🔐 Password Security Glossary 51 terms

Advanced Encryption Standard: Symmetric block cipher using 256-bit keys. The U.S. government standard (NIST FIPS 197) for encrypting classified information. AES-256 is used by password managers to encrypt your vault. With 2²⁵⁶ possible keys, a brute-force attack would take longer than the age of the universe even with all current computing power combined.

Winner of the 2015 Password Hashing Competition (PHC), designed specifically to be memory-hard — requiring significant RAM to compute — making it resistant to GPU/ASIC brute-force attacks. Argon2 has three variants: Argon2d (GPU-resistant, data-dependent memory access), Argon2i (side-channel-resistant, data-independent), and Argon2id (hybrid, recommended default). The OWASP organization recommends Argon2id for new password storage implementations.

The process of verifying that someone is who they claim to be. Authentication can be based on something you know (password), something you have (hardware key), or something you are (biometrics). Modern security best practice recommends combining at least two of these factors (multi-factor authentication) to significantly reduce account takeover risk.

The process of determining what an authenticated user is allowed to do. Often confused with authentication: authentication is "who are you?" while authorization is "what are you allowed to do?" Role-based access control (RBAC) and attribute-based access control (ABAC) are common authorization frameworks.

A password hashing function designed by Niels Provos and David Mazières in 1999, still widely used today. Bcrypt includes an adaptive cost factor (work factor) that can be increased as hardware becomes faster, keeping brute-force attacks computationally expensive. It automatically incorporates a random 128-bit salt. While bcrypt remains secure, Argon2id is now preferred for new implementations because bcrypt's 72-character password limit and lack of memory hardness are modern limitations.

Authentication using unique physical characteristics: fingerprints, facial geometry, iris patterns, voice prints, or behavioral patterns like typing rhythm. Biometrics are convenient but cannot be "changed" if compromised. Best practice is to use biometrics as one factor in MFA (something you are) rather than as the sole authentication method. Modern implementations store biometric templates on-device in secure enclaves (Apple's Secure Enclave, Android's Trusted Execution Environment) rather than in cloud databases.

A method of cracking passwords or encryption keys by systematically trying every possible combination until the correct one is found. The time required scales exponentially with password length and character set. An 8-character password using only lowercase letters has 26⁸ ≈ 200 billion combinations; adding uppercase, numbers, and symbols increases that to 94⁸ ≈ 6 quadrillion. Modern GPUs can test billions of hashes per second, making short passwords extremely vulnerable.

An algorithm for performing encryption or decryption. Symmetric ciphers (AES, ChaCha20) use the same key for both operations. Asymmetric ciphers (RSA, ECC) use a public key for encryption and a private key for decryption. Block ciphers (AES) operate on fixed-size data blocks; stream ciphers (ChaCha20) encrypt one bit or byte at a time. The security of a cipher depends on both the algorithm strength and the key length.

A cyberattack that uses large collections of stolen username/password pairs from previous data breaches to gain unauthorized access to other accounts. Attackers rely on password reuse — the same credentials work across multiple services. Automated tools test millions of credential pairs per hour. With billions of compromised credentials available on the dark web, credential stuffing causes millions of account takeovers annually. Unique passwords per site and 2FA are the primary defenses.

Cryptographically Secure Pseudo-Random Number Generator: A random number generator that meets strict cryptographic requirements: outputs must be statistically indistinguishable from true randomness, and outputs must be computationally infeasible to predict even if prior outputs are known. Operating systems provide CSPRNGs via /dev/urandom (Linux), CryptGenRandom (Windows), or SecRandomCopyBytes (iOS/macOS). Password managers use CSPRNGs to generate random passwords.

The portion of the internet not indexed by standard search engines, accessible only through anonymizing networks like Tor. The dark web hosts illicit marketplaces where stolen credentials, personal data, and financial information are bought and sold. After major data breaches, compromised credentials typically appear on dark web forums within hours. Services like Have I Been Pwned (HIBP) aggregate and index these leaked databases to allow individuals to check if their accounts have been compromised.

