts")
print("=" * 60)
print("\n✅ DO:")
dos = [
"Use long passphrases (4+ random words)",
"Use a password manager",
"Enable 2FA/MFA everywhere possible",
"Use unique passwords for each account",
"Check if your accounts have been breached",
"Use hardware security keys for critical accounts",
"Keep recovery options up to date",
"Monitor account activity for suspicious access"
]
for item in dos:
print(f" • {item}")
print("\n❌ DON'T:")
donts = [
"Use the same password across multiple sites",
"Use dictionary words or common patterns",
"Use personal information (names, birthdays)",
"Write passwords on sticky notes",
"Share passwords via email or text",
"Use short passwords (<12 characters)",
"Store passwords in browsers without master password",
"Ignore security alerts or breach notifications"
]
for item in donts:
print(f" • {item}")
@staticmethod
def password_manager_recommendations():
"""Password manager recommendations"""
print("\n" + "="*60)
print("Password Manager Recommendations")
print("="*60)
managers = [
("Bitwarden", "Open-source, self-hostable, free tier"),
("1Password", "Premium, family plans, excellent UI"),
("Dashlane", "Built-in VPN, dark web monitoring"),
("KeePass", "Open-source, offline, highly secure"),
("Apple Keychain", "Built-in, ecosystem integration"),
("LastPass", "Popular, but recent security concerns")
]
print("\nPopular Password Managers:")
for name, description in managers:
print(f" • {name}: {description}")
print("\nFeatures to look for:")
features = [
"End-to-end encryption",
"Zero-knowledge architecture",
"Cross-platform support",
"Secure sharing capabilities",
"Breach monitoring",
"2FA/MFA support",
"Password generation",
"Autofill functionality"
]
for feature in features:
print(f" • {feature}")
BestPractices.dos_and_donts()
BestPractices.password_manager_recommendations()
9. Future of Authentication
class FutureAuthentication:
"""Emerging authentication technologies"""
@staticmethod
def emerging_technologies():
"""Discuss future password alternatives"""
print("Future of Authentication")
print("=" * 60)
technologies = {
"Passkeys (FIDO2/WebAuthn)": {
"description": "Cryptographic keys stored on devices",
"benefits": "Phishing-resistant, no passwords, biometric protected"
},
"Passwordless Email/SMS": {
"description": "Magic links or one-time codes",
"benefits": "No passwords to remember or steal"
},
"Biometric Authentication": {
"description": "Fingerprint, face, voice, behavioral",
"benefits": "Unique to user, convenient"
},
"Continuous Authentication": {
"description": "Always verifying based on behavior",
"benefits": "Active session security"
},
"Zero-Knowledge Proofs": {
"description": "Prove knowledge without revealing",
"benefits": "Mathematically secure authentication"
},
"Blockchain Identity": {
"description": "Decentralized identity management",
"benefits": "User-controlled, no central authority"
}
}
for name, details in technologies.items():
print(f"\n🔐 {name}")
print(f" {details['description']}")
print(f" Benefits: {details['benefits']}")
@staticmethod
def passkeys_explained():
"""Explain passkeys in detail"""
print("\n" + "="*60)
print("Passkeys (FIDO2/WebAuthn) Explained")
print("="*60)
print("""
What are Passkeys?
• Modern, passwordless authentication standard
• Uses public-key cryptography
• Each account has a unique key pair
• Private key stays on user's device
• Public key stored on service
How it works:
1. User creates account
2. Device generates key pair
3. Public key sent to service
4. Login: service challenges device
5. Device signs challenge with private key
6. Service verifies signature
Benefits:
• Phishing-resistant (won't work on fake sites)
• No passwords to remember
• Biometric-protected
• Synchronized across devices
• Works with existing accounts
Supported by: Apple (iOS 16+), Google (Android 14+), Microsoft (Windows 11)
Adopted by: Google, GitHub, PayPal, etc.
""")
FutureAuthentication.emerging_technologies()
FutureAuthentication.passkeys_explained()
Conclusion
Password security is fundamental to protecting our digital lives. This comprehensive guide has covered:
Key Takeaways
- Password Strength: Length matters more than complexity
- Unique Passwords: Never reuse passwords across sites
- Password Managers: Essential for managing many complex passwords
- 2FA/MFA: Always enable when available
- Breach Awareness: Monitor if your accounts have been compromised
- Phishing: Be vigilant against social engineering
- Passkeys: The future of passwordless authentication
Password Security Checklist
- [ ] Use a password manager
- [ ] Create unique passwords for each account
- [ ] Use passphrases (4+ random words)
- [ ] Enable 2FA on all important accounts
- [ ] Use hardware security keys for critical accounts
- [ ] Check haveibeenpwned.com regularly
- [ ] Never share passwords
- [ ] Keep recovery options current
- [ ] Monitor account activity
- [ ] Stay informed about security threats
Final Thoughts
Passwords remain the primary authentication method for the foreseeable future. By following best practices—using password managers, enabling 2FA, and creating strong, unique passwords—you can dramatically reduce your risk of account compromise. Remember: security is not about perfection; it's about making it harder for attackers to succeed.