Password security

Einleitung

Es ist Montagmorgen. Ein Entwickler kann sich nicht in die Produktionsdatenbank einloggen. Das Passwort wurde letzte Woche rotiert, die Aktualisierung erreichte nie die gemeinsame Tabelle, und das System ist ausgefallen. Jemand eröffnet ein Help-Desk-Ticket. IT-Ingenieure unterbrechen ihre Arbeit. Vierzig Minuten später ist die Krise gelöst.

Die Rechnung: 70 $ — ein Ticket, ein Ingenieur, ein frustrierter Entwickler, der fast eine Stunde lang nichts produziert hat.

Multiplizieren Sie das mit jedem vergessenen, abgelaufenen oder falsch kommunizierten Zugangsdaten in Ihrer Organisation, und das Passwort-Chaos hört auf, ein IT-Ärgernis zu sein, und beginnt wie ein Bilanzproblem auszusehen.

Und das Ticket ist nur der sichtbare Teil. Es zählt nicht den verlorenen Kontext des Entwicklers nach einem unterbrochenen Morgen, das Deployment, das sich verzögerte, oder das Kundengespräch, das verschoben wurde. Es blutet still, über alle Teams hinweg, das ganze Jahr lang.

Passwort-Chaos ist die unorganisierte, unsichere und kostspielige Ausbreitung von Zugangsdaten in einer Organisation — unverwaltet, dupliziert und über unsichere Kanäle geteilt. Laut dem Verizon Data Breach Investigations Report waren kompromittierte Passwörter im Jahr 2025 an 28 % aller Datenschutzverletzungen beteiligt. Das finanzielle Risiko ist real: Die globalen durchschnittlichen Kosten einer Datenschutzverletzung erreichten 2025 4,44 Millionen Dollar (IBM).

Dieser Artikel schlüsselt auf, warum Passwort-Chaos trotz Sicherheitsrichtlinien fortbesteht, was es tatsächlich in Bezug auf Sicherheit, Produktivität und Compliance kostet — und wie man es strukturell behebt, nicht nur symptomatisch.

Wichtige Erkenntnisse

• Kompromittierte Passwörter stecken hinter der Mehrheit der Sicherheitsverletzungen — nicht ausgefeilte Exploits, sondern Zugangsdaten, die wiederverwendet, sorglos geteilt oder nie rotiert wurden.
• Passwortbezogene Probleme beanspruchen einen unverhältnismäßig großen Anteil der IT-Kapazität — Zurücksetzungen, Sperrungen und Zugriffsanfragen, die gar nicht erst existieren sollten.
• Veraltete Passwortrichtlinien verschlimmern das Problem, anstatt es zu lösen — erzwungene Rotation und Komplexitätsregeln führen zu Workarounds, die die tatsächliche Sicherheit verringern.
• Unverwaltete Zugangsdaten machen Compliance-Audits nahezu unmöglich — ohne ein zentralisiertes Audit-Log gibt es keine Möglichkeit nachzuweisen, wer auf was Zugriff hatte.
• Die Lösung ist strukturell — zentralisierte Speicherung, rollenbasierte Zugriffskontrolle und ein klarer Offboarding-Prozess beseitigen die Ursachen, nicht nur die Symptome.

Warum Passwort-Chaos ein stiller Geschäftskiller ist

Passwort-Chaos ist die unkontrollierte Ausbreitung von Zugangsdaten in einer Organisation — gespeichert in Tabellen, über Chat geteilt, über Systeme hinweg dupliziert und ohne konsistenten Prozess verwaltet. Es ist ein Zustand, der sich im Laufe der Zeit verstärkt und gleichzeitig Sicherheit, Produktivität und Compliance gefährdet.

Sicherheitsrisiken

Unverwaltete Zugangsdaten bleiben nicht eingedämmt. Sie verbreiten sich, werden schwächer und werden ausgenutzt:

• Passwort-Müdigkeit führt zu Wiederverwendung. Wenn Mitarbeiter Dutzende von Konten verwalten, greifen sie auf vertraute, schwache Zugangsdaten zurück — oft dasselbe Passwort für mehrere Systeme.
• Wiederverwendung ermöglicht Credential Stuffing im großen Stil. Angreifer nehmen gestohlene Benutzername-Passwort-Paare aus einer Sicherheitsverletzung und automatisieren Login-Versuche bei Hunderten anderer Dienste. Verizons Forschung bestätigt, dass gestohlene Zugangsdaten mit 86 % der Sicherheitsverletzungen bei webbasierten Anwendungen verbunden sind.
• Geteilte Zugangsdaten in unkontrollierten Kanälen schaffen dauerhafte Exposition. Sobald ein Passwort ein sicheres System verlässt — über Slack, E-Mail oder eine Tabelle — gibt es keinen Audit-Trail und keinen Widerrufsmechanismus. Es existiert irgendwo, wo Sie es nicht sehen oder kontrollieren können.

Produktivitäts- und Betriebsrisiken

• 40 % aller Help-Desk-Anrufe sind passwortbezogen (Gartner). Das ist ein erheblicher Anteil der IT-Kapazität, der von einem Problem absorbiert wird, dessen Ursache bekannt und lösbar ist.
• Wenn der Zugang blockiert ist, stoppt die Arbeit. Die nachgelagerten Kosten eines Ingenieurs oder Analysten, der auf eine Zurücksetzung wartet — verlorener Kontext, verzögerte Deployments, verschobene Deadlines — verstärken die direkten Kosten des Tickets selbst.
• Workarounds werden zu dauerhaften Einrichtungen. Temporäre gemeinsame Konten, im Browser gespeicherte Passwörter und angepinnte Slack-Nachrichten beginnen als Abkürzungen und enden als nicht nachverfolgte Zugriffspunkte.