A security incident in which sensitive, protected, or confidential data is accessed, disclosed, or stolen by unauthorized parties. Password-related breaches expose hashed or (in poorly secured systems) plaintext credentials. The scale of modern breaches is staggering: the 2024 National Public Data breach exposed approximately 2.9 billion records; Yahoo's 2013–2016 breach exposed 3 billion accounts. Post-breach, companies must notify affected users, investigate the compromise, and strengthen security controls.

A type of brute-force attack that uses a predefined list of likely passwords — a "dictionary" — rather than trying every possible character combination. Dictionaries include common passwords (123456, password), words from natural languages, common name+number patterns, and variations using letter substitutions (p@ssw0rd). Dictionary attacks are far more efficient than pure brute force against human-chosen passwords because people predictably choose common words and patterns.

The process of transforming readable data (plaintext) into an unreadable format (ciphertext) using a mathematical algorithm and key, so that only authorized parties with the correct key can decrypt and read the data. Encryption protects data in transit (TLS/HTTPS) and at rest (disk encryption, password manager vaults). Unlike hashing, encryption is reversible — the same data can be decrypted with the key. Passwords should never be encrypted (because the key could be compromised); they should be hashed instead.

A measurement of the unpredictability or randomness of a password, expressed in bits. Higher entropy means a password is harder to guess. Entropy is calculated as: E = log₂(R^L), where R is the size of the character set and L is the password length. An 8-character lowercase password has about 37.6 bits of entropy; a 16-character random password using all printable ASCII characters has about 105 bits. NIST recommends at least 80 bits of entropy for high-security applications. Passphrases achieve high entropy through length rather than complexity.

An authentication standard developed by the FIDO Alliance and W3C that enables strong, hardware-bound authentication without passwords. FIDO2 consists of two components: WebAuthn (a browser API) and CTAP2 (the protocol for communicating with hardware authenticators). FIDO2 credentials are phishing-resistant because they are cryptographically bound to the specific origin (domain) that registered them, making them useless on fake websites.

A mathematical function that transforms input data of arbitrary size into a fixed-size output (digest) deterministically and in one direction. Good cryptographic hash functions are collision-resistant (infeasible to find two inputs producing the same hash), preimage-resistant (infeasible to reverse the hash to find the input), and avalanche-sensitive (a tiny input change produces a completely different hash). SHA-256 produces 256-bit hashes; SHA-3 and BLAKE3 are modern alternatives. For password storage, specialized password hashing functions (bcrypt, Argon2) are preferred over general-purpose hash functions.

Have I Been Pwned: A free service created by security researcher Troy Hunt in 2013 that allows users to check whether their email addresses or passwords appear in known data breaches. HIBP aggregates over 13 billion compromised passwords. The service uses k-anonymity for password lookups: only the first 5 characters of a SHA-1 hash are sent to the API, and the complete hash is never transmitted. HIBP is used by browser vendors (Firefox Monitor, Google Password Checkup), password managers, and enterprise security tools.

The fraudulent acquisition and use of another person's private identifying information, usually for financial gain. In the digital context, identity thieves use stolen credentials, social security numbers, and personal data to open accounts, make purchases, or take over existing accounts. Data breaches are the primary source of identity theft material. Credit monitoring services, identity theft insurance, and services that alert you to new accounts opened in your name help detect and respond to identity theft.

JSON Web Token: An open standard (RFC 7519) for transmitting information between parties as a compact, self-contained JSON object that can be optionally signed and/or encrypted. JWTs are widely used for authentication (proving identity) and authorization (verifying permissions) in web applications and APIs. A signed JWT cannot be altered without invalidating the signature. Security considerations include using strong signing algorithms (RS256, ES256 instead of HS256 with weak secrets), proper expiration, and secure storage (httpOnly cookies rather than localStorage to prevent XSS theft).

