Password & authentication glossary
32 factual definitions — from AES-256 to zero-knowledge — to understand password security and authentication.
32 terms — 7 categories
Fundamentals
- Password manager
- Application that generates, stores and auto-fills passwords inside an encrypted vault. Only the master password unlocks the vault locally; the encrypted blob is synced to the server (zero-knowledge model).
- Vault
- Encrypted database holding all credentials, secure notes and payment cards. The vault is encrypted client-side before any sync: the server only ever sees ciphertext.
- Open source
- Software whose source code is publicly auditable. For a password manager, open source lets independent researchers verify the cryptographic implementation. Bitwarden and KeePassXC are fully open source.
- Master password
- The single password a user must memorise. It derives the encryption key through a KDF (PBKDF2 or Argon2id) and never leaves the device in raw form.
Encryption
- Zero-knowledge
- Architecture in which the service provider cannot read the user's data. The decryption key is derived locally from the master password: only the user has access to it.
- AES-256
- Symmetric encryption standard with a 256-bit key (Advanced Encryption Standard). Adopted by NIST in 2001, with a comfortable margin against Grover's quantum attack. Used by Bitwarden, 1Password and most password managers.
- XChaCha20-Poly1305
- Authenticated encryption algorithm (AEAD) combining XChaCha20 encryption and Poly1305 MAC. Used by NordPass and Signal. Offers superior performance on devices lacking hardware AES acceleration.
- E2EE (end-to-end encryption)
- Encryption where only the two communicating parties can read the data. In a password manager, E2EE ensures the server only ever sees encrypted blobs, never plaintext.
Passwords
- Entropy (bits)
- Measure of a password's unpredictability in bits. Each additional bit doubles the attacker's search space. Formula: L × log2(N), where L is the length and N the alphabet size. NIST target: 60 to 80 bits for personal accounts.
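An added worked example of the entropy formula above (not code from the glossary or from any product it names): it computes L × log2(N), infers N from the character classes present in a generated password, and converts bits into expected guessing work so the effect of a slow KDF is visible. The character-class sizes and the guess rates are this example's own assumptions; the estimate is only meaningful for uniformly random (generator-produced) passwords, not for human-chosen ones.

```python
import math

# Standard ASCII class sizes (assumption of this example: a generator draws uniformly from them)
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33   # 33 = printable punctuation plus space


def entropy_bits(length: int, alphabet_size: int) -> float:
    """The glossary's formula: L * log2(N) for a uniformly random password."""
    if length <= 0 or alphabet_size <= 1:
        return 0.0
    return length * math.log2(alphabet_size)


def alphabet_size_of(password: str) -> int:
    """Infer N from the classes actually present. Upper bound: valid only if every
    position was drawn uniformly from that alphabet, which is true for generator
    output and false for words or patterns such as Summer2024!."""
    n = 0
    if any(c.islower() for c in password):
        n += LOWER
    if any(c.isupper() for c in password):
        n += UPPER
    if any(c.isdigit() for c in password):
        n += DIGITS
    if any(not c.isalnum() for c in password):
        n += SYMBOLS
    return n


def estimated_entropy(password: str) -> float:
    """Bits for a generated password, using its length and inferred alphabet."""
    return entropy_bits(len(password), alphabet_size_of(password))


def expected_seconds_to_crack(bits: float, raw_hash_rate: float, kdf_cost: int = 1) -> float:
    """Average time to find a random secret of the given entropy.

    raw_hash_rate: underlying hash evaluations per second available to a guesser (assumed).
    kdf_cost:      hash evaluations the KDF spends per password guess (e.g. PBKDF2 iterations),
                   which divides the effective guess rate. Half the keyspace is searched on average.
    """
    guesses_per_second = raw_hash_rate / kdf_cost
    return (2 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    for pw in ("correcthorse", "Summer2024!", "g7#Kp2$vLq9!mZ4w"):
        print(f"{pw:20s} N={alphabet_size_of(pw):3d} bits={estimated_entropy(pw):6.1f}")
    # Same 40-bit secret, with and without a 600,000-iteration KDF in front of it
    print(expected_seconds_to_crack(40, 1e9), expected_seconds_to_crack(40, 1e9, kdf_cost=600_000))
```

The last two lines of the script show why the KDF entries later in this glossary matter: the iteration count multiplies the work per guess, so it buys the same protection as extra bits of entropy without the user having to memorise anything longer.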
KDF
- PBKDF2
- Password-Based Key Derivation Function 2. Applies a pseudo-random function (typically HMAC-SHA256) thousands of times to slow brute-force attacks. Bitwarden uses 600,000 iterations (OWASP 2023 threshold).
- Argon2id
- Winner of the Password Hashing Competition (2015). Combines memory-hardness (Argon2i) and GPU resistance (Argon2d). Recommended default mode for master password key derivation. Used by Bitwarden (option) and NordPass.
- Salt
- Random value added to a password before hashing. Prevents rainbow-table attacks and ensures identical passwords produce different hashes. Generated via a CSPRNG and stored in plaintext alongside the hash.
- Hash (cryptographic)
- One-way transformation of data into a fixed-length digest. A good hash algorithm (SHA-256, Argon2id) is deterministic, non-invertible and collision-resistant. Not to be confused with encryption, which is reversible.
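An added example for the PBKDF2 and salt entries above (not the glossary's code nor any vendor's implementation): it stretches a master password with the standard library's PBKDF2-HMAC-SHA256 at the 600,000-iteration count cited in the PBKDF2 entry, stores a fresh CSPRNG salt in the clear beside the digest, verifies in constant time, and flags records that were produced with a lower iteration count so they can be upgraded. The `algorithm$iterations$salt$digest` record layout is this example's own convention. Argon2id is not in the Python standard library, so it is not shown here; the same record-and-rehash pattern applies to it.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 count the glossary cites (Bitwarden / OWASP 2023)
SALT_BYTES = 16        # 128-bit random salt, unique per password
KEY_BYTES = 32         # 256-bit output, sized to key AES-256


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the password into a fixed-length key with the stdlib PBKDF2 implementation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)


def hash_password(password: str) -> str:
    """Create a self-describing record: algorithm$iterations$salt$digest (hex fields).
    The salt is generated with a CSPRNG and stored in plaintext alongside the digest,
    so the same password yields a different record every time."""
    salt = os.urandom(SALT_BYTES)
    digest = derive_key(password, salt)
    return f"pbkdf2-sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare without early exit."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2-sha256":
            return False
        candidate = derive_key(password, bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:          # malformed record (wrong field count, bad hex, bad int)
        return False


def needs_rehash(record: str, target_iterations: int = ITERATIONS) -> bool:
    """True when a stored record predates the current cost policy; re-hash it at next login,
    which is the only moment the plaintext is available to do so."""
    algo, iters, *_ = record.split("$")
    return algo != "pbkdf2-sha256" or int(iters) < target_iterations


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))   # True
    print(verify_password("Correct horse battery staple", rec))   # False
    print(needs_rehash("pbkdf2-sha256$100000$00$00"))            # True: below current policy
```

Because the iteration count lives inside each record, raising `ITERATIONS` later does not invalidate existing users: `verify_password` still honours the old count, and `needs_rehash` tells the application which records to upgrade.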
Authentication
- Passkey
- FIDO2 credential consisting of an asymmetric key pair. The private key stays on the device; the server only stores the public key. Eliminates passwords and is natively phishing-resistant. Syncable across devices via a manager (e.g. Bitwarden, NordPass).
- FIDO2 / WebAuthn
- Open standard by the FIDO Alliance and W3C for strong passwordless authentication. WebAuthn is the browser API; CTAP2 is the protocol between the platform and an authenticator (hardware key, biometrics). The technical foundation of passkeys.
- TOTP (Time-based One-Time Password)
- 6-digit code generated every 30 seconds via HMAC-SHA1 and the current time (RFC 6238). Standard used by Google Authenticator, Authy and Bitwarden Authenticator. Resistant to replay attacks but vulnerable to real-time phishing.
- HOTP (HMAC-based One-Time Password)
- TOTP variant based on a counter rather than time (RFC 4226). The code changes on each use, not every 30 seconds. Used in some hardware keys such as YubiKey in OTP mode.
- 2FA / MFA (multi-factor authentication)
- Mechanism combining at least two factors: something you know (password), something you have (phone, hardware key) or something you are (biometrics). 2FA is the minimal two-factor case. Drastically reduces compromise risk from credential stuffing.
- Hardware key
- Physical device (YubiKey, Google Titan) storing a private key in a secure chip and signing FIDO2 challenges. The highest MFA security level: the private key never leaves the hardware, immunising against remote phishing.
- Biometrics
- Authentication factor based on a physical characteristic (fingerprint, facial recognition). In password managers, biometrics unlock vault access without re-entering the master password, but do not replace the encryption key.
- Recovery code
- Single-use code generated when enabling MFA. Allows regaining account access if the second factor is lost. Must be kept offline in a safe location. Is itself an attack vector if compromised.
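An added example for the TOTP and HOTP entries above (not code from the glossary or from any authenticator app): HOTP per RFC 4226 with HMAC-SHA1 and dynamic truncation, TOTP per RFC 6238 as HOTP over `floor(time / 30)`, and a server-side verifier that tolerates one step of clock skew and refuses to accept a time step twice, which is the replay resistance the TOTP entry mentions. The test values are the published RFC 4226 / RFC 6238 vectors for the ASCII secret `12345678901234567890`; the skew window and the verifier class are this example's own choices.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check. Accepts codes from the current step and +-skew_steps neighbours
    (clock drift), but remembers the highest step already consumed so a captured code
    cannot be replayed. It cannot tell whether the code was typed by the user or relayed
    by a phishing proxy in real time: nothing here binds the code to a site origin."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew_steps: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew = skew_steps
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        if not (code.isdigit() and len(code) == self.digits):
            return False
        current = unix_time // self.step
        for candidate in range(current - self.skew, current + self.skew + 1):
            if candidate <= self.last_accepted_step:
                continue                                      # already used or older: replay
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"                          # RFC test-vector secret
    print(hotp(secret, 0), totp(secret, 59, digits=8))         # 755224 94287082
    now = int(time.time())
    v = TotpVerifier(secret)
    code = totp(secret, now)
    print(v.verify(code, now), v.verify(code, now))           # True False (replay refused)
```

Real authenticator apps store the shared secret base32-encoded (the `otpauth://` URI format); decoding that with `base64.b32decode` before calling `totp` is the only extra step.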
Attacks
- Phishing
- Social engineering attack impersonating a legitimate site or service to capture credentials or OTPs. Passkeys and FIDO2 hardware keys are natively phishing-resistant because they cryptographically bind authentication to the site origin.
- Credential stuffing
- Automated attack testing username/password pairs from data breaches against other services. Exploits password reuse. A manager generating unique passwords per site eliminates this vector.
- Brute force
- Attack exhaustively testing all possible password combinations. Resistance depends on entropy and the computation cost imposed by the KDF. A 16-character random password (95+ bits) is beyond reach even for modern GPUs.
- Dictionary attack
- Brute-force variant testing common words, variations (p@ssw0rd, Summer2024!) and dictionary combinations first. Tools like Hashcat and John the Ripper embed mutation rules covering millions of patterns per second.
- Data breach
- Security incident where authentication data (hashed or plaintext passwords, emails) is exfiltrated from a database. The 2022 LastPass breach exposed encrypted vaults of millions of users, highlighting the importance of a strong master password.
- Have I Been Pwned (HIBP)
- Troy Hunt's service indexing 900 million+ compromised passwords from known breaches. The k-anonymity API allows checking whether a password appears in the database without sending it in plaintext: only the first 5 characters of the SHA-1 hash are transmitted.
- Keylogger
- Software or hardware recording all keystrokes. Bypassed by password manager auto-fill (passwords are never typed) and passkeys (no text input required).
- Session hijacking
- Attack capturing a valid session cookie to impersonate an authenticated user. Occurs via network sniffing, XSS or cookie theft. Password managers do not directly protect against this post-login vector.
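An added example of the k-anonymity check described in the Have I Been Pwned entry (not the glossary's code and not HIBP's own client): the client hashes the password with SHA-1, sends only the first 5 hex characters, receives every suffix in that range with its breach count, and matches the remaining 35 characters locally. The range response here is constructed for this example, with made-up counts; a real integration replaces `offline_range_lookup` with an HTTPS GET to `https://api.pwnedpasswords.com/range/<prefix>`, whose body has the same `SUFFIX:COUNT` line format.

```python
import hashlib
from typing import Callable

# Constructed range body for prefix 5BAA6 (the prefix of SHA-1("password")).
# Counts are invented for this example; the format mirrors the real API's SUFFIX:COUNT lines.
CONSTRUCTED_RANGES = {
    "5BAA6": "\n".join([
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3",   # suffix of SHA-1("password")
        "1F5E98FE9AE0CB4A3D9A6C2B5C9B7D0E1A4:1",
    ]),
}


def offline_range_lookup(prefix: str) -> str:
    """Stand-in for the network call. Only a 5-character prefix ever reaches this boundary."""
    assert len(prefix) == 5 and all(c in "0123456789ABCDEF" for c in prefix)
    return CONSTRUCTED_RANGES.get(prefix, "")


class RecordingLookup:
    """Wraps a lookup and records what was transmitted, to show that nothing beyond
    the prefix leaves the client."""

    def __init__(self, inner: Callable[[str], str]):
        self.inner = inner
        self.sent = []

    def __call__(self, prefix: str) -> str:
        self.sent.append(prefix)
        return self.inner(prefix)


def pwned_count(password: str, range_lookup: Callable[[str], str] = offline_range_lookup) -> int:
    """Return how many times the password appears in the breach corpus (0 if absent).
    The full hash never leaves the client: the server learns a 5-hex prefix shared by
    every password whose SHA-1 starts the same way, and the suffix match happens locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count.strip())
    return 0


if __name__ == "__main__":
    lookup = RecordingLookup(offline_range_lookup)
    print(pwned_count("password", lookup), lookup.sent)   # 3 ['5BAA6']
```

A password manager can run this at generation time and on vault import to warn about credentials already present in public breaches, without ever transmitting the password or its full hash.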
Enterprise
- SSO (Single Sign-On)
- Protocol letting a user authenticate once to access multiple applications. Based on SAML 2.0 or OIDC/OAuth 2.0. Enterprise managers (Bitwarden, 1Password, Keeper) integrate with IdPs (Okta, Azure AD, Google Workspace).
- SCIM
- System for Cross-domain Identity Management (RFC 7643/7644). REST API protocol automating user account provisioning and deprovisioning in a password manager from an IdP. Eliminates orphaned accounts when employees leave.
- Self-hosting
- Hosting a service on your own servers rather than the provider's cloud. Bitwarden and Vaultwarden (open-source fork) are the main self-hostable managers. Gives full data sovereignty at the cost of infrastructure responsibility.