Compliance-Risiken

Die Ausbreitung von Zugangsdaten macht die Einhaltung von Vorschriften schwerer nachweisbar und leichter zu verfehlen:

• Unverwaltete Zugangsdaten machen Zugriffskontrolle unmöglich nachweisbar unter DSGVO, NIS2, SOC 2, HIPAA oder ISO 27001. Prüfer akzeptieren kein „wir glauben, der Zugriff war begrenzt" — sie verlangen Beweise.
• Ohne ein zentralisiertes Audit-Log gibt es keine Aufzeichnung darüber, wer wann auf was Zugriff hatte. Diese Lücke ist sowohl ein Compliance-Versagen als auch ein forensischer blinder Fleck bei der Incident-Response.
• Offboarding ohne Zugangsdaten-Rotation lässt den Zugang unbegrenzt offen. Ehemalige Mitarbeiter, Auftragnehmer und Lieferanten behalten den Zugriff auf Systeme lange nach Ende ihrer Zusammenarbeit.

Der Kumulationseffekt

Jede Risikodimension verstärkt die anderen. Ein wiederverwendetes Passwort wird zum Credential-Stuffing-Vektor. Ein gestopftes Zugangsdaten umgeht Zugriffskontrollen. Eine umgangene Kontrolle hinterlässt keinen Audit-Trail. Bis die Sicherheitsverletzung erkannt wird, ist der Schaden bereits angerichtet. Passwort-Chaos ist ein systemischer Zustand, der eine systemische Reaktion erfordert.

Passwort-Chaos in der Praxis

Passwort-Chaos kündigt sich selten als Sicherheitsereignis an. Es sieht aus wie ein gewöhnlicher Dienstag.

Ein mittelständisches SaaS-Unternehmen betreibt seine Infrastruktur über AWS, drei interne Tools, ein CRM und eine Staging-Umgebung, die vom Entwicklerteam gemeinsam genutzt wird. Zugangsdaten werden so verwaltet wie immer: eine gemeinsame Tabelle auf Google Drive, ein paar angepinnte Einträge in einem Team-Slack-Kanal und eine Handvoll Passwörter, die nur im Kopf eines Senior-Ingenieurs existieren.

So sieht das aus:

• Woche 1. Ein neuer Auftragnehmer tritt dem Backend-Team bei. Jemand teilt das Staging-Datenbank-Passwort über Slack-DM. Der Auftragnehmer beendet seinen Einsatz sechs Wochen später. Niemand rotiert die Zugangsdaten. Sie bleiben gültig.
• Woche 3. Der CRM-Anbieter erzwingt eine Passwortzurücksetzung. Der Teamleiter aktualisiert die Tabelle. Zwei Entwickler verpassen die Aktualisierung vollständig und verbringen den größten Teil eines Vormittags damit, etwas zu beheben, das sie für ein API-Problem halten. Ein Release wird verschoben.
• Woche 5. Ein Senior-Ingenieur nimmt zwei Wochen Urlaub. Drei Systeme benötigen in dieser Zeit Zugriff. Jemand findet einen Workaround: Ein zweites Konto mit Admin-Rechten wird erstellt. Es wird vier Monate lang nicht entfernt.
• Woche 7. Ein Entwickler verlässt das Unternehmen. HR benachrichtigt die IT. Die IT deaktiviert das Active-Directory-Konto. Niemand prüft, auf welche gemeinsamen Zugangsdaten der Entwickler Zugriff hatte — die Staging-Umgebung, das AWS-Testkonto, das interne Monitoring-Tool. Alle drei bleiben unter diesen Zugangsdaten zugänglich.
• Woche 9. Ein IT-Audit markiert die gemeinsame Google-Drive-Tabelle als Compliance-Lücke vor einer SOC-2-Überprüfung. Das Sicherheitsteam verbringt drei Tage damit, manuell zu ermitteln, wer wann auf welche Zugangsdaten Zugriff hatte und ob seit dem letzten Mitarbeiteraustritt welche rotiert wurden. Mehrere wurden es nicht.
• Woche 10. Ein Phishing-Angriff kompromittiert das Google-Konto eines Mitarbeiters. Der Angreifer hat nun Lesezugriff auf die Zugangsdaten-Tabelle. Das Team weiß dies 19 Tage lang nicht.

Die meisten der früheren Ereignisse hatten eine vernünftige Erklärung: Ein Auftragnehmer brauchte Zugriff, jemand war im Urlaub. Woche 10 ist der Punkt, an dem diese Erklärungen nicht mehr greifen. Sie ist auch vollständig vorhersehbar — jede Lücke, die sich in den vorherigen neun Wochen angesammelt hatte, war noch offen, als der Angreifer eintraf.

Das Chaos baut sich nicht dramatisch auf. Es sammelt sich still an, ein Workaround nach dem anderen.

