Password Management -- Tools, Policies & Multi-Factor Authentication
In this tutorial, you'll learn about Password Management. We cover key concepts, practical examples, and best practices.
Password management encompasses the tools, policies, and practices that secure user credentials -- from password managers that generate and store complex passwords to multi-factor authentication that prevents account takeover even when passwords leak.
What You'll Learn
You will learn to evaluate password managers, implement enterprise password policies, deploy MFA with TOTP and WebAuthn, and apply zero-knowledge architecture for credential storage.
Why It Matters
Verizon's 2017 Data Breach Investigations Report found that 81% of hacking-related breaches used stolen or weak passwords, and by common estimates the average user now has more than 100 online accounts. Proper password management removes credential reuse (so one breached site does not unlock the others), blunts credential stuffing, and, combined with phishing-resistant MFA such as WebAuthn, defeats credential phishing.
Real-World Use
A SaaS company enforces hardware security keys (WebAuthn) for all employees, reducing account takeover incidents from 14 per quarter to zero. Customer-facing accounts use TOTP MFA.
Password Manager Architecture
Password managers use zero-knowledge architecture -- the server never sees your master password or decrypted vault.
graph TD
A[Master Password] --> B[Derive Encryption Key via PBKDF2/Argon2]
B --> C[Encrypt Vault with AES-256-GCM]
C --> D[Sync Encrypted Blob to Server]
D --> E[Server Stores Encrypted Blob Only]
E --> F[Client Downloads and Decrypts Locally]
style A fill:#4a90d9,stroke:#fff,color:#fff
style F fill:#4a90d9,stroke:#fff,color:#fff
Enterprise Password Policy
{
  "minimumLength": 16,
  "requireUppercase": true,
  "requireLowercase": true,
  "requireNumbers": true,
  "requireSpecialChars": true,
  "expirationDays": null,
  "passwordHistory": 0,
  "failedAttemptLockout": 5,
  "lockoutDurationMinutes": 15,
  "mfaRequired": true,
  "mfaMethods": ["totp", "webauthn"]
}
Expected behavior: Passwords must be at least 16 characters with mixed character types, MFA is mandatory, and password expiration is disabled; modern guidance triggers a change only on evidence of compromise. One caveat: NIST SP 800-63B advises against composition rules such as requireUppercase, recommending instead a length minimum plus screening of every new password against breached-password lists and context-specific words (the user's name, e-mail, company). Treat the character-class flags as optional and the breach check as essential.
MFA Implementation: TOTP
Time-based One-Time Passwords (RFC 6238) are 6-digit codes computed as an HMAC over a shared secret and the current 30-second time step, so they change every 30 seconds without any communication between the authenticator and the server.
import pyotp
import qrcode

# Generate a per-user secret; pyotp's default is 32 base32 characters (160 bits)
secret = pyotp.random_base32()
print(f"Secret: {secret}")
# Output (the page's sample value; a real call returns a fresh 32-character string):
# Secret: JBSWY3DPEHPK3PXP

# Build the otpauth:// provisioning URI and render it as a QR code for enrolment
totp = pyotp.TOTP(secret)
uri = totp.provisioning_uri("user@example.com", issuer_name="DodaTech")
print(f"URI: {uri}")
# Output: otpauth://totp/DodaTech:user@example.com?secret=JBSWY3DPEHPK3PXP&issuer=DodaTech
qrcode.make(uri).save("totp-enrolment.png")

# Verify a code; valid_window=1 also accepts the previous and next 30-second
# step to tolerate clock drift between the phone and the server
code = input("Enter TOTP code: ")
is_valid = totp.verify(code, valid_window=1)
print(f"Valid: {is_valid}")
# pyotp keeps no state: to make each code single-use, store the time step
# (int(time.time()) // 30) of the last accepted code per user and reject
# anything at or before it
Expected behavior: The user scans the QR code with an authenticator app, which then generates rotating codes. The server must accept each code only once: pyotp's verify() is stateless, so the server records the time step of the last accepted code per user and rejects codes from that step or earlier, which blocks replay inside the 30-second window. Rate-limit attempts as well; a 6-digit code has only a million possible values.
Enterprise Single Sign-On Integration
SSO centralizes authentication and enforces consistent MFA policies across all applications.
