# Password Security and Password Managers
Password security is the practice of creating, managing, and protecting authentication credentials to prevent unauthorized access. Password managers are tools that generate, store, and autofill strong, unique passwords for every account, eliminating the human behaviors (reuse, weak passwords, written-down credentials) that make password-based authentication the most exploited attack vector in cybersecurity.
Passwords are the oldest and most widely used authentication mechanism. They are also the weakest. Verizon's DBIR consistently reports that stolen or compromised credentials are involved in the majority of breaches. The problem is not the concept of a shared secret. The problem is how humans manage shared secrets: they reuse the same password across dozens of accounts, they choose passwords that are short and predictable, they write them on sticky notes, and they share them with colleagues through unencrypted channels.
Password managers solve the human problem. A password manager generates a unique, random, high-entropy password for every account (eliminating reuse), stores all passwords in an encrypted vault (eliminating written-down credentials), and autofills passwords in the browser (eliminating phishing susceptibility, since the manager will not autofill on a domain that does not match). The user remembers one master password. The manager handles the other 200.
The future is passwordless. Passkeys (FIDO2/WebAuthn credentials stored in hardware security modules, platform authenticators, or cloud-synced keystores) replace passwords entirely: the user authenticates with a biometric or device PIN, and the cryptographic credential handles the authentication without a password ever being transmitted. Passkeys are phishing-resistant by design (the credential is bound to the legitimate domain and cannot be replayed on a phishing site). Major platforms (Apple, Google, Microsoft) now support passkeys natively. The transition from passwords to passkeys is underway but incomplete: most applications still support or require passwords, which means password managers remain essential during the transition.
Understanding how passwords are compromised explains why password managers and passkeys are necessary:
Credential stuffing. Attackers take username/password pairs from one breach and test them against other services. If the user reused their password (and 65% of users reuse passwords across multiple accounts according to Google research), the attacker gains access to every account using that password. Credential stuffing is automated: botnets test millions of credential pairs against thousands of services simultaneously.
Defense: unique passwords for every account (password managers generate them) and MFA (even a reused, compromised password is useless without the second factor).
Phishing. The attacker creates a fake login page that captures the user's credentials when they type them. The user believes they are logging into their bank, email, or corporate application. They are logging into the attacker's server.
Defense: password managers only autofill on the correct domain (the manager will not autofill on a phishing site because the domain does not match). Passkeys are bound to the legitimate domain cryptographically and cannot be entered on a phishing site at all.
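As an added illustration (not code from the article or from any particular password manager), this is the kind of domain-matching decision a manager makes before it autofills; `shouldAutofill` is a hypothetical function, and real products add further rules such as public-suffix handling and per-site equivalence lists.

```javascript
// Hypothetical autofill gate: may the credential saved for `savedUrl` be filled
// into the page at `pageUrl`? Returns true only for the same site over HTTPS.
function shouldAutofill(savedUrl, pageUrl) {
  let saved, page;
  try { saved = new URL(savedUrl); page = new URL(pageUrl); } catch { return false; }
  // Never fill over plain HTTP: the credential would travel in cleartext.
  if (page.protocol !== 'https:') return false;
  const savedHost = saved.hostname.toLowerCase();
  const pageHost = page.hostname.toLowerCase();
  // Accept an exact host match or a subdomain of the saved site (login.bank.com for
  // bank.com). Lookalikes such as bank-secure-login.com or bank.com.evil.net, and
  // userinfo tricks like https://bank.com@evil.com (hostname = evil.com), fail here.
  const sameSite = pageHost === savedHost || pageHost.endsWith('.' + savedHost);
  if (!sameSite) return false;
  // A punycode (IDN homoglyph) host the saved entry never used is refused outright.
  if (pageHost.includes('xn--') && !savedHost.includes('xn--')) return false;
  return true;
}
```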
Brute force and dictionary attacks. The attacker systematically tries every possible password (brute force) or every word in a dictionary plus common variations (dictionary attack) against the target account. Short, predictable passwords fall within minutes. A 12-character random password resists brute force for centuries with current computing capability.
Defense: long, random passwords (password managers generate them) and account lockout policies (limit the number of failed attempts before the account is temporarily disabled).
Password spraying. The attacker tries a small number of commonly used passwords (Password1, Summer2024, Welcome1) against a large number of accounts. Spraying avoids account lockout by trying only 1 to 2 passwords per account per lockout period. Organizations where 5% of users have "Password1" as their password give the attacker 5% of the organization's accounts.
Defense: password complexity requirements that prevent common passwords (block lists of known-compromised passwords), combined with MFA.
Credential theft from breaches. When a service is breached, the stored credentials (password hashes or, in the worst cases, plaintext passwords) are leaked. The attacker cracks the hashes offline and obtains the passwords. If the user reused the password, every other account using that password is compromised.
Defense: unique passwords (the breach of one service does not compromise others) and monitoring for credential exposure (services like Have I Been Pwned alert users when their credentials appear in breaches).
Enterprise password managers (1Password Business, Bitwarden Business, Keeper Business, Dashlane Business, LastPass Business) provide organizational-level password management:
Centralized policy enforcement. The organization defines password policies that the manager enforces: minimum password length, required character complexity, prohibition of known-compromised passwords (integration with breach databases), and required use of the password manager for all corporate accounts.
Shared vaults. Teams that need shared access to accounts (social media credentials, vendor portals, shared service accounts) use shared vaults within the password manager rather than emailing passwords, storing them in spreadsheets, or using the same password for everyone. Shared vaults provide access control (only authorized team members can access), audit logging (who accessed which credential and when), and credential rotation (a shared credential can be rotated in the vault without coordinating with every team member).
Breach monitoring. Enterprise password managers monitor the organization's credential exposure: which employee email addresses appear in known breaches, which stored passwords match known-compromised passwords, and which accounts have weak or reused passwords. The security team receives alerts when credentials are exposed and can enforce password changes.
SSO integration. Enterprise password managers integrate with Single Sign-On (SSO) providers (Okta, Entra ID, Google Workspace) to reduce the number of passwords required. SSO-enabled applications authenticate through the identity provider (one authentication, many applications). The password manager handles the applications that do not support SSO.
Offboarding. When an employee leaves, the enterprise password manager revokes their access to all shared vaults and corporate credentials immediately. Without a password manager, offboarding requires identifying every shared credential the departing employee had access to and changing each one individually, a process that is rarely complete.
Passkeys are FIDO2/WebAuthn credentials that replace passwords with public-key cryptography:
How passkeys work. When the user registers a passkey with a service, the authenticator (a hardware security key, the device's platform authenticator, or a cloud-synced keystore) generates a public-private key pair. The public key is stored by the service. The private key never leaves the authenticator. To authenticate, the service sends a challenge. The authenticator signs the challenge with the private key. The service verifies the signature with the public key. No shared secret is transmitted. Nothing the user knows (no password) or types (no OTP) can be phished.
Why passkeys are phishing-resistant. The credential is cryptographically bound to the service's origin (domain). A passkey registered for bank.com will not authenticate on bank-secure-login.com (the phishing site) because the origin does not match. The user cannot accidentally authenticate on the wrong site because the authenticator enforces origin verification.
Passkey implementations. Apple iCloud Keychain, Google Password Manager, and Microsoft Windows Hello synchronize passkeys across the user's devices. Hardware security keys (YubiKey, Google Titan) store passkeys in tamper-resistant hardware. Enterprise passkey deployment uses MDM/UEM to provision passkeys on managed devices.
Current adoption. Major services support passkeys: Google, Apple, Microsoft, Amazon, GitHub, PayPal, eBay, Best Buy, and hundreds of others. Enterprise adoption is accelerating but incomplete: most organizations still support password-based authentication alongside passkeys during the transition period. Full passwordless deployment (passkeys only, no password fallback) is the target state but requires every application in the environment to support passkeys, which most legacy applications do not yet support.
Transition period. During the transition, organizations should deploy passkeys wherever supported, maintain password managers for applications that do not support passkeys, and enforce MFA on all password-based authentication. The password manager and passkey coexist until passwordless coverage is complete.
Stolen credentials are involved in the majority of confirmed breaches (Verizon DBIR). Credential-based attacks (phishing, credential stuffing, password spraying, brute force) are the most common, cheapest, and most scalable attack techniques available. Every password that is reused, weak, or unprotected by MFA is an open door.
Humans cannot manage 200 unique, random, 16-character passwords. It is cognitively impossible. Without a password manager, humans do what humans do: they reuse, they simplify, they write down, and they share. Blaming users for this behavior is blaming biology for being biology. The correct response is not training humans to be password databases. It is deploying tools (password managers) and technologies (passkeys) that eliminate the need for humans to manage credentials at all.
Password security is addressed by every compliance framework. NIST SP 800-63B (Digital Identity Guidelines) provides current password guidance: minimum 8 characters (15+ recommended), no arbitrary complexity rules (no "must include uppercase, lowercase, number, symbol" requirements that produce predictable patterns like "Password1!"), mandatory screening against known-compromised passwords, and no periodic forced rotation (which produces predictable increment patterns like "Summer2024" becoming "Fall2024"). PCI DSS Requirement 8 addresses authentication. HIPAA requires authentication controls. CIS Controls v8 Control 5 addresses account management.
NIST's guidance explicitly deprecated several legacy password practices: forced periodic rotation (now recommended only after suspected compromise), complexity composition rules (now replaced with length requirements and breach-database screening), and security questions (now considered weak authenticators). Organizations still enforcing "change your password every 90 days with uppercase, lowercase, number, and symbol" are following deprecated guidance.
Password security sits in the IAT (Identity Access and Trust) domain of the Planetary Defense Model. IAT is civilization: who is in the environment, what can they access, and how their identity is verified.
CDA's Zero Possession Architecture (ZPA) methodology applies directly: "Trust nothing. Possess nothing. Verify everything." ZPA's "possess nothing" principle means credentials should not be possessed by humans (password managers and passkeys both achieve this). Credentials should not be transmitted in cleartext (passkeys never transmit a shared secret). Credentials should not be reused across services (password managers enforce uniqueness).
IAT-B03 (MFA Deployment, 24 estimated hours) includes password manager deployment and passkey rollout as components. The mission deploys phishing-resistant MFA (FIDO2/passkeys) wherever supported, deploys an enterprise password manager for applications that require passwords, and configures credential monitoring for breach exposure. The three controls together (MFA + password manager + passkeys) address every credential-based attack vector.
CDA approaches password security with one priority: eliminate passwords wherever possible, manage them rigorously where elimination is not yet possible. Passkeys are the destination. Password managers are the bridge. Unmanaged passwords are the threat. Every CDA assessment checks: is MFA deployed? Is a password manager in use? Are passkeys deployed where supported? Gaps in any of these three areas are IAT findings.
Written by Evan Morgan