Password concepts: best practices, password managers, passwordless

4.4 Identity & access management

📘CompTIA Security+ (SY0-701)


Password Concepts (SY0-701)

Passwords are one of the most common ways to authenticate users and control access to systems, networks, and applications.
However, if not managed properly, passwords can become a major security risk.
That’s why understanding password best practices, the use of password managers, and passwordless authentication is important for the Security+ exam and real-world security.


🔐 1. Password Best Practices

Password best practices are security measures that help keep user accounts and systems safe from unauthorized access.

1.1. Strong Passwords

A strong password should be:

  • Long: At least 12–16 characters (longer is better).
  • Complex: Includes uppercase, lowercase, numbers, and special symbols.
  • Unique: Not reused across multiple accounts.
  • Unpredictable: Should not contain names, dictionary words, or keyboard patterns.

Example in IT context:
A user’s password for logging into a company VPN should meet strong password requirements to prevent brute-force or dictionary attacks.
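The four properties above can be checked mechanically at password-set time. The following is an added example, not code from the original notes; it is written for Node.js and the dictionary and keyboard-pattern lists in it are small constructed samples standing in for the full breached-password list a real deployment would screen against.

```javascript
// Added example (not from the original notes): a password policy check covering
// the "long", "complex" and "unpredictable" properties. "Unique" (no reuse across
// accounts) cannot be judged from one password alone; see the password-history
// and password-manager material elsewhere on this page.
const COMMON_WORDS = ['password', 'welcome', 'company', 'summer', 'winter', 'admin', 'letmein'];
const KEYBOARD_PATTERNS = ['qwerty', 'asdfgh', 'zxcvbn', '12345', 'abcdef'];
const CLASSES = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/]; // lower, upper, digit, symbol

// Returns { ok, problems } so the caller can tell the user exactly what to fix.
// opts.minLength (default 12) and opts.userNames (account names the password must
// not contain) are hypothetical options chosen for this example.
function checkPassword(password, opts = {}) {
  const minLength = opts.minLength ?? 12;
  const userNames = (opts.userNames ?? []).map((n) => n.toLowerCase());
  const lower = password.toLowerCase();
  const problems = [];

  // Long
  if (password.length < minLength) problems.push(`shorter than ${minLength} characters`);

  // Complex: every character class must be present
  const present = CLASSES.filter((re) => re.test(password)).length;
  if (present < CLASSES.length) {
    problems.push('missing one or more character classes (upper, lower, digit, symbol)');
  }

  // Unpredictable: no dictionary words, account names, keyboard walks or long runs
  for (const w of COMMON_WORDS) if (lower.includes(w)) problems.push(`contains dictionary word "${w}"`);
  for (const p of KEYBOARD_PATTERNS) if (lower.includes(p)) problems.push(`contains keyboard pattern "${p}"`);
  for (const n of userNames) if (n && lower.includes(n)) problems.push(`contains account name "${n}"`);
  if (/(.)\1{3,}/.test(password)) problems.push('contains a run of 4 or more repeated characters');

  return { ok: problems.length === 0, problems };
}
```

Returning the list of problems rather than a bare true/false is deliberate: users who are told why a password was rejected pick a genuinely better one instead of appending a digit and trying again.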


1.2. Password Expiration Policies

Organizations often set password expiration periods (for example, every 60 or 90 days).
However, modern security guidance (like NIST SP 800-63B) recommends avoiding frequent password changes unless a breach is suspected.
Frequent changes can lead to weaker passwords or user frustration.

Best practice:

  • Change passwords only if there is a suspected compromise.

1.3. Password History and Reuse

To prevent users from reusing old passwords, administrators can enforce password history policies.
For example, users may not reuse the last 10 passwords.
This helps ensure new passwords are truly different and harder to guess.


1.4. Account Lockout and Attempt Limits

To defend against brute-force attacks (where attackers try many password combinations), systems should:

  • Lock accounts temporarily after several failed login attempts (e.g., 5 attempts).
  • Use account lockout timers (e.g., lock for 15 minutes or until admin reset).

This prevents attackers from continuously guessing passwords.
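The lockout behaviour described above, as an added example that is not part of the original notes. It is Node.js code; the policy values (5 attempts, 15 minutes) come from the text, the class and method names are this example's own, and the clock is passed in as a parameter so the expiry logic can be exercised without waiting.

```javascript
// Added example (not from the original notes): a per-account failed-attempt
// counter with a temporary lockout and an administrative reset. State is kept in
// memory here; a real service would persist it alongside the account.
class LockoutPolicy {
  constructor({ maxAttempts = 5, lockoutMs = 15 * 60 * 1000 } = {}) {
    this.maxAttempts = maxAttempts;
    this.lockoutMs = lockoutMs;
    this.state = new Map(); // username -> { failures, lockedUntil }
  }

  _get(user) {
    if (!this.state.has(user)) this.state.set(user, { failures: 0, lockedUntil: 0 });
    return this.state.get(user);
  }

  isLocked(user, now = Date.now()) {
    return this._get(user).lockedUntil > now;
  }

  // passwordIsValid is a callback so the password is not even evaluated while the
  // account is locked: a locked account gives a guesser no signal at all.
  attemptLogin(user, passwordIsValid, now = Date.now()) {
    const s = this._get(user);
    if (s.lockedUntil > now) {
      return { ok: false, reason: 'locked', retryAfterMs: s.lockedUntil - now };
    }
    if (s.lockedUntil) { s.failures = 0; s.lockedUntil = 0; } // earlier lockout has expired
    if (passwordIsValid()) { s.failures = 0; return { ok: true }; }
    s.failures += 1;
    if (s.failures >= this.maxAttempts) {
      s.lockedUntil = now + this.lockoutMs;
      return { ok: false, reason: 'locked', retryAfterMs: this.lockoutMs };
    }
    return { ok: false, reason: 'wrong-password', remaining: this.maxAttempts - s.failures };
  }

  // "or until admin reset" from the text: clears both the counter and the lock.
  adminReset(user) { this.state.delete(user); }
}
```

A temporary lock (rather than a permanent one) is the usual choice because an attacker who knows a username can otherwise lock legitimate users out at will; the 15-minute window keeps that nuisance bounded while still making online guessing impractically slow.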


1.5. Salting and Hashing

When passwords are stored in databases, they should never be stored in plain text.
Instead, they are protected using:

  • Hashing: Converts a password into a fixed-length code using algorithms like SHA-256 or bcrypt.
  • Salting: Adds random data to the password before hashing, so even identical passwords have different hashes.

In IT systems:
This ensures that even if attackers steal the password database, it’s difficult to reverse-engineer the real passwords.


1.6. Multi-Factor Authentication (MFA)

Even strong passwords can be stolen.
Adding another authentication factor (like a code sent to a phone or biometric scan) increases protection.
MFA combines something you know (password) with something you have (token or phone) or something you are (biometric).


1.7. User Education

Users must be trained to:

  • Never share passwords.
  • Avoid writing passwords on notes or storing them insecurely.
  • Watch out for phishing attacks that trick them into revealing passwords.

🧰 2. Password Managers

2.1. What is a Password Manager?

A password manager is a secure tool that stores, encrypts, and manages passwords for multiple accounts.
It helps users create and remember complex, unique passwords for every service.

Password managers use strong encryption (like AES-256) to store credentials securely in an encrypted vault.


2.2. How It Works in IT Environments

  • The user logs in to the password manager with one master password.
  • The password manager automatically fills in stored credentials for websites, applications, or systems.
  • In corporate environments, enterprise password managers allow IT administrators to securely share credentials among team members with access control.

2.3. Security Benefits

  • Encourages unique passwords per system (reduces password reuse).
  • Reduces risk of users choosing weak passwords.
  • Protects credentials from phishing websites.
  • Provides centralized control for administrators.

2.4. Best Practices for Password Managers

  • Protect the master password with MFA.
  • Keep the software up to date.
  • Use a reputable and encrypted password manager.
  • Regularly back up the encrypted vault (if supported).

🪄 3. Passwordless Authentication

3.1. What is Passwordless Authentication?

Passwordless authentication removes the need for users to enter a traditional password.
Instead, it uses more secure and user-friendly methods like:

  • Biometrics: Fingerprint, facial recognition, voice ID.
  • Security keys: Physical hardware keys (such as a YubiKey) that implement standards like FIDO2.
  • Magic links or one-time codes: Sent to a verified device or email.
  • Authentication apps: Such as push notifications via mobile apps.

3.2. Why Passwordless Is Important

Passwords are often the weakest link because users forget them, reuse them, or fall for phishing attacks.
Passwordless authentication improves:

  • Security: Harder for attackers to steal or guess.
  • User experience: No password to remember.
  • Resistance to phishing: Credentials are not typed or transmitted.

3.3. How It Works in IT Environments

  1. The user tries to log in to a company system or cloud service.
  2. Instead of typing a password, they:
    • Approve a sign-in request on their phone, or
    • Insert a hardware security key, or
    • Use biometric data to unlock access.
  3. The system verifies the identity using cryptographic keys instead of passwords.

Example in IT context:
Employees use a FIDO2 key to log in to corporate email or cloud platforms like Microsoft 365 — no password required.


3.4. FIDO2 and WebAuthn

  • FIDO2 (Fast Identity Online) and WebAuthn are open authentication standards that enable passwordless logins using public key cryptography.
  • The private key stays on the user’s device (like a phone or hardware key).
  • The public key is stored on the server.
  • During login, the device signs a challenge, proving identity without sending any password.

3.5. Exam Tip

For the Security+ exam, remember:

  • Passwordless = authentication using biometrics, tokens, or cryptographic keys.
  • It eliminates password-based attacks such as:
    • Credential stuffing
    • Brute force
    • Phishing

🧠 Summary Table

Concept             | Description                                   | Benefits
Strong Passwords    | Complex, long, unique                         | Harder to guess
Password Policy     | Defines rules (length, history, expiration)   | Enforces consistency
Password Manager    | Stores and encrypts passwords                 | Promotes unique, strong passwords
Salting & Hashing   | Protects stored passwords                     | Prevents reverse engineering
Passwordless        | Removes passwords using biometrics or tokens  | Strong security and better usability
MFA                 | Adds second verification step                 | Reduces account takeover risk

Key Takeaways for Security+ Exam

  • Understand what makes a strong password and why password reuse is dangerous.
  • Know NIST’s recommendation: avoid frequent forced changes unless compromised.
  • Know the function and benefits of password managers.
  • Recognize the methods of passwordless authentication and their security benefits.
  • Remember FIDO2/WebAuthn are technologies that enable passwordless logins.
  • Understand how passwordless authentication prevents common password attacks.