Passwort-Chaos kostet mehr, als die meisten Teams ahnen. Passwork bietet IT-Teams einen strukturierten Tresor mit rollenbasierter Zugriffskontrolle und vollständigem Audit-Log — vollständig in Ihrer eigenen Infrastruktur bereitgestellt. Sehen Sie, wie es funktioniert

Warum traditionelle Passwortrichtlinien 2026 versagen

Veraltete Passwortrichtlinien wurden für ein anderes Bedrohungsmodell entwickelt. Obligatorische 30-Tage-Rotation, Komplexitätsregeln mit Symbolen und Zahlen und das Verbot der Wiederverwendung — diese Regeln waren gut gemeint, aber es hat sich gezeigt, dass sie das Risiko erhöhen, anstatt es zu reduzieren.

Die aktuellen NIST-Richtlinien (SP 800-63B) empfehlen ausdrücklich, auf obligatorische periodische Passwortänderungen zu verzichten, es sei denn, es gibt Hinweise auf eine Kompromittierung. Erzwungene Rotation führt zu vorhersehbaren Mustern: Password1! wird im nächsten Zyklus zu Password2!. Benutzer schreiben Passwörter auf. Die Wiederverwendung nimmt zu.

Das Ergebnis veralteter Richtlinien: Mitarbeiter umgehen sie, die Sicherheit wird schwächer, und IT-Teams verbringen Zeit mit der Durchsetzung von Regeln, die das tatsächliche Risiko nicht reduzieren.

Passwort-Chaos dauerhaft beheben: der 4-Schritte-Plan

Die Behebung von Passwort-Chaos erfordert einen strukturierten Ansatz und eine bewusste Änderung der Art und Weise, wie Zugangsdaten in der Organisation erstellt, gespeichert, geteilt und widerrufen werden.

1. Prüfen Sie Ihre aktuelle Zugangsdaten-Landschaft

Erfassen Sie jedes System, jede Anwendung und jedes gemeinsame Konto. Identifizieren Sie Zugangsdaten, die außerhalb eines sicheren Tresors gespeichert sind: Tabellen, E-Mail-Threads, Chat-Protokolle, im Browser gespeicherte Passwörter. Quantifizieren Sie die Exposition, bevor Sie versuchen, sie zu beheben.

2. Zentralisieren Sie in einem sicheren Tresor

Verschieben Sie alle Zugangsdaten in einen zentralisierten Passwort-Manager mit verschlüsselter Speicherung. Für Organisationen in regulierten Branchen oder mit strengen Anforderungen an den Datenstandort hält eine On-Premise- oder selbstgehostete Bereitstellung alle Daten innerhalb des Unternehmensperimeters — ohne Abhängigkeit von einer Drittanbieter-Cloud.

3. Setzen Sie Zugriffskontrolle mit RBAC durch

Rollenbasierte Zugriffskontrolle (RBAC) stellt sicher, dass Mitarbeiter nur auf die Zugangsdaten zugreifen, die ihre Rolle erfordert. Wenn jemand die Organisation verlässt, wird der Zugriff sofort widerrufen — und das System markiert alle Zugangsdaten, auf die er Zugriff hatte, zur Rotation.

4. Automatisieren Sie mit MFA und Integrationen

Verlangen Sie Multi-Faktor-Authentifizierung (MFA) für den Tresor-Zugriff. Integrieren Sie Ihren bestehenden Verzeichnisdienst über LDAP oder Active Directory, um Benutzer und Gruppen automatisch zu synchronisieren. Nutzen Sie API-Zugriff, um das Zugangsdaten-Management in CI/CD-Pipelines und DevOps-Workflows einzubetten.

Warum Passwork die richtige Wahl für Unternehmenskontrolle ist

Passwork ist ein On-Premise-Passwort-Manager, der für Unternehmen entwickelt wurde, die volle Kontrolle über ihre Zugangsdaten benötigen. Jedes Datenelement bleibt innerhalb der unternehmenseigenen Infrastruktur, und Ihr Team ist in Minuten einsatzbereit, nicht in Wochen.

Passwörter erstellen und teilen ohne Reibungsverluste

Das meiste Zugangsdaten-Chaos beginnt nicht mit einer Sicherheitsverletzung. Es beginnt damit, dass ein Mitarbeiter ein Passwort in Slack einfügt, weil es keine schnellere Option gab. Passwork beseitigt diese Versuchung, indem der sichere Weg der einfache wird.

Passwörter speichern

Das Hinzufügen eines Passworts dauert Sekunden: Füllen Sie die Felder aus, fügen Sie Tags oder Farbmarkierungen zur schnellen Filterung hinzu und speichern Sie es im entsprechenden Ordner. Die Ordnerstruktur spiegelt wider, wie Teams tatsächlich arbeiten — organisiert nach Projekt, Umgebung, Abteilung oder Kunde. Mitarbeiter finden, was sie brauchen, über Suche oder Tags.

Zugriff teilen

Müssen Sie den Zugriff mit einem Kollegen oder einem ganzen Team teilen? Laden Sie sie zu einem gemeinsamen Ordner ein — sie erhalten Zugriff auf alle Zugangsdaten darin, mit der von Ihnen definierten Berechtigungsstufe. Für Einzelfälle senden Sie Zugangsdaten direkt an einen anderen Benutzer.

Onboarding und Offboarding

Wenn jemand einem Projekt beitritt, fügen Sie ihn zum Tresor oder Ordner hinzu. Wenn er das Unternehmen verlässt, markiert Passwork automatisch alle Zugangsdaten, auf die er Zugriff hatte, als potenziell kompromittiert und fordert das Team auf, sie zu rotieren.

