Password Management

Proper password management is one of the fundamental pillars of modern cybersecurity, yet it remains one of the weakest links in most organizations due to the natural human tendency to create weak passwords, reuse them across multiple services, and store them insecurely. Studies show that more than 80% of data breaches involve compromised credentials, whether through credential stuffing attacks using passwords leaked from other services, phishing that captures credentials directly from users, or brute force against weak and predictable passwords. The complexity of the problem increases exponentially in corporate environments where users must manage dozens of different credentials for internal systems, SaaS applications, VPNs, servers, and administrative accounts, inevitably leading to insecure practices such as writing passwords on sticky notes, unprotected spreadsheets, or reusing the same password across all systems. This article presents a comprehensive approach to corporate and personal password management, covering complexity and rotation policies based on evidence, implementation and selection of enterprise password managers, migration strategies to multi-factor authentication (MFA), prevention of automated attacks through rate limiting and CAPTCHA, monitoring of leaked credentials through threat intelligence services, and ongoing user education on password hygiene, building a robust defense against one of the attack vectors most exploited by adversaries.

Challenges in Password Management

  • Weak passwords: 123456, password, name+year still extremely common
  • Reuse: The same password across multiple services amplifies the impact of breaches
  • Insecure storage: Sticky notes, spreadsheets, emails, browsers without a master password
  • Password fatigue: Users must manage 50-100+ credentials
  • Insecure sharing: Sharing passwords via Slack, email, SMS

Effective Password Policies

NIST Guidelines (Updated)

NIST SP 800-63B Recommendations:

  • [OK] Minimum 8 characters (12+ recommended)
  • [OK] Allow up to 64+ characters
  • [OK] Accept all characters including spaces
  • [OK] No forced complexity requirements (uppercase, symbols)
  • [OK] No mandatory periodic rotation (only if compromised)
  • [OK] Check against a list of leaked passwords
  • [OK] Allow paste (makes password managers easier to use)
  • [OK] Offer a visual strength meter
  • [X] Do not use hints or security questions
  • [X] Do not force periodic changes without reason

Entropy vs Complexity

      # Complex but weak password (low entropy):
      P@ssw0rd!   # ~28 bits entropy
      # Predictable, common pattern
      # Simple but strong passphrase (high entropy):
      correct horse battery staple   # ~44 bits entropy
      # Longer, less predictable
      # Better: Passphrase + symbols
      correct-horse-battery-staple-2024   # ~52 bits entropy
      # Easy to remember, hard to crack
      

Password Managers

Password managers are the most effective solution for credential management, enabling unique and strong passwords for each service without memorization.

Enterprise Solutions

  • 1Password Business: Intuitive interface, shared vaults, Travel Mode
  • LastPass Enterprise: SSO integration, centralized policies
  • Bitwarden: Open-source, self-hosted option, compliance
  • Keeper: Zero-knowledge, compliance reporting, privileged access
  • Dashlane Business: Included VPN, dark web monitoring

Critical Features

  • Zero-knowledge architecture: The vendor cannot access passwords
  • End-to-end encryption: AES-256 or higher
  • SSO integration: SAML, OAuth for corporate login
  • Shared vaults: Secure sharing across teams
  • Audit logs: Tracking of access and changes
  • Emergency access: Delegation for disaster recovery
  • Compliance: SOC 2, ISO 27001, GDPR/LGPD

Protection Against Attacks

Brute Force Prevention

      # Rate limiting per IP
      - Max 5 attempts per minute
      - Progressive lockout: 1min, 5min, 15min, 1hour
      - CAPTCHA after 3 failures
      # Account lockout
      - Lock account after 10 failed attempts
      - Requires password reset or admin unlock
      - Notify user via email/SMS
      # IP blacklisting
      - Block IPs with an attack pattern
      - Integrate with threat intelligence feeds
      - Whitelist for known corporate IPs
      

Credential Stuffing Defense

  • Mandatory MFA: Invalidates leaked credentials without a 2nd factor
  • Breach monitoring: HaveIBeenPwned API, SpyCloud
  • Anomaly detection: Login from unusual geolocation, new device
  • Bot detection: reCAPTCHA, behavioral analysis
  • Session management: Invalidate old sessions on login

MFA Implementation

      # MFA methods by strength (from most to least secure)
      1. Hardware tokens (FIDO2/WebAuthn - YubiKey)
      - Phishing-resistant
      - No SMS/email interception
      2. Authenticator apps (TOTP)
      - Google Authenticator, Microsoft Authenticator
      - Offline, more secure than SMS
      3. Push notifications
      - Duo Push, Microsoft Authenticator Push
      - Convenient but susceptible to MFA fatigue
      4. SMS (avoid if possible)
      - SIM swapping attacks
      - Interception possible
      - Better than nothing, but not ideal
      

Monitoring Leaked Credentials

      # HaveIBeenPwned API Integration
      import requests
      def check_password_breach(password):
      # SHA-1 hash
      sha1 = hashlib.sha1(password.encode()).hexdigest().upper()
      prefix = sha1[:5]
      suffix = sha1[5:]
      # k-Anonymity: Only the prefix is sent
      url = f"https://api.pwnedpasswords.com/range/"
      response = requests.get(url)
      # Check if suffix in results
      for line in response.text.split('\n'):
      hash_suffix, count = line.split(':')
      if hash_suffix == suffix:
      return True, int(count)
      return False, 0
      # Force reset if the password is compromised
      is_pwned, count = check_password_breach(user_password)
      if is_pwned:
      force_password_reset(user)
      notify_user(f"Password appears in  breaches")
      

Service Accounts & API Keys

  • Secrets management: HashiCorp Vault, AWS Secrets Manager
  • Automatic rotation: Scripted rotation of API keys/passwords
  • Least privilege: Minimum necessary permissions
  • Audit trail: Log of access to secrets
  • Expiration: Keys with TTL, revocation on offboarding

User Education

  • Mandatory training during onboarding
  • Periodic phishing simulations
  • Password manager adoption campaign
  • Clear communication about policies
  • Rewards for good practices (gamification)

Final Recommendations

Implement a mandatory corporate password manager (1Password, Bitwarden) with centralized policies. Enable universal MFA - TOTP apps for users, hardware tokens for admins. Monitor credentials against HaveIBeenPwned and force resets proactively. Adopt NIST policies: long passwords without forced rotation, verification against breach databases. Phase out SMS MFA gradually, migrate to TOTP/FIDO2.