A privacy protection concept where a query can only be answered if the response applies to at least k individuals, preventing individual identification. In password breach checking, k-anonymity means that only the first 5 characters of a SHA-1 password hash are sent to the breach database API. The API returns all hash suffixes that match those 5 characters (typically hundreds of results), and the client locally checks whether its complete hash appears in the list. This design, used by HIBP, means the server never learns which specific password is being checked.

Malware that records keystrokes on an infected device, capturing everything typed including passwords, credit card numbers, and personal messages. Keyloggers can be software-based (installed as malware) or hardware-based (physical devices inserted between keyboard and computer). They defeat password strength since even a 32-character random password is captured as typed. Defenses include keeping devices clean of malware, using 2FA (which renders captured passwords less useful), and using password managers (which autofill without exposing keystrokes to the typing interface).

See Keylogger. Also refers to the broader study of typing patterns (keystroke dynamics) as a behavioral biometric: measuring typing rhythm, pressure, and intervals to verify user identity. Keystroke dynamics can detect unauthorized users even if they know the correct password, because each person's typing pattern is uniquely measurable.

The single password used to unlock and decrypt a password manager vault. A master password should be extremely strong (16+ characters, ideally a passphrase) and memorized rather than written digitally. The master password is used to derive the encryption key for your vault using a key derivation function (KDF) like PBKDF2 or Argon2. It is never sent to the password manager's servers in zero-knowledge architectures; only the encrypted vault is stored remotely.

Multi-Factor Authentication: Authentication that requires two or more independent verification factors from different categories: knowledge (password/PIN), possession (hardware key/phone), and inherence (biometrics). Also called two-factor authentication (2FA) when exactly two factors are used. MFA dramatically reduces account takeover risk: Microsoft's 2019 research found that MFA blocks 99.9% of automated attacks. The most secure MFA options are hardware security keys (FIDO2/WebAuthn); authenticator apps (TOTP) are also strong; SMS-based 2FA is weakest but still far better than no MFA.

National Institute of Standards and Technology: U.S. federal agency that publishes widely adopted security standards. NIST Special Publication 800-63B (Digital Identity Guidelines, revised 2017 and 2024) transformed password security thinking: eliminating mandatory periodic password changes, recommending 8+ character minimums with 64+ character maximums, requiring breach-database checking, banning common passwords, allowing passphrases, and eliminating complex composition rules (requiring uppercase + numbers + symbols). NIST's guidelines are adopted by many organizations and inform global security standards.

A FIDO2/WebAuthn credential that replaces passwords entirely, using public-key cryptography stored on a user's device. When you register a passkey, your device generates a unique key pair: the private key stays on your device (protected by biometrics or PIN), and the public key is stored by the service. Login involves a cryptographic challenge-response — your private key signs a server challenge, proving possession without transmitting a secret. Passkeys are phishing-resistant (domain-bound), cannot be phished or stolen through credential stuffing (since each service has a unique key), and support cross-device sync through iCloud Keychain, Google Password Manager, or third-party password managers.

Software that generates, stores, and autofills strong unique passwords for each of your accounts, protected behind a single master password. Password managers eliminate the password reuse problem that enables credential stuffing attacks. They typically offer vault encryption (AES-256), cross-device sync, breach monitoring, and secure sharing. Types: cloud-based (Bitwarden, 1Password, Dashlane), local/offline (KeePassXC), and browser-built-in (Chrome, Safari, Firefox). Zero-knowledge managers cannot access your passwords even if subpoenaed.

An attack that tries a small number of commonly used passwords (Password1!, Welcome2024, etc.) against a large number of accounts, bypassing account lockout controls that trigger after multiple failed attempts on a single account. Unlike brute force (many passwords on one account), password spraying uses one password against many accounts. Particularly effective against organizations with predictable default or temporary passwords. Defenses include banning common passwords, enforcing unique passwords, and monitoring for distributed login failures.

