Add a guide on password-based authentication

[wbamberg]

Adds a guide on password-based authentication. Part of https://docs.google.com/document/d/1miZbXVjs070J2HH0rsDxqPnUaqNtPP51Uo8d4FU6PTk/edit?tab=t.0#heading=h.kbs51irq6pyz.

[github-actions]

[markdownlint] _{reported by reviewdog 🐶}
MD040/fenced-code-language Fenced code blocks should have a language specified [Context: "```"]

[github-actions]

Preview URLs

• /en-US/docs/Web/Security/Authentication/Passwords

Flaws (2)

URL: /en-US/docs/Web/Security/Authentication/Passwords
Title: Passwords
Flaw count: 2

• broken_links:
  • Can't resolve /en-US/docs/Web/Security/Authentication/OTP
  • Can't resolve /en-US/docs/Web/Security/Authentication/Passkeys

External URLs (18)

URL: /en-US/docs/Web/Security/Authentication/Passwords
Title: Passwords

• https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html (1 time) (Note! This may be a new URL 👀)
• https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html (1 time) (Note! This may be a new URL 👀)
• https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html (1 time) (Note! This may be a new URL 👀)
• https://docs.djangoproject.com/en/5.0/topics/auth/passwords/ (1 time) (Note! This may be a new URL 👀)
• https://en.wikipedia.org/wiki/Argon2 (1 time) (Note! This may be a new URL 👀)
• https://en.wikipedia.org/wiki/Bcrypt (1 time) (Note! This may be a new URL 👀)
• https://en.wikipedia.org/wiki/PBKDF2 (1 time) (Note! This may be a new URL 👀)
• https://en.wikipedia.org/wiki/Rainbow_table (1 time) (Note! This may be a new URL 👀)
• https://en.wikipedia.org/wiki/Scrypt (1 time) (Note! This may be a new URL 👀)
• https://github.com/zxcvbn-ts/zxcvbn (1 time) (Note! This may be a new URL 👀)
• https://haveibeenpwned.com (1 time) (Note! This may be a new URL 👀)
• https://haveibeenpwned.com/API/v3 (1 time) (Note! This may be a new URL 👀)
• https://hidde.blog/making-password-managers-play-ball-with-your-login-form/ (1 time) (Note! This may be a new URL 👀)
• https://pages.nist.gov/800-63-3/sp800-63b.html (1 time) (Note! This may be a new URL 👀)
• https://web.dev/articles/sign-in-form-best-practices (1 time) (Note! This may be a new URL 👀)
• https://www.chromium.org/developers/design-documents/create-amazing-password-forms/ (1 time) (Note! This may be a new URL 👀)
• https://www.troyhunt.com/everything-you-ever-wanted-to-know/ (1 time) (Note! This may be a new URL 👀)
• https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/ (1 time) (Note! This may be a new URL 👀)

(comment last updated: 2025-10-20 21:32:48)

[chrisdavidmills]

Very nice article @wbamberg; nicely written, and I found it interesting.

I've got a bunch of nitpicks for you to sift through, but nothing major.

[chrisdavidmills]

Suggested change

	1. The user supplies a new username and password, for example by entering it in a {{htmlelement("form")}} element in the website.
	1. The user supplies a new username and password, for example, by entering it in a {{htmlelement("form")}} element in a website.

[chrisdavidmills]

Just a heads-up that these images aren't displaying in the live preview. If they are OK in your local environment, I'm sure all is good.

[chrisdavidmills]

Would it be worth adding a fourth point along the lines of "If the passwords match, the user is signed in"?

[chrisdavidmills]

Consistency: in the previous troyhunt.com link, you name the author in the link text.