# Password-based auth

## Password security

A password is more secure if it is harder to guess or brute-force. In theory, a password is harder to guess if it is longer. It is also harder to guess if it uses a larger set of characters (for example, digits, lowercase and uppercase letters, and symbols).

This table shows the minimum number of guesses that need to be tried to access a user's account:

| Required characters                          | Length | Guesses          |
| -------------------------------------------- | ------ | ---------------- |
| Digits only                                  | 8      | ~ 2<sup>27</sup> |
| Digits and letters                           | 8      | ~ 2<sup>41</sup> |
| Digits, lower and uppercase letters          | 8      | ~ 2<sup>48</sup> |
| Digits, lower and uppercase letters, symbols | 8      | ~ 2<sup>52</sup> |

In reality though, passwords are not always generated at random. They often contain variations of names, words, dates, and common phrases. Malicious actors can use these properties to guess a password in fewer attempts.

There are hundreds of millions (and growing) known passwords out there. Malicious actors can use these lists of leaked passwords to automate login attempts (known as credential stuffing) and steal or access sensitive user data.

### Password strength and leaked password protection

To help protect your users, Openfort Auth sets strength constraints on the passwords used on your project.

* Set a large minimum password length. Anything less than 8 characters is not recommended.
* Set the required characters that must appear at least once in a user's password. Use the strongest option of requiring digits, lowercase and uppercase letters, and symbols.
* Prevent the use of leaked passwords. Openfort Auth uses the open-source [HaveIBeenPwned.org Pwned Passwords API](https://haveibeenpwned.com/Passwords) to reject passwords that have been leaked and are known by malicious actors.

:::note
Email authentication with global wallets
You only need to enable this toggle if you're developing a global wallet.

<div align="center">
  <img width="70%" height="70%" src="https://www.openfort.io/images/blog/email_ecosystem_0f56b82ca0.png" alt="Email authentication toggle in ecosystem settings" />
</div>

:::