Password-Based Key Derivation Function 2: A key derivation function that applies a pseudorandom function (such as HMAC-SHA256) to the input password along with a salt value, repeating the process a specified number of iterations to produce a derived key. The iteration count makes brute-force attacks more expensive. PBKDF2 is recommended by NIST (SP 800-132) and is used in many systems including WPA2 WiFi, iOS device encryption, and password managers. Modern recommendations suggest 600,000+ iterations with SHA-256. While still secure, Argon2id is preferred for new implementations due to PBKDF2's lack of memory hardness.

A secret value added to a password before hashing, in addition to the per-user salt. Unlike a salt (which is stored in the database alongside the hash), a pepper is kept secret — typically in application configuration, a hardware security module (HSM), or environment variable. A pepper adds an extra layer of protection: even if an attacker steals the entire database (hashes + salts), they cannot crack the passwords without also knowing the pepper. The pepper concept was formalized by NIST SP 800-63B.

A social engineering attack that uses fraudulent communications — emails, text messages (smishing), or phone calls (vishing) — impersonating legitimate entities to trick recipients into revealing credentials or sensitive information. Credential phishing creates convincing fake login pages that capture username/password pairs in real time. More sophisticated attacks (adversary-in-the-middle phishing) can bypass SMS-based 2FA by proxying the authentication process. FIDO2/WebAuthn hardware keys are phishing-resistant because they are cryptographically bound to the correct domain.

Public Key Infrastructure: The framework of policies, procedures, hardware, software, and certificates that manage digital certificates and public key encryption. PKI enables HTTPS (TLS/SSL) through certificate authorities (CAs) that vouch for the binding between a domain name and a public key. In password context, PKI is used in FIDO2/WebAuthn authentication: each passkey involves a public/private key pair where the public key is registered with the service and the private key never leaves the user's device.

Unencrypted, human-readable data — the original form of data before encryption is applied, or after it has been decrypted. In the context of passwords, "plaintext" storage means passwords are stored without hashing or encryption, readable by anyone with database access. Storing passwords in plaintext is a critical security vulnerability. A red flag: if you click "Forgot Password" and receive your actual password (rather than a reset link), that company stores passwords in plaintext. GDPR and other regulations effectively require proper password hashing.

A precomputed lookup table used to reverse cryptographic hash functions — mapping hash values back to the original plaintext passwords. Rainbow tables trade computational time for storage space: the table is computed once and then used to crack hashes instantly. A rainbow table for common passwords using MD5 or SHA-1 can crack most weak passwords in seconds. Salt-based hashing defeats rainbow tables entirely: since each user's password is salted with a unique random value before hashing, an attacker would need a separate rainbow table for each salt value, which is computationally infeasible.

Adding a unique, randomly generated value (the "salt") to each user's password before applying the hash function. Salts prevent rainbow table attacks (since each hash is unique even for identical passwords) and make dictionary attacks more expensive (each guess must be hashed with each user's unique salt). Salts are stored alongside the hash in the database — their security value comes from uniqueness, not secrecy (compare with peppers). Modern password hashing algorithms like bcrypt and Argon2 handle salt generation automatically.

Members of the SHA (Secure Hash Algorithm) family. SHA-1 produces 160-bit digests and is now considered broken for security purposes — collision attacks are practical. SHA-256 (part of SHA-2) produces 256-bit digests and remains cryptographically secure. Neither SHA-1 nor SHA-256 is suitable for password hashing (they are too fast, making brute-force attacks feasible); use bcrypt, Argon2, or scrypt instead. SHA-1 is still used in HIBP's k-anonymity implementation for password breach checking (not for security but for compatibility with existing breach databases).