# Keycloak realm configuration for SAML federation
realm: dodatech
enabled: true
clients:
  - clientId: internal-tools
    protocol: saml
    samlForcePostBinding: true
    samlNameIdFormat: email
    samlForceNameIdFormat: true
    defaultRoles:
      - user
    fineGrainSamlAttributeConfig:
      name: email
      friendlyName: Email
      samlAttributeNameFormat: basic
  - clientId: analytics-dashboard
    protocol: openid-connect
    standardFlowEnabled: true
    publicClient: false
    secret: ****
Expected behavior: Users authenticate once through Keycloak, which enforces MFA by adding a conditional OTP or WebAuthn step to the browser authentication flow. All connected applications receive SAML assertions or OpenID Connect tokens carrying the verified identity; none of them handles passwords or MFA itself. Keycloak imports and exports realm definitions as JSON, so translate this YAML into that format before loading it.
WebAuthn / Passkeys
WebAuthn uses public-key cryptography for phishing-resistant authentication.
// WebAuthn registration (browser API)
// serverChallenge (assumed here) is a random value fetched from the server for
// this ceremony; a fixed or all-zero challenge such as new Uint8Array(32) gives
// the server no way to detect a replayed registration
const credential = await navigator.credentials.create({
  publicKey: {
    challenge: serverChallenge,
    rp: { name: "DodaTech", id: "dodatech.com" },
    user: {
      id: new TextEncoder().encode("user-123"),  // opaque handle, not an e-mail address
      name: "user@example.com",
      displayName: "User"
    },
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },    // ES256
      { type: "public-key", alg: -257 }   // RS256, for authenticators without ES256
    ],
    authenticatorSelection: { userVerification: "preferred" }
  }
});
console.log("Credential ID:", credential.id);
// Send credential.response.clientDataJSON and credential.response.attestationObject
// to the server, which verifies the challenge and origin before storing the public key
Expected behavior: The browser prompts the user to create a passkey via a platform authenticator (Touch ID, Windows Hello) or a roaming security key. The attestation response (clientDataJSON plus attestationObject) is sent to the server, which checks that the challenge is the one it issued and that the origin is its own before storing the credential ID and public key. The private key never leaves the authenticator.
Passwordless Authentication
Passwordless authentication replaces passwords entirely with cryptographic keys or biometrics.
# Generate SSH key pair for passwordless server access (-a 100 = KDF rounds protecting the private key file)
ssh-keygen -t ed25519 -a 100 -f ~/.ssh/id_ed25519
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server
# Check the server's effective configuration; sshd -T resolves defaults and Include files,
# which a grep of sshd_config alone does not
sudo sshd -T | grep -Ei '^(passwordauthentication|kbdinteractiveauthentication|pubkeyauthentication|permitrootlogin) '
# Expected:
# passwordauthentication no
# kbdinteractiveauthentication no
# pubkeyauthentication yes
# permitrootlogin no
Expected behavior: The user logs into the server with their SSH key and sees no password prompt. Disabling PasswordAuthentication alone is not enough when PAM is in use: keyboard-interactive authentication (KbdInteractiveAuthentication, called ChallengeResponseAuthentication in older OpenSSH releases) can still accept a password, so disable it too. Ed25519 offers security comparable to RSA-3072 with far smaller keys and faster signing.
FIDO2 and WebAuthn for Web Applications
FIDO2 uses public-key cryptography: the private key never leaves the user's device, and the browser only offers a credential to the RP ID it was registered for.
// WebAuthn authentication (browser API)
// serverChallenge (assumed here) is fetched from the server for this ceremony;
// credentialId is the ID stored at registration, decoded to an ArrayBuffer
const assertion = await navigator.credentials.get({
  publicKey: {
    challenge: serverChallenge,
    rpId: "dodatech.com",
    allowCredentials: [{
      id: credentialId,
      type: "public-key"
    }],
    userVerification: "required"
  }
});
const authData = new Uint8Array(assertion.response.authenticatorData);
console.log("Authenticator data length:", authData.length);  // 37 bytes when no extensions are present
// Send assertion.id plus assertion.response.clientDataJSON, authenticatorData and
// signature to the server; the signature covers authenticatorData || SHA-256(clientDataJSON)
Expected behavior: The browser prompts for biometric or PIN verification. The assertion (clientDataJSON, authenticatorData and signature) is sent to the server, which verifies the signature with the stored public key and also checks the challenge, origin, RP ID hash, user-verification flag and signature counter; a signature that validates but carries a stale challenge or a foreign origin must still be rejected.
