
Password Management -- Tools, Policies & Multi-Factor Authentication

DodaTech Updated 2026-06-22 6 min read

In this tutorial, you'll learn about Password Management. We cover key concepts, practical examples, and best practices.

Password management encompasses the tools, policies, and practices that secure user credentials -- from password managers that generate and store complex passwords to multi-factor authentication that prevents account takeover even when passwords leak.

What You'll Learn

You will learn to evaluate password managers, implement enterprise password policies, deploy MFA with TOTP and WebAuthn, and apply zero-knowledge architecture for credential storage.

Why It Matters

81% of data breaches involve weak or stolen passwords. The average user has 100+ online accounts. Proper password management eliminates credential reuse and protects against phishing and credential stuffing attacks.

Real-World Use

A SaaS company enforces hardware security key (WebAuthn) for all employees, reducing account takeover incidents from 14 per quarter to zero. Customer-facing accounts use TOTP MFA.

Password Manager Architecture

Password managers use zero-knowledge architecture -- the server never sees your master password or decrypted vault.

graph TD
    A[Master Password] --> B[Derive Encryption Key via PBKDF2/Argon2]
    B --> C[Encrypt Vault with AES-256-GCM]
    C --> D[Sync Encrypted Blob to Server]
    D --> E[Server Stores Encrypted Blob Only]
    E --> F[Client Downloads and Decrypts Locally]
    style A fill:#4a90d9,stroke:#fff,color:#fff
    style F fill:#4a90d9,stroke:#fff,color:#fff

Enterprise Password Policy

{
  "minimumLength": 16,
  "requireUppercase": true,
  "requireLowercase": true,
  "requireNumbers": true,
  "requireSpecialChars": true,
  "expirationDays": null,
  "passwordHistory": 0,
  "failedAttemptLockout": 5,
  "lockoutDurationMinutes": 15,
  "mfaRequired": true,
  "mfaMethods": ["totp", "webauthn"]
}

Expected behavior: Passwords must be at least 16 characters with mixed character types. MFA is mandatory. Password expiration is disabled -- modern guidance recommends expiration only on compromise evidence.
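An added example (not the page's own code) showing what enforcing this policy looks like in Python: it reports which rules a candidate password fails and implements the 5-attempt, 15-minute lockout. The clock is injectable so the lockout window can be tested without waiting; because `expirationDays` is null, there is deliberately no expiry check.

```python
import string
import time

# Constructed copy of the policy JSON above (only the keys this example enforces)
POLICY = {
    "minimumLength": 16, "requireUppercase": True, "requireLowercase": True,
    "requireNumbers": True, "requireSpecialChars": True,
    "failedAttemptLockout": 5, "lockoutDurationMinutes": 15,
}

def password_violations(password, policy=POLICY):
    """Return the names of the policy rules the password fails (empty = accepted)."""
    checks = [
        ("minimumLength", len(password) >= policy["minimumLength"]),
        ("requireUppercase", any(c.isupper() for c in password)),
        ("requireLowercase", any(c.islower() for c in password)),
        ("requireNumbers", any(c.isdigit() for c in password)),
        ("requireSpecialChars", any(c in string.punctuation for c in password)),
    ]
    # A rule only applies when the policy enables it (minimumLength is always set)
    return [name for name, ok in checks if policy.get(name) and not ok]

class LockoutTracker:
    """Counts failed logins per account and enforces the lockout window.
    `clock` is injectable so the behaviour can be tested without waiting."""
    def __init__(self, policy=POLICY, clock=time.time):
        self.max_failures = policy["failedAttemptLockout"]
        self.lockout_seconds = policy["lockoutDurationMinutes"] * 60
        self.clock = clock
        self.failures = {}       # account -> timestamps of recent failures
        self.locked_until = {}   # account -> time at which the lockout expires

    def is_locked(self, account):
        return self.clock() < self.locked_until.get(account, 0)

    def record_failure(self, account):
        """Register a failed attempt; returns True if the account is now locked."""
        now = self.clock()
        recent = [t for t in self.failures.get(account, []) if now - t < self.lockout_seconds]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[account] = now + self.lockout_seconds
            self.failures[account] = []
        return self.is_locked(account)

    def record_success(self, account):
        """A successful login (while not locked) clears the failure history."""
        self.failures.pop(account, None)
```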

MFA Implementation: TOTP

Time-based One-Time Passwords generate 6-digit codes that change every 30 seconds.

import pyotp
import qrcode

# Generate a random base32 secret; store it server-side per user, encrypted at rest
secret = pyotp.random_base32()
print(f"Secret: {secret}")
# Output: JBSWY3DPEHPK3PXP

# Generate the provisioning URI and render it as the QR code the user scans
totp = pyotp.TOTP(secret)
uri = totp.provisioning_uri("user@example.com", issuer_name="DodaTech")
print(f"URI: {uri}")
# Output: otpauth://totp/DodaTech:user@example.com?secret=JBSWY3DPEHPK3PXP&issuer=DodaTech
qrcode.make(uri).save("totp-enrollment.png")

# Verify a code against the current 30-second time step
code = input("Enter TOTP code: ")
is_valid = totp.verify(code)
print(f"Valid: {is_valid}")

Expected behavior: The user scans the QR code with an authenticator app. The app generates rotating codes. The server verifies each code once.
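To show what pyotp does internally, and how a server enforces the "verifies each code once" rule, here is an added example (not from the page or from pyotp) implementing RFC 6238 with Python's standard library. It uses the RFC's own test-vector secret; the one-step drift window is an assumption.

```python
import base64
import hashlib
import hmac
import struct
import time

def totp_code(secret_b32, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper())
    counter = int((time.time() if for_time is None else for_time) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

class TotpVerifier:
    """Server-side verification that accepts each time step at most once.
    `window` is the number of adjacent steps tolerated for clock drift."""
    def __init__(self, secret_b32, window=1, step=30):
        self.secret, self.window, self.step = secret_b32, window, step
        self.last_accepted_counter = -1   # persist this per user in a real deployment

    def verify(self, code, now=None):
        now = time.time() if now is None else now
        counter = int(now // self.step)
        for drift in range(-self.window, self.window + 1):
            candidate = counter + drift
            if candidate <= self.last_accepted_counter:
                continue   # step already consumed: a captured code cannot be replayed
            expected = totp_code(self.secret, candidate * self.step, self.step)
            if hmac.compare_digest(expected, code):
                self.last_accepted_counter = candidate
                return True
        return False

# Constructed secret: the RFC 6238 test-vector key (ASCII "12345678901234567890")
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    # RFC 6238 vector at t=59 is 94287082; the 6-digit code is its last six digits
    print(totp_code(RFC_SECRET, for_time=59))   # 287082
```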

Enterprise Single Sign-On Integration

SSO centralizes authentication and enforces consistent MFA policies across all applications.

# Keycloak realm configuration for SAML federation
realm: dodatech
enabled: true
clients:
  - clientId: internal-tools
    protocol: saml
    samlForcePostBinding: true
    samlNameIdFormat: email
    samlForceNameIdFormat: true
    defaultRoles:
      - user
    fineGrainSamlAttributeConfig:
      name: email
      friendlyName: Email
      samlAttributeNameFormat: basic
  - clientId: analytics-dashboard
    protocol: openid-connect
    standardFlowEnabled: true
    publicClient: false
    secret: ****

Expected behavior: Users authenticate once through Keycloak, which enforces MFA through a conditional policy. All connected applications receive SAML assertions or OpenID Connect tokens with verified identity.

WebAuthn / Passkeys

WebAuthn uses public-key cryptography for phishing-resistant authentication.

// WebAuthn registration (browser API)
// `serverChallenge` is a fresh random Uint8Array fetched from the server for
// this ceremony. Never use a constant such as new Uint8Array(32): the challenge
// is what ties the signed response to this particular registration attempt.
const credential = await navigator.credentials.create({
  publicKey: {
    challenge: serverChallenge,
    rp: { name: "DodaTech", id: "dodatech.com" },
    user: {
      id: new TextEncoder().encode("user-123"), // opaque user handle, not an email
      name: "user@example.com",
      displayName: "User"
    },
    pubKeyCredParams: [{ type: "public-key", alg: -7 }] // -7 = ES256 (ECDSA P-256)
  }
});

console.log("Credential ID:", credential.id);
// Send credential.response.clientDataJSON and attestationObject to the server,
// which extracts and stores the public key for later logins.

Expected behavior: The browser prompts the user to create a passkey via platform authenticator (Touch ID, Windows Hello, or security key). The public key is sent to the server. The private key never leaves the device.

Passwordless Authentication

Passwordless authentication replaces passwords entirely with cryptographic keys or biometrics.

# Generate SSH key pair for passwordless server access
ssh-keygen -t ed25519 -a 100 -f ~/.ssh/id_ed25519
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server

# Configure server to require key only
grep "PasswordAuthentication" /etc/ssh/sshd_config
# Expected: PasswordAuthentication no

Expected behavior: The user logs into the server with their SSH key and no password prompt. The Ed25519 key offers strong security with smaller key sizes than RSA.

FIDO2 and WebAuthn for Web Applications

FIDO2 uses public-key cryptography where the private key never leaves the user's device.

// WebAuthn authentication (browser API)
// `serverChallenge` is a fresh random Uint8Array from the server for this login;
// `credentialId` is the raw id (ArrayBuffer) returned at registration.
const assertion = await navigator.credentials.get({
  publicKey: {
    challenge: serverChallenge,
    allowCredentials: [{
      id: credentialId,
      type: "public-key"
    }],
    userVerification: "required" // biometric or PIN, not just a touch
  }
});

const authData = new Uint8Array(assertion.response.authenticatorData);
console.log("Authenticator data length:", authData.length);
// Send assertion.response.authenticatorData, clientDataJSON and signature to the
// server for origin, challenge and signature verification.

Expected behavior: The browser prompts for biometric or PIN verification. After successful authentication, the assertion is sent to the server for signature verification.
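An added example (not the page's code) of the server-side checks behind the two browser calls above and behind the origin-binding answer in the practice questions. It parses clientDataJSON and authenticatorData, checks ceremony type, challenge, origin, rpIdHash, the user-verification flag and the signature counter, and returns the bytes the response signature covers. The origin https://dodatech.com and all sample values are constructed assumptions; verifying the signature over the returned payload with the public key stored at registration is the remaining step and needs a crypto library, so it is left to the caller.

```python
import base64
import hashlib
import json
import struct

# Relying-party values for this example (rp id from the page; origin assumed)
RP_ID = "dodatech.com"
EXPECTED_ORIGIN = "https://dodatech.com"
FLAG_UP, FLAG_UV = 0x01, 0x04   # authenticatorData flag bits: user present / user verified

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_client_data(challenge, origin, typ="webauthn.get"):
    """Constructed clientDataJSON, shaped as the browser produces it."""
    return json.dumps({"type": typ, "challenge": b64url(challenge), "origin": origin}).encode()

def make_authenticator_data(rp_id, flags, sign_count):
    """Constructed authenticatorData: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

def verify_assertion(client_data_json, auth_data, challenge, stored_sign_count, require_uv=True):
    """Server-side checks on a navigator.credentials.get() response.
    Returns (checks_passed, reason, signed_payload); the caller must still verify
    the response signature over signed_payload with the stored public key."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type", None
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch (replay or stale login)", None
    if cd.get("origin") != EXPECTED_ORIGIN:   # the check that defeats a look-alike site
        return False, "origin mismatch", None
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch", None
    flags = auth_data[32]
    if not flags & FLAG_UP:
        return False, "user presence not asserted", None
    if require_uv and not flags & FLAG_UV:
        return False, "user verification required but not performed", None
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    if sign_count != 0 and sign_count <= stored_sign_count:
        return False, "signature counter did not increase", None
    return True, "ok", auth_data + hashlib.sha256(client_data_json).digest()

if __name__ == "__main__":
    challenge = bytes(range(32))   # constructed; real challenges are random per login
    cd = make_client_data(challenge, EXPECTED_ORIGIN)
    ad = make_authenticator_data(RP_ID, FLAG_UP | FLAG_UV, 7)
    print(verify_assertion(cd, ad, challenge, stored_sign_count=6)[:2])   # (True, 'ok')
```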

Password Manager Comparison

Feature            Bitwarden          1Password        KeePassXC
Open source        Yes                No               Yes
Zero-knowledge     Yes                Yes              N/A (local)
MFA support        TOTP, WebAuthn     TOTP, WebAuthn   TOTP plugin
Self-hostable      Yes (Vaultwarden)  No               Yes
Browser extension  Yes                Yes              Yes (plugin)
Cost               Free/paid          Paid only        Free

Password Scoring with zxcvbn

Use realistic password strength estimation rather than simplistic rules.

import zxcvbn

# Score each password; the crack-time estimate assumes an offline attacker
# against a slow hash at 10^4 guesses per second
passwords = ["P@ssw0rd123", "correct-horse-battery-staple", "MyD0g$Fido2024!"]
for pw in passwords:
    result = zxcvbn.zxcvbn(pw)
    print(f"{pw}: score {result['score']}/4, crack_time {result['crack_times_display']['offline_slow_hashing_1e4_per_second']}")

Expected output:

P@ssw0rd123: score 1/4, crack_time 3 seconds
correct-horse-battery-staple: score 4/4, crack_time 3 centuries
MyD0g$Fido2024!: score 2/4, crack_time 2 hours

Common Errors

  1. Reusing passwords across accounts -- A breach at one site exposes all accounts with the same password. Every account should have a unique, randomly generated password stored in a password manager.

  2. Using SMS for MFA -- SMS is vulnerable to SIM swapping attacks, where an attacker convinces the carrier to transfer the victim's phone number. Use TOTP or hardware security keys instead.

  3. Storing master password in plain text -- Writing the master password on a sticky note or in an unencrypted file defeats the purpose. Use a hardware security key as a backup or memorize it with a mnemonic.

  4. Disabling MFA on service accounts -- Service accounts and API keys often bypass MFA. Attackers target these. Use short-lived tokens, rotating secrets, and conditional access policies.

  5. Ignoring breach monitoring -- Password managers alert you when stored credentials appear in known breaches through services like Have I Been Pwned. Enable these alerts and rotate affected passwords immediately.

Practice Questions

  1. What is zero-knowledge architecture in password managers? The server stores only encrypted vault data. The encryption key is derived from the master password on the client and never transmitted. Even if the server is breached, vault contents remain encrypted.

  2. Why is NIST no longer recommending periodic password expiration? Research shows forced expiration leads users to choose weaker passwords or use predictable patterns (Password1!, Password2!). Modern guidance recommends expiration only on evidence of compromise.

  3. How does WebAuthn prevent phishing? WebAuthn binds credentials to a specific origin. A phishing site at evil.com attempting to use a credential registered for dodatech.com will fail because the browser enforces origin matching.

  4. What is the difference between TOTP and HOTP? TOTP uses time-based counters (30-second windows), while HOTP uses event-based counters incremented with each use. TOTP is more common because it works offline on the authenticator device.

  5. Challenge: Set up a self-hosted Bitwarden instance (Vaultwarden) with Docker. Configure TOTP MFA for your vault. Create 20 unique passwords for your accounts and verify they pass a breach check.

Mini Project

Audit your personal password hygiene. List every online account, check each against Have I Been Pwned, and move all passwords to a password manager with unique 20-character random passwords. Enable TOTP MFA on every account that supports it.

Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro.