An attack where an attacker convinces a mobile carrier to transfer a victim's phone number to a SIM card controlled by the attacker, allowing them to intercept SMS messages and calls. This defeats SMS-based two-factor authentication: once the attacker has the victim's phone number, they can receive SMS one-time codes and reset passwords. High-profile SIM swap victims have included Twitter CEO Jack Dorsey and various cryptocurrency investors. Protection: use authenticator apps (TOTP) or hardware security keys instead of SMS 2FA, and add a carrier PIN to prevent unauthorized SIM changes.

An authentication scheme that allows users to log in once with a single set of credentials to access multiple related applications. SSO reduces password fatigue (users need fewer passwords) and centralizes authentication, making it easier to enforce strong password policies. Enterprise SSO typically uses SAML or OpenID Connect (OIDC) protocols. "Login with Google" / "Login with Apple" are consumer SSO implementations. The risk: if the central SSO account is compromised, all linked services are affected; strong MFA on the SSO account is critical.

Psychological manipulation of people into performing actions or divulging confidential information. In credential security, the most common forms are phishing (fraudulent emails), pretexting (fabricated scenarios to gain trust), vishing (voice/phone phishing), and baiting (physical USB drops). Social engineering exploits human psychology rather than technical vulnerabilities. Security awareness training, verification procedures, and a culture of skepticism are the primary defenses. Technical controls (FIDO2, email authentication) can reduce the effectiveness of some social engineering attacks.

A web security vulnerability where an attacker inserts malicious SQL code into a query, potentially exposing, modifying, or deleting database records. In the context of password security, SQL injection is a primary mechanism for stealing password databases. A vulnerable login form might allow an attacker to bypass authentication entirely, or dump the entire users table including password hashes. Parameterized queries/prepared statements, input validation, and WAFs prevent SQL injection. OWASP consistently ranks SQL injection among the top web application vulnerabilities.

Encryption where the same key is used for both encryption and decryption. AES-256 is the dominant symmetric algorithm. Symmetric encryption is extremely fast and suitable for encrypting large amounts of data (disk encryption, password vault contents). The key distribution problem — how to securely share the key with authorized recipients — is solved using asymmetric cryptography (e.g., RSA or ECDH key exchange), combining the efficiency of symmetric encryption with the key management benefits of asymmetric cryptography.

Time-Based One-Time Password: A type of two-factor authentication that generates a temporary 6–8 digit code based on the current time and a shared secret key, typically refreshing every 30 seconds. Defined in RFC 6238. TOTP is implemented by authenticator apps (Google Authenticator, Authy, Aegis). More secure than SMS 2FA (no SIM swap vulnerability) but still phishable through real-time phishing proxies. Hardware security keys (FIDO2) are more phishing-resistant. TOTP codes should never be shared with anyone who calls or emails asking for them.

See MFA. Specifically, authentication using exactly two factors from the categories: knowledge (password), possession (device/key), and inherence (biometrics). Common implementations: password + authenticator app code (TOTP), password + hardware key (FIDO2), or password + SMS code. 2FA is one of the single most impactful security steps individuals can take — Microsoft's research found that 99.9% of automated account takeover attacks are blocked by 2FA.

A vulnerability where a web application reveals whether a username exists in the system through different error messages, response times, or other observable differences. For example, "That username doesn't exist" vs "Wrong password" enables an attacker to confirm which usernames are valid targets. Secure implementations return identical responses regardless of whether the username exists: "Invalid username or password." Username enumeration assists credential stuffing and targeted brute-force attacks.

In password management, the encrypted container that stores all your passwords, notes, and sensitive data, protected by your master password. Vault encryption typically uses AES-256-GCM. Zero-knowledge vault architectures ensure the encryption key is derived from the master password on-device, so the provider never has access to the vault contents. Well-known vault implementations: Bitwarden (open source), 1Password (travel mode for border crossings), KeePassXC (local file, maximum control).