Password Manager Comparison
| Feature | Bitwarden | 1Password | KeePassXC |
|---|---|---|---|
| Open source | Yes | No | Yes |
| Zero-knowledge | Yes | Yes | N/A (local) |
| Vault-unlock MFA | TOTP, WebAuthn, email | TOTP, security key | Key file, YubiKey challenge-response |
| Stores TOTP seeds for sites | Yes (premium) | Yes | Yes |
| Self-hostable | Yes (official server or Vaultwarden) | No | Yes (local database, any file sync) |
| Browser extension | Yes | Yes | Yes (plugin) |
| Cost | Free/paid | Paid only | Free |
Password Scoring with zxcvbn
Use realistic password strength estimation rather than simplistic rules.
import zxcvbn

passwords = ["P@ssw0rd123", "correct-horse-battery-staple", "MyD0g$Fido2024!"]
# user_inputs adds account-specific words (name, e-mail, company) to the dictionary
# so that passwords built from them are scored as weak
for pw in passwords:
    result = zxcvbn.zxcvbn(pw, user_inputs=["dodatech", "user@example.com"])
    print(f"{pw}: score {result['score']}/4, "
          f"crack_time {result['crack_times_display']['offline_slow_hashing_1e4_per_second']}")
Expected output (illustrative; exact scores and crack-time estimates vary between zxcvbn versions):
P@ssw0rd123: score 1/4, crack_time 3 seconds
correct-horse-battery-staple: score 4/4, crack_time 3 centuries
MyD0g$Fido2024!: score 2/4, crack_time 2 hours
Common Errors
Reusing passwords across accounts -- A breach at one site exposes all accounts with the same password. Every account should have a unique, randomly generated password stored in a password manager.
Using SMS for MFA -- SMS is vulnerable to SIM swapping attacks, where an attacker convinces the carrier to transfer the victim's phone number, and to interception in transit. Use TOTP or hardware security keys instead.
Storing the master password in plain text -- A sticky note on the monitor or an unencrypted file defeats the purpose. Memorize a long passphrase, and keep the manager's account recovery code and any written copy only in a physically secured location such as a safe.
Disabling MFA on service accounts -- Service accounts and API keys often bypass MFA. Attackers target these. Use short-lived tokens, rotating secrets, and conditional access policies.
Ignoring breach monitoring -- Password managers alert you when stored credentials appear in known breaches through services like Have I Been Pwned. Enable these alerts and rotate affected passwords immediately.
Practice Questions
What is zero-knowledge architecture in password managers? The server stores only encrypted vault data. The encryption key is derived from the master password on the client and never transmitted. Even if the server is breached, vault contents remain encrypted.
Why is NIST no longer recommending periodic password expiration? Research shows forced expiration leads users to choose weaker passwords or use predictable patterns (Password1!, Password2!). Modern guidance recommends expiration only on evidence of compromise.
How does WebAuthn prevent phishing? WebAuthn binds credentials to a specific origin. A phishing site at evil.com attempting to use a credential registered for dodatech.com will fail because the browser enforces origin matching.
What is the difference between TOTP and HOTP? Both compute an HMAC over a shared secret and a counter (RFC 4226). HOTP increments the counter on every use, so client and server drift apart whenever codes are generated but never submitted; TOTP (RFC 6238) derives the counter from the current time in 30-second steps, which keeps both sides in sync with nothing more than a reasonably accurate clock. That freedom from counter resynchronisation is why TOTP is the more common choice.
Challenge: Set up a self-hosted Bitwarden instance (Vaultwarden) with Docker. Configure TOTP MFA for your vault. Create 20 unique passwords for your accounts and verify they pass a breach check.
Mini Project
Audit your personal password hygiene. List every online account, check each against Have I Been Pwned, and move all passwords to a password manager with unique 20-character random passwords. Enable TOTP MFA on every account that supports it.
Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro.