Password Security Glossary

Password security involves a fair amount of jargon. This glossary defines the most common terms in plain language so you can follow guides, news articles, and breach reports with confidence.

Terms

Brute force attack
An attack method that systematically tries every possible combination of characters until the correct password is found. The time required grows exponentially with password length, which is why longer passwords are harder to crack.
Breach
An incident in which unauthorised individuals gain access to data held by an organisation. In the context of passwords, a breach typically means that a database of user credentials has been stolen. Breached passwords often end up on public lists used by attackers.
Dictionary attack
A type of attack that uses a pre-compiled list of common words, phrases, and known passwords rather than trying every possible combination. Dictionary attacks are faster than brute force and are effective against passwords based on real words or predictable patterns.
Entropy
A measure of how unpredictable a password is, expressed in bits. Higher entropy means more possible combinations and greater resistance to guessing. A truly random 12-character password using uppercase letters, lowercase letters, digits, and symbols has roughly 79 bits of entropy.
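
Worked example, added here and not part of the original glossary: the figure above comes from the formula length × log2(alphabet size). The code below computes that for any mix of character classes, for random-word passphrases, and in reverse (how many characters a target entropy needs). It assumes the symbol class is the 32 printable ASCII punctuation characters in Python's `string.punctuation`, since the glossary does not say how many symbols it counts; with that assumption the alphabet has 94 characters and 12 of them give the "roughly 79 bits" quoted.

```python
import math
import string

# Sizes of the character classes named in the glossary entry. The symbol count is
# an assumption: the 32 printable ASCII punctuation characters in string.punctuation.
CHARSET_SIZES = {
    "lower": len(string.ascii_lowercase),   # 26
    "upper": len(string.ascii_uppercase),   # 26
    "digits": len(string.digits),           # 10
    "symbols": len(string.punctuation),     # 32
}
ALL_CLASSES = ("lower", "upper", "digits", "symbols")


def alphabet_size(classes):
    """Number of distinct characters available when drawing from the given classes."""
    return sum(CHARSET_SIZES[c] for c in classes)


def entropy_bits(length, classes=ALL_CLASSES):
    """Entropy of a uniformly random password: length * log2(alphabet size).

    Each extra character adds log2(alphabet) bits, i.e. multiplies the number of
    candidates a brute force attack must try by the alphabet size. That is the
    exponential growth the brute force entry refers to.
    """
    return length * math.log2(alphabet_size(classes))


def passphrase_entropy_bits(words, wordlist_size):
    """Same formula for a passphrase: each randomly chosen word contributes
    log2(wordlist_size) bits, however long the words themselves are."""
    return words * math.log2(wordlist_size)


def chars_needed(target_bits, classes=ALL_CLASSES):
    """Smallest password length whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size(classes)))


def worst_case_guesses(bits):
    """Candidates a brute force attack must try to exhaust a space of `bits` entropy."""
    return 2 ** bits


if __name__ == "__main__":
    print(f"12 chars, all four classes: {entropy_bits(12):.1f} bits")
    print(f"8 chars, lowercase only:    {entropy_bits(8, ['lower']):.1f} bits")
    # 7776 words is the size of diceware-style lists (assumption for this example).
    print(f"4 random words from 7776:   {passphrase_entropy_bits(4, 7776):.1f} bits")
    print(f"chars for 80 bits (all classes / lowercase): "
          f"{chars_needed(80)} / {chars_needed(80, ['lower'])}")
```

Note that the formula only holds for passwords chosen uniformly at random; a human-chosen password drawn from words and predictable patterns is exactly what the dictionary attack entry exploits, and its real entropy is far lower than its length suggests.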
Hashing
A one-way mathematical process that converts a password into a fixed-length string of characters. Well-designed services store hashes rather than plain-text passwords. When you log in, the service hashes your input and compares it to the stored hash. Modern hashing algorithms such as bcrypt and Argon2 are deliberately slow to make brute force attacks impractical.
Multi-factor authentication (MFA)
A login method that requires two or more independent forms of verification, typically a password plus a time-based code from an app, a physical security key, or a biometric check. MFA significantly reduces the risk of account compromise. Also referred to as two-factor authentication (2FA) when exactly two factors are used.
Passkey
A passwordless credential based on public-key cryptography. Your device stores a private key and proves its identity to the server without ever sending the key itself. Passkeys are phishing-resistant because they are bound to a specific website and cannot be reused on a fake one.
Passphrase
A credential made up of multiple words, typically four or more, chosen at random. Passphrases are long and therefore high in entropy, yet easier to remember than an equivalent-length string of random characters. They work well as master passwords for vaults and device logins.
Password manager
An application that generates, stores, and auto-fills strong, unique passwords for each of your accounts. The vault is protected by a single master password. Reputable managers use end-to-end encryption so that even the provider cannot read your stored credentials.
Phishing
A social engineering attack in which an attacker impersonates a trusted entity, usually through email or a fake website, to trick you into revealing your credentials. Phishing is one of the most common ways passwords are stolen. Checking URLs carefully and using a password manager that only auto-fills on legitimate sites can help you avoid it.

Frequently asked questions

What is the difference between encryption and hashing?

Encryption is reversible. With the correct key, encrypted data can be turned back into its original form. Hashing is a one-way process. You cannot recover the original password from a hash. Services use hashing for password storage and encryption for data that needs to be read again later.

How do I know if my password was in a breach?

Breach notification services let you check whether your email address or password has appeared in known data leaks. The UK National Cyber Security Centre also provides guidance on checking for compromised credentials.