Web Authentication API: A W3C standard and browser API that enables passwordless authentication using asymmetric cryptography. WebAuthn allows websites to register and authenticate users using authenticators (hardware security keys like YubiKey, or built-in platform authenticators like Face ID/Touch ID/Windows Hello). WebAuthn credentials are phishing-resistant because they are cryptographically bound to the specific origin (domain), making them useless on phishing sites. WebAuthn is one of two components of FIDO2 (alongside CTAP2).

A cryptographic method by which one party (the prover) can prove to another party (the verifier) that they know a specific value without conveying any information about the value itself. In password managers, "zero-knowledge architecture" means the service provider cannot access your passwords — only you hold the encryption key derived from your master password. Even if the company is compelled by law enforcement or suffers a breach, your passwords remain protected. Examples: Bitwarden, 1Password, ProtonPass.

A security model based on the principle "never trust, always verify" — assuming that threats can exist both outside and inside the network perimeter, so every access request must be authenticated, authorized, and continuously validated regardless of origin. In password security, zero trust principles mean: verify identity strongly (MFA required), grant minimum necessary access (least privilege), monitor all access continuously, and assume breach (design systems as if they're already compromised). Zero Trust is defined in NIST SP 800-207 and has been adopted as U.S. federal government policy.

Advanced Encryption Standard avec une clé de 256 bits — l'algorithme de chiffrement symétrique standard utilisé par les gestionnaires de mots de passe pour chiffrer vos données. À ce jour, impossible à craquer par force brute avec les capacités informatiques actuelles ou prévisibles.

Tentative systématique de chaque combinaison possible de mots de passe jusqu'à trouver la bonne. Des mots de passe plus longs et plus complexes rendent les attaques par force brute pratiquement impossibles.

Processus de vérification de l'identité d'un utilisateur tentant d'accéder à un système. Les méthodes comprennent : mots de passe, biométrie, tokens de sécurité, et passkeys.

Authentification utilisant des caractéristiques physiques ou comportementales uniques : empreinte digitale, reconnaissance faciale, rétine, voix. Utilisée avec les passkeys pour une authentification locale sécurisée sans transmettre de données biométriques au serveur.

Incidents de sécurité où des données confidentielles sont consultées sans autorisation. Les violations de mots de passe exposent souvent des centaines de millions d'identifiants qui peuvent être utilisés dans des attaques de credential stuffing.

Attaque automatisée testant des paires nom d'utilisateur/mot de passe volées de violations de données sur d'autres services. Exploite la réutilisation des mots de passe — si vous utilisez le même mot de passe partout, une seule violation compromise tous vos comptes.

Méthode de communication où seuls les utilisateurs communicants peuvent lire les messages. Dans les gestionnaires de mots de passe, E2EE signifie que vos mots de passe sont chiffrés sur votre appareil avant envoi aux serveurs du fournisseur.

Type d'attaque par force brute utilisant une liste de mots courants, de phrases et de variantes connues. Efficace contre les mots de passe faibles. Les mots de passe générés aléatoirement y sont imperméables.

Mesure de l'imprévisibilité ou de l'aléatoire d'un mot de passe — plus l'entropie est élevée, plus le mot de passe est fort. Exprimée en bits. Un mot de passe de 256 bits d'entropie est pratiquement incassable.

Standards techniques développés par la FIDO Alliance permettant l'authentification sans mot de passe. Base technologique des passkeys. Utilise la cryptographie à clé publique pour une sécurité forte sans partager de secrets avec le serveur.

Attaque sociale tentant de voler des identifiants en imitant des sites légitimes. Les passkeys et les clés de sécurité matérielles résistent par conception au hameçonnage car ils vérifient cryptographiquement le domaine du site.

Transformation d'un mot de passe en une chaîne de caractères de longueur fixe via une fonction à sens unique. Les sites web stockent les hachages des mots de passe plutôt que les mots de passe en clair. La qualité du hachage (bcrypt, Argon2 vs. MD5, SHA-1) détermine la résistance aux craquages.