Zugriff über Geräte und Workflows hinweg

Browser-Erweiterungen und Mobile Apps halten Passwörter geräteübergreifend zugänglich — das automatische Ausfüllen erledigt den Rest. Für DevOps-Teams bringen CLI und Python SDK denselben Zugriff direkt in Terminal-Workflows und Skripte.

Der On-Premise-Vorteil

Für Organisationen in Finanzwesen, Regierung, Gesundheitswesen und anderen regulierten Sektoren ist es eine zwingende Anforderung, Zugangsdaten innerhalb des Unternehmensperimeters zu halten — keine Präferenz. Passwork läuft auf den unternehmenseigenen Servern (Linux oder Windows, mit oder ohne Docker), verschlüsselt mit AES-256 auf Server- und Client-Seite. Die Zero-Knowledge-Architektur bedeutet, dass selbst das Passwork-Team keinen Zugriff auf Ihre Daten hat.

Passwork beseitigt diese Abhängigkeit vollständig. Die Anwendung läuft auf den unternehmenseigenen Servern (Linux oder Windows, mit oder ohne Docker), verschlüsselt mit AES-256 auf Server- und Client-Seite. Die Zero-Knowledge-Architektur bedeutet, dass selbst das Passwork-Team keinen Zugriff auf Ihre Daten hat.

Wichtige Funktionen für IT- und Sicherheitsteams

• LDAP/AD-Integration und SAML SSO — synchronisieren Sie Benutzer und Gruppen aus Ihrem Verzeichnisdienst; authentifizieren Sie sich über Ihren bestehenden Identity-Provider.
• Rollenbasierte Zugriffskontrolle — granulare Berechtigungen auf Benutzer- und Gruppenebene; benutzerdefinierte Tresortypen mit automatischer Administratorzuweisung.
• Vollständiges Audit-Log — jede Aktion im System wird protokolliert und ist auswertbar, was SOC 2, ISO 27001 und interne Sicherheitsrichtlinien unterstützt.
• Secrets Management — speichern Sie API-Schlüssel, Zugriffs-Token, Datenbankzugangsdaten, SSH-Schlüssel, TLS-Zertifikate und Service-Account-Zugangsdaten zusammen mit Benutzerpasswörtern in einem einheitlichen Tresor.
• Passwort-Sicherheits-Dashboard — markiert schwache, wiederverwendete, veraltete und kompromittierte Zugangsdaten in der gesamten Organisation.
• Prüfbarer Quellcode — Organisationen können ihr eigenes Sicherheitsaudit des Passwork-Quellcodes durchführen, um vor der Bereitstellung zu überprüfen, dass keine Schwachstellen vorhanden sind.

Passwork besitzt die ISO/IEC 27001-Zertifizierung, die einen systematischen, geprüften Ansatz für das Informationssicherheitsmanagement bestätigt.

Fazit

Passwort-Chaos ist eine finanzielle und sicherheitstechnische Belastung — und eine vollständig vermeidbare. Das 70-$-Reset-Ticket, die 4,44-Millionen-Dollar-Sicherheitsverletzung, das Audit, das offenbart, dass niemand weiß, wer auf was Zugriff hatte: Nichts davon ist unvermeidlich. Es sind die vorhersehbaren Folgen davon, Zugangsdaten als Nebensache zu behandeln.

Das Muster ist über Organisationen jeder Größe hinweg konsistent. Passwörter werden über die falschen Kanäle geteilt. Richtlinien werden inkonsistent durchgesetzt. Zugriffsrechte sammeln sich im Laufe der Zeit an und werden nie bereinigt. Jemand geht, und niemand rotiert die Zugangsdaten, die er berührt hat. Jede Lücke ist für sich klein. Zusammen schaffen sie die Bedingungen für eine Sicherheitsverletzung — oder ein Compliance-Versagen, das genauso kostspielig ist.

Die Lösung ist eine strukturelle Änderung: zentralisierte Speicherung, definierter Zugriff, ein vollständiger Audit-Trail und ein Prozess, der die sichere Option zur Standardoption macht — nicht zur unbequemen.

Passwork ist darauf ausgelegt, diese Änderung unkompliziert zu machen. Ob Sie in Ihrer eigenen Infrastruktur oder in der Cloud bereitstellen, Ihr Team erhält einen strukturierten Tresor, rollenbasierten Zugriff und die Transparenz, um genau zu wissen, wer auf was zugreifen kann — bevor etwas schiefgeht.

Bereit, die Zugangsdaten-Ausbreitung durch strukturierte Kontrolle zu ersetzen? Testen Sie Passwork in Ihrer eigenen Infrastruktur — unser Team unterstützt Sie bei Installation und Konfiguration. Kostenlose Demo anfordern

FAQ: das Zugangsdaten-Chaos bändigen

Wie verwaltet man Passwörter für ein Team, ohne sie unsicher zu teilen?

Verwenden Sie einen zentralisierten Passwort-Manager mit rollenbasierter Zugriffskontrolle. Jedes Teammitglied greift nur auf die Zugangsdaten zu, die seiner Rolle zugewiesen sind — kein direktes Teilen erforderlich. Gemeinsame Tresore mit granularen Berechtigungen ersetzen Tabellen und Chat-basierte Zugangsdaten-Verteilung. Wenn jemand geht, wird sein Zugriff widerrufen und betroffene Zugangsdaten werden automatisch zur Rotation markiert.

