Overview
Password Authentication is an Authentication Method which uses a UserId and password combination as credentials. See also: What To Do About Passwords and are there any effective alternatives?
Password Authentication Security Considerations
Password Authentication is generally not considered "Sufficient" for the protection of any Protected Resource.
For years, information security experts have emphasized the importance of practicing good password hygiene—that is, using a unique and unguessable password for every individual site on which Traditional Registration is required. However, these Password Complexity requirements fail to account for the Human Element.
Humans reuse passwords, and Password Reuse happens a lot more frequently than security professionals would ever like to admit. In fact, a 2011 analysis by Troy Hunt, using real data from accounts that were compromised at Sony and Gawker in 2010, revealed that 67% of users registered at both Gawker and an affected Sony site used the same password at both sites. People who registered at two separate Sony sites reused the same password 92% of the time. And it’s hard to blame them, as the task of remembering "strong" and unique passwords across every site where your users are registered is nearly impossible.
The net result is that even if you believe you have impenetrable defenses against hackers, password reuse and password fatigue leave your users and your data vulnerable whenever a completely different site is breached.
Furthermore, it’s a rare company that truly has an impenetrable defense against hackers. In addition to security issues, implementing Traditional Registration on a site also increases costs. Not only is there a cost to securing and encrypting registration data to prevent the kind of security breaches that have become all too common, but there are support costs, as well. Anyone running a site that requires users to sign in knows that the number one driver of customer support calls is users who can’t remember their credentials. In fact, Forrester has reported that password reset requests comprise 20-50% of the customer support volume for an online business, at an average cost of $70 per password-related support request. Ironically, the very reason why these users can’t sign in is often because they were practicing good password hygiene and cannot remember their secure passwords.
There are hidden costs related to Traditional Registration, as well. In a 2012 study commissioned by Janrain, nine out of ten survey respondents admitted to having left a website when they could not remember the username or password they had registered there, costing companies customers and revenue.
Password Authentication should only be used as part of a Multi-Factor Authentication