Service créé par Troy Hunt indexant les violations de données pour permettre aux utilisateurs de vérifier si leur e-mail ou mot de passe a été compromis. Notre outil utilise l'API HIBP avec le modèle k-anonymat pour des vérifications sécurisées.

Technique de confidentialité permettant de vérifier si un mot de passe apparaît dans des violations de données sans révéler le mot de passe complet. Seul un préfixe de 5 caractères du hash SHA-1 est envoyé — le serveur renvoie tous les hashs commençant par ce préfixe pour vérification locale.

Logiciel malveillant enregistrant les frappes pour capturer les mots de passe. Les gestionnaires de mots de passe avec auto-remplissage du navigateur contournent les keyloggers car les mots de passe ne sont pas tapés manuellement.

Nécessité de plusieurs formes de vérification pour accéder à un compte : quelque chose que vous connaissez (mot de passe), quelque chose que vous possédez (téléphone, clé matérielle), quelque chose que vous êtes (biométrie). Le MFA peut bloquer jusqu'à 99,9 % des attaques automatisées.

Le seul mot de passe que vous devez mémoriser lors de l'utilisation d'un gestionnaire de mots de passe. Il chiffre et déchiffre votre coffre de mots de passe. Doit être long, unique et mémorisable (phrase secrète recommandée).

Identifiant numérique cryptographique remplaçant les mots de passe traditionnels. Utilise la cryptographie à clé publique — la clé privée reste sur l'appareil, protégée par biométrie ou PIN. Résistant au hameçonnage par conception car lié cryptographiquement au domaine spécifique.

Mot de passe composé de plusieurs mots aléatoires (ex. : « soleil-papier-cheval-montagne »). Plus longue et plus mémorisable que les mots de passe traditionnels, avec une entropie élevée. Recommandée par le NIST pour les mots de passe maîtres.

Application sécurisée générant, stockant et remplissant des mots de passe forts et uniques pour chaque compte. Protège par chiffrement AES-256 et nécessite généralement uniquement un mot de passe maître. Options : Bitwarden (open source), 1Password, Dashlane, KeePass.

Table précalculée de hachages utilisée pour craquer des mots de passe hachés. Efficace contre les implémentations de hachage sans salage (comme SHA-1 sans sel de LinkedIn). Inefficace contre les algorithmes modernes comme bcrypt, scrypt, ou Argon2 qui utilisent le salage.

Pratique dangereuse consistant à utiliser le même mot de passe sur plusieurs sites. Une seule violation suffit à compromettre tous les comptes partageant ce mot de passe via des attaques de credential stuffing.

Fraude où un criminel convainc un opérateur téléphonique de transférer votre numéro sur sa SIM, interceptant vos SMS 2FA. Solution : utiliser une application d'authentification (Authy) ou une clé matérielle plutôt que le 2FA par SMS.

Mécanisme permettant aux utilisateurs d'accéder à plusieurs applications avec un ensemble d'identifiants. « Se connecter avec Google/Apple/Facebook » est du SSO. Pratique mais signifie qu'une violation du fournisseur SSO affecte tous les services liés.

Code valide une seule fois pour une durée limitée (généralement 30 secondes), généré par une application d'authentification. Standard TOTP utilisé par Google Authenticator, Authy et intégré dans la plupart des services 2FA.

Conception où le fournisseur de service ne peut pas accéder à vos données même s'il le souhaitait — la clé de chiffrement est dérivée uniquement de votre mot de passe maître et reste sur vos appareils. Bitwarden, 1Password et ProtonPass utilisent tous l'architecture zéro connaissance.

Modèle de sécurité basé sur « ne jamais faire confiance, toujours vérifier ». Dans la sécurité des mots de passe : vérification forte de l'identité (MFA requis), accès minimum nécessaire, surveillance continue et conception pour la résilience aux violations.