Ist es sicher, Geschäftspasswörter in einem Browser zu speichern?

Nein. Im Browser gespeicherte Passwörter bieten keine Zugriffskontrolle, keinen Audit-Trail und keine Verschlüsselung über das eigene Sicherheitsmodell des Browsers hinaus. Sie synchronisieren sich über Geräte hinweg durch Cloud-Konten, die möglicherweise nicht den Sicherheitsstandards von Unternehmen entsprechen. Eine Browser-Kompromittierung legt alle gespeicherten Zugangsdaten gleichzeitig offen.

Was ist Credential Stuffing und wie verhindert ein Passwort-Manager es?

Credential Stuffing ist ein Angriff, bei dem gestohlene Benutzername/Passwort-Paare aus einer Sicherheitsverletzung automatisch bei anderen Diensten getestet werden. Er ist erfolgreich wegen Passwort-Wiederverwendung. Ein Passwort-Manager generiert und speichert einzigartige, starke Zugangsdaten für jedes Konto und eliminiert die Wiederverwendung, die Credential Stuffing effektiv macht. Kombiniert mit MFA wird der primäre Angriffsvektor eliminiert.

Wie unterstützt ein Passwort-Manager die DSGVO- und SOC-2-Compliance?

Ein Passwort-Manager mit vollständigem Audit-Log, RBAC und On-Premise-Bereitstellung unterstützt Compliance-Anforderungen direkt. Die DSGVO erfordert nachweisbare Kontrolle darüber, wer auf personenbezogene Daten zugreift. SOC 2 erfordert Nachweise für Zugriffsmanagement und Überwachung. Ein Audit-Log mit Aktivitätsverfolgung auf Benutzerebene liefert die Dokumentation, die Prüfer benötigen — und die Transparenz, die Sicherheitsteams brauchen, um auf Anomalien zu reagieren.

Was passiert mit gemeinsamen Zugangsdaten, wenn ein Mitarbeiter geht?

Bei Passwork löst das Offboarding einen sofortigen Zugriffsentzug aus. Das System identifiziert alle Zugangsdaten, auf die der ausscheidende Mitarbeiter Zugriff hatte, und markiert sie als potenziell kompromittiert, was das Team zur Rotation auffordert. Ohne ein zentralisiertes System ist dieser Prozess manuell, fehleranfällig und oft unvollständig.

Macht ein Passwort-Manager MFA überflüssig?

Nein — und das sollte er auch nicht. Ein Passwort-Manager sichert die Speicherung und den Zugriff auf Zugangsdaten; MFA sichert die Authentifizierung. Sie adressieren unterschiedliche Angriffsflächen. Ein starkes, einzigartiges Passwort verhindert Credential Stuffing; MFA verhindert unbefugten Zugriff, selbst wenn ein Passwort kompromittiert wurde. Die beiden Kontrollen ergänzen sich, sind aber nicht austauschbar.

Wie lange dauert es, einen Passwort-Manager in einer Organisation bereitzustellen?

Eine selbstgehostete Lösung wie Passwork kann auf bestehender Infrastruktur — Linux oder Windows, mit oder ohne Docker — in unter einer Stunde bereitgestellt werden. LDAP- und Active-Directory-Integration synchronisiert Benutzer und Gruppen automatisch, sodass keine manuelle Bereitstellung von Konten erforderlich ist. Die meisten Teams sind innerhalb eines Tages nach der Bereitstellung voll einsatzbereit.

Was ist Passwort-Wiederverwendung und warum ist es ein großes Sicherheitsrisiko?

Passwort-Wiederverwendung gefährdet 88 % der Sicherheitsverletzungen. Erfahren Sie, warum die Verwendung desselben Passworts für mehrere Konten gefährlich ist und wie Sie diese Gewohnheit heute noch ablegen.

Passwork BlogEirik Salmi

Passwork 7.6 Release: Service-Accounts

Das neueste Passwork-Release fügt Service-Accounts mit Multi-Token-API-Unterstützung, gespeicherte Filter, mobile Web-UI und automatische Papierkorb-Bereinigung hinzu. Sehen Sie, was sich geändert hat.

Passwork BlogEirik Salmi

Ist passwortlose Authentifizierung nach NIS2 für Compliance erforderlich?

NIS2 Artikel 21(2)(j) schreibt MFA „wo angemessen" vor — nicht standardmäßig passwortlos. Erfahren Sie, was die ENISA-Richtlinien tatsächlich erfordern, wie Prüfer Ihre Implementierung bewerten und wie Sie eine vertretbare hybride Compliance-Position für 2026 aufbauen.

Passwork BlogAlex Muntyan

Introducción

Es lunes por la mañana. Un desarrollador no puede iniciar sesión en la base de datos de producción. La contraseña se rotó la semana pasada, la actualización nunca llegó a la hoja de cálculo compartida y el sistema está caído. Alguien abre un ticket de soporte. Los ingenieros de TI dejan lo que están haciendo. Cuarenta minutos después, la crisis está resuelta.

La factura: $70 — un ticket, un ingeniero, un desarrollador frustrado que no produjo nada durante la mayor parte de una hora.

Multiplique esto por cada credencial olvidada, expirada o mal comunicada en toda su organización, y el caos de contraseñas deja de ser una molestia de TI para convertirse en un problema de balance financiero.

