Home

passbased

Passbased is a term used to describe authentication methods that rely primarily on passwords as the user’s secret. In security discussions, passbased authentication involves a user providing a password, which is then verified by calculating a hash of the password with a stored salt and comparing it to a stored hash. Robust implementations use password hashing algorithms such as PBKDF2, bcrypt, scrypt, or Argon2 to make brute-force attacks more difficult. The use of salts prevents the reuse of hash values across users and protects against precomputed attacks.

In typical passbased systems, the server stores salted password hashes rather than plain-text passwords. During login,

Limitations of passbased authentication include vulnerability to phishing, credential stuffing, and password reuse across sites. Human

See also: password-based authentication, password hashing, multi-factor authentication, password policies, WebAuthn.

the
server
retrieves
the
user’s
salt,
hashes
the
provided
password
with
that
salt,
and
checks
for
a
match.
Defenses
commonly
accompany
this
process,
including
rate
limiting,
account
lockout
policies,
and
monitoring
for
suspicious
activity.
To
bolster
security,
many
implementations
pair
passwords
with
additional
factors
or
controls,
a
practice
known
as
multi-factor
authentication
(MFA).
Organizations
also
encourage
strong
password
practices
and
the
use
of
password
managers
to
reduce
reuse
and
weak
credentials.
factors—such
as
choosing
weak
passwords
or
reusing
the
same
password—can
significantly
weaken
security.
As
a
result,
there
has
been
a
shift
in
many
environments
toward
passwordless
approaches
that
rely
on
cryptographic
keys
or
hardware
authenticators,
while
passbased
methods
remain
widely
used
due
to
compatibility
and
simplicity.