Troy Hunt avatar Troy Hunt

Passwords Evolved: Authentication Guidance for the Modern Era

Screenshot of “Passwords Evolved: Authentication Guidance for the Modern Era”

Great read about security and passwords, summarizing bet practices we've known for a while now, but unfortunately too few enterprises already follow.

There's a lot more to how authentication has evolved than just the rise and rise of credential stuffing though, many other aspects of how we logon to systems has also changed. In some cases, this has led to once-held "truths" about how we create and manage accounts to be totally flipped on their head, yet we still see modern organisations applying the patterns of yesterday to the threats of today. This post sets out to address this gap and talk about how we should be designing this critical part of our systems today.


there are passwords like this:

The ❄️ 🌟 🔦 ⚪ on the mountain 🌙 🌠. 🙅🏻 a👣 to 🐝 👀. A 🏰 of 😢, and it 👀 like☝️️ the 👑. The 💨 is 🐺 like this 🌀 ❄️ ☔️ 🏠. 🙅🏻 keep it in, ☁️ 💡 ☝️️ tried.

If someone really wants to have a password that's an emoji representation of the first verse of "Let It Go" from Frozen, good on 'em!


  1. screenshot of Making password managers play ball with your login form

    Hidde de Vries avatar Hidde de Vries

    Making password managers play ball with your login form

    Password managers are essential to secure internet usage, so making our login fields work with them is extremely important. This will mostly happen automatically if you follow best practices. The autocomplete attribute can make it easier for password managers to recognise your fields. Using hidden attributes can make password managers fail altogether. This can be hacked around, but I do not recommend doing so, unless absolutely necessary.