Y el ticket es solo la parte visible. No cuenta el contexto perdido del desarrollador tras una mañana interrumpida, el despliegue que se retrasó o la llamada con el cliente que se pospuso. Se filtra silenciosamente, en todos los equipos, durante todo el año.

El caos de contraseñas es la dispersión desorganizada, insegura y costosa de credenciales en una organización — sin gestionar, duplicadas y compartidas a través de canales inseguros. Según el Informe de Investigaciones de Brechas de Datos de Verizon, las contraseñas comprometidas estuvieron involucradas en el 28% de todas las brechas de datos en 2025. La exposición financiera es real: el coste promedio global de una brecha de datos alcanzó los $4.44 millones en 2025 (IBM).

Este artículo analiza por qué el caos de contraseñas persiste a pesar de las políticas de seguridad, qué cuesta realmente en términos de seguridad, productividad y cumplimiento — y cómo solucionarlo de forma estructural, no solo sintomática.

Puntos clave

• Las contraseñas comprometidas están detrás de la mayoría de las brechas — no exploits sofisticados, sino credenciales reutilizadas, compartidas descuidadamente o nunca rotadas.
• Los problemas relacionados con contraseñas consumen una parte desproporcionada de la capacidad de TI — restablecimientos, bloqueos y solicitudes de acceso que no deberían existir en primer lugar.
• Las políticas de contraseñas heredadas empeoran el problema, no lo mejoran — la rotación forzada y las reglas de complejidad impulsan soluciones alternativas que reducen la seguridad real.
• Las credenciales no gestionadas hacen que las auditorías de cumplimiento sean casi imposibles — sin un registro de auditoría centralizado, no hay forma de demostrar quién tuvo acceso a qué.
• La solución es estructural — almacenamiento centralizado, control de acceso basado en roles y un proceso claro de desvinculación eliminan las causas raíz, no solo los síntomas.

Por qué el caos de contraseñas es un asesino silencioso de empresas

El caos de contraseñas es la dispersión descontrolada de credenciales en una organización — almacenadas en hojas de cálculo, compartidas por chat, duplicadas en múltiples sistemas y gestionadas sin un proceso consistente. Es una condición que se agrava con el tiempo, creando exposición simultánea en seguridad, productividad y cumplimiento.

Riesgos de seguridad

Las credenciales no gestionadas no permanecen contenidas. Se dispersan, se debilitan y son explotadas:

• La fatiga de contraseñas impulsa la reutilización. Cuando los empleados gestionan docenas de cuentas, recurren a credenciales familiares y débiles — a menudo la misma contraseña en múltiples sistemas.
• La reutilización permite el credential stuffing a gran escala. Los atacantes toman pares de nombre de usuario y contraseña filtrados de una brecha y automatizan intentos de inicio de sesión en cientos de otros servicios. La investigación de Verizon confirma que las credenciales robadas están vinculadas al 86% de las brechas de seguridad que involucran aplicaciones basadas en web.
• Las credenciales compartidas en canales no controlados crean exposición permanente. Una vez que una contraseña sale de un sistema seguro — vía Slack, correo electrónico o una hoja de cálculo — no hay registro de auditoría ni mecanismo de revocación. Existe en algún lugar que no se puede ver ni controlar.

Riesgos de productividad y operacionales

• El 40% de todas las llamadas al servicio de soporte están relacionadas con contraseñas (Gartner). Eso representa una parte significativa de la capacidad de TI absorbida por un problema con una causa raíz conocida y solucionable.
• Cuando se bloquea el acceso, el trabajo se detiene. El coste indirecto de un ingeniero o analista esperando un restablecimiento — contexto perdido, despliegues retrasados, plazos pospuestos — se suma al coste directo del ticket en sí.
• Las soluciones alternativas se convierten en elementos permanentes. Cuentas compartidas temporales, contraseñas guardadas en el navegador y mensajes fijados en Slack comienzan como atajos y terminan como puntos de acceso no rastreados.

Riesgos de cumplimiento

La dispersión de credenciales hace que el cumplimiento normativo sea más difícil de demostrar y más fácil de incumplir:

• Las credenciales no gestionadas hacen imposible demostrar el control de acceso bajo GDPR, NIS2, SOC 2, HIPAA o ISO 27001. Los auditores no aceptan «creemos que el acceso estaba limitado» — requieren evidencia.
• Sin un registro de auditoría centralizado, no hay constancia de quién tuvo acceso a qué y cuándo. Esa brecha es tanto un fallo de cumplimiento como un punto ciego forense durante la respuesta a incidentes.
• La desvinculación sin rotación de credenciales deja el acceso abierto indefinidamente. Exempleados, contratistas y proveedores mantienen acceso a los sistemas mucho después de que termine su compromiso.

El efecto acumulativo

Cada dimensión de riesgo amplifica las otras. Una contraseña reutilizada se convierte en un vector de credential stuffing. Una credencial comprometida elude los controles de acceso. Un control eludido no deja rastro de auditoría. Para cuando se detecta la brecha, el daño ya está hecho. El caos de contraseñas es una condición sistémica que requiere una respuesta sistémica.

El caos de contraseñas en la práctica

El caos de contraseñas rara vez se anuncia como un evento de seguridad. Parece un martes rutinario.

