Quiz Entry - updated: 2026.07.14
What are the main weaknesses of plain "username + password" authentication, and what mitigations help?
It's a shared secret — both you and the server know it — so it can be phished, guessed, or stolen in a server breach; mitigations include hashing, rate-limiting, and not reusing it.
How it works: the app stores a username→password table and checks for a match. The problems:
| Weakness | Mitigation |
|---|---|
| Server stores passwords → breach leaks them | Store hashed (ideally salted) passwords, never plaintext |
| Brute-force / guessing | Rate limiting on the login interface |
| Phishing — user tricked into typing it on a fake site | user awareness; doesn't fully solve it |
| Password reuse across sites | password manager, unique passwords |
The fundamental flaw: it's a shared secret. Two copies exist (user + server), so there are two places to steal it from, and the user can be tricked into revealing it. Even hashing the password before sending only narrows, not closes, the gap.
Tip: Every password weakness traces back to "two parties know the same secret." That's the flaw passkeys eliminate.