Una empresa SaaS mediana ejecuta su infraestructura en AWS, tres herramientas internas, un CRM y un entorno de staging compartido por el equipo de desarrollo. Las credenciales se gestionan como siempre se ha hecho: una hoja de cálculo compartida en Google Drive, algunas entradas fijadas en un canal de Slack del equipo y un puñado de contraseñas que existen solo en la memoria de un ingeniero senior.

Así es como se ve:

• Semana 1. Un nuevo contratista se une al equipo de backend. Alguien comparte la contraseña de la base de datos de staging por mensaje directo de Slack. El contratista termina su compromiso seis semanas después. Nadie rota la credencial. Sigue siendo válida.
• Semana 3. El proveedor del CRM fuerza un restablecimiento de contraseña. El líder del equipo actualiza la hoja de cálculo. Dos desarrolladores se pierden la actualización por completo y pasan la mayor parte de una mañana solucionando lo que asumen es un problema de API. Se retrasa un lanzamiento.
• Semana 5. Un ingeniero senior toma dos semanas de vacaciones. Tres sistemas necesitan acceso durante ese tiempo. Alguien encuentra una solución alternativa: se crea una segunda cuenta con derechos de administrador. No se eliminará durante cuatro meses.
• Semana 7. Un desarrollador deja la empresa. RRHH notifica a TI. TI desactiva la cuenta de Active Directory. Nadie verifica a qué credenciales compartidas tenía acceso el desarrollador — el entorno de staging, la cuenta de prueba de AWS, la herramienta de monitorización interna. Las tres siguen siendo accesibles con esas credenciales.
• Semana 9. Una auditoría de TI señala la hoja de cálculo compartida de Google Drive como una brecha de cumplimiento antes de una revisión de SOC 2. El equipo de seguridad pasa tres días mapeando manualmente quién tuvo acceso a qué credenciales, cuándo y si alguna ha sido rotada desde la última salida de un empleado. Varias no lo han sido.
• Semana 10. Un ataque de phishing compromete la cuenta de Google de un empleado. El atacante ahora tiene acceso de lectura a la hoja de cálculo de credenciales. El equipo no lo sabe durante 19 días.

La mayoría de los eventos anteriores tenían una explicación razonable: un contratista necesitaba acceso, alguien estaba de vacaciones. La semana 10 es donde esas explicaciones se agotan. También es completamente predecible — cada brecha que se acumuló durante las nueve semanas anteriores seguía abierta cuando llegó el atacante.

El caos no se construye dramáticamente. Se acumula silenciosamente, una solución alternativa a la vez.

El caos de contraseñas cuesta más de lo que la mayoría de los equipos creen. Passwork ofrece a los equipos de TI una bóveda estructurada con acceso basado en roles y un registro de auditoría completo — desplegado completamente dentro de su propia infraestructura. Vea cómo funciona

Por qué las políticas tradicionales de contraseñas están fallando en 2026

Las políticas de contraseñas heredadas fueron diseñadas para un modelo de amenazas diferente. Rotación obligatoria cada 30 días, reglas de complejidad que requieren símbolos y números, y prohibición de reutilización — estas reglas tenían buenas intenciones, pero se ha demostrado que aumentan el riesgo en lugar de reducirlo.

Las directrices actuales de NIST (SP 800-63B) recomiendan explícitamente no realizar cambios periódicos obligatorios de contraseñas a menos que haya evidencia de compromiso. La rotación forzada conduce a patrones predecibles: Password1! se convierte en Password2! en el siguiente ciclo. Los usuarios anotan las contraseñas. La reutilización aumenta.

El resultado de las políticas obsoletas: los empleados las eluden, la seguridad se debilita y los equipos de TI pasan tiempo aplicando reglas que no reducen el riesgo real.

Cómo solucionar el caos de contraseñas definitivamente: el plan de 4 pasos

Solucionar el caos de contraseñas requiere un enfoque estructurado y un cambio deliberado en cómo se crean, almacenan, comparten y revocan las credenciales en toda la organización.

1. Audite su panorama actual de credenciales

Mapee cada sistema, aplicación y cuenta compartida. Identifique las credenciales almacenadas fuera de una bóveda segura: hojas de cálculo, hilos de correo electrónico, registros de chat, contraseñas guardadas en el navegador. Cuantifique la exposición antes de intentar solucionarla.

2. Centralice en una bóveda segura

Mueva todas las credenciales a un gestor de contraseñas centralizado con almacenamiento cifrado. Para organizaciones en industrias reguladas o con requisitos estrictos de residencia de datos, un despliegue on-premise o autoalojado mantiene todos los datos dentro del perímetro de la empresa — sin dependencia de la nube de terceros.

3. Aplique control de acceso con RBAC

El control de acceso basado en roles (RBAC) garantiza que los empleados accedan solo a las credenciales que su rol requiere. Cuando alguien deja la organización, el acceso se revoca inmediatamente — y el sistema marca todas las credenciales a las que tenía acceso para rotación.

4. Automatice con MFA e integraciones

Requiera autenticación multifactor (MFA) para el acceso a la bóveda. Integre con su servicio de directorio existente vía LDAP o Active Directory para sincronizar usuarios y grupos automáticamente. Use el acceso API para integrar la gestión de credenciales en pipelines CI/CD y flujos de trabajo DevOps.

Por qué Passwork es la opción adecuada para el control empresarial

Passwork es un gestor de contraseñas on-premise diseñado para empresas que requieren control total sobre sus datos de credenciales. Cada dato permanece dentro de la propia infraestructura de la empresa y poner en marcha a su equipo lleva minutos, no semanas.

Crear y compartir contraseñas sin fricción

La mayoría del caos de credenciales no comienza con una brecha. Comienza con un empleado pegando una contraseña en Slack porque no había una opción más rápida. Passwork elimina esa tentación haciendo que el camino seguro sea el fácil.

Almacenar contraseñas

Añadir una contraseña lleva segundos: complete los campos, adjunte etiquetas o etiquetas de color para un filtrado rápido y guárdela en la carpeta correspondiente. La estructura de carpetas refleja cómo trabajan realmente los equipos — organizado por proyecto, entorno, departamento o cliente. Los empleados encuentran lo que necesitan mediante búsqueda o etiquetas.

Compartir acceso

¿Necesita compartir acceso con un colega o un equipo completo? Invítelos a una carpeta compartida — obtienen acceso a todas las credenciales dentro de ella, al nivel de permiso que usted defina. Para casos puntuales, envíe una credencial directamente a otro usuario.

Incorporación y desvinculación

Cuando alguien se une a un proyecto, añádalo a la bóveda o carpeta. Cuando deja la empresa, Passwork marca automáticamente cada credencial a la que tenía acceso como potencialmente comprometida y solicita al equipo que las rote.

Acceso en dispositivos y flujos de trabajo

Las extensiones de navegador y las aplicaciones móviles mantienen las contraseñas accesibles en todos los dispositivos — el autocompletado se encarga del resto. Para los equipos de DevOps, la CLI y el SDK de Python llevan el mismo acceso directamente a los flujos de trabajo de terminal y scripts.

La ventaja on-premise

Para organizaciones en finanzas, gobierno, salud y otros sectores regulados, mantener los datos de credenciales dentro del perímetro de la empresa es un requisito estricto — no una preferencia. Passwork se ejecuta en los propios servidores de la organización (Linux o Windows, con o sin Docker), cifrado con AES-256 tanto en el lado del servidor como del cliente. La arquitectura de conocimiento cero significa que ni siquiera el propio equipo de Passwork puede acceder a sus datos.

Passwork elimina esa dependencia por completo. La aplicación se ejecuta en los propios servidores de la organización (Linux o Windows, con o sin Docker), cifrada con AES-256 tanto en el lado del servidor como del cliente. La arquitectura de conocimiento cero significa que ni siquiera el propio equipo de Passwork puede acceder a sus datos.

Capacidades clave para equipos de TI y seguridad

• Integración LDAP/AD y SAML SSO — sincronice usuarios y grupos desde su servicio de directorio; autentique a través de su proveedor de identidad existente.
• Control de acceso basado en roles — permisos granulares a nivel de usuario y grupo; tipos de bóveda personalizados con asignación automática de administrador.
• Registro de auditoría completo — cada acción dentro del sistema se registra y es reportable, cumpliendo con los requisitos de SOC 2, ISO 27001 y políticas de seguridad internas.
• Gestión de secretos — almacene claves API, tokens de acceso, credenciales de bases de datos, claves SSH, certificados TLS y credenciales de cuentas de servicio junto con las contraseñas de usuario en una bóveda unificada.
• Panel de seguridad de contraseñas — marca credenciales débiles, reutilizadas, desactualizadas y comprometidas en toda la organización.
• Código fuente auditable — las organizaciones pueden realizar su propia auditoría de seguridad del código base de Passwork para verificar que no hay vulnerabilidades antes del despliegue.

Passwork cuenta con certificación ISO/IEC 27001, confirmando un enfoque sistemático y auditado de la gestión de seguridad de la información.

Conclusión

El caos de contraseñas es una responsabilidad financiera y de seguridad — y completamente prevenible. El ticket de restablecimiento de $70, la brecha de $4.44 millones, la auditoría que revela que nadie sabe quién tuvo acceso a qué: nada de esto es inevitable. Son el resultado predecible de tratar las credenciales como algo secundario.

El patrón es consistente en organizaciones de todos los tamaños. Las contraseñas se comparten a través de canales incorrectos. Las políticas se aplican de manera inconsistente. El acceso se acumula con el tiempo y nunca se limpia. Alguien se va, y nadie rota las credenciales que tocó. Cada brecha es pequeña por sí sola. Juntas, crean las condiciones para una violación — o un fallo de cumplimiento igual de costoso.

La solución es un cambio estructural: almacenamiento centralizado, acceso definido, un registro de auditoría completo y un proceso que haga que la opción segura sea la predeterminada — no la inconveniente.

Passwork está diseñado para hacer ese cambio sencillo. Ya sea que despliegue en su propia infraestructura o en la nube, su equipo obtiene una bóveda estructurada, acceso basado en roles y la visibilidad para saber exactamente quién puede acceder a qué — antes de que algo salga mal.

¿Listo para reemplazar la dispersión de credenciales con un control estructurado? Pruebe Passwork en su propia infraestructura — nuestro equipo le asistirá con la instalación y configuración. Solicite una demostración gratuita

FAQ: domando el caos de credenciales

¿Cómo se gestionan las contraseñas de un equipo sin compartirlas de forma insegura?

Use un gestor de contraseñas centralizado con control de acceso basado en roles. Cada miembro del equipo accede solo a las credenciales asignadas a su rol — sin necesidad de compartir directamente. Las bóvedas compartidas con permisos granulares reemplazan las hojas de cálculo y la distribución de credenciales basada en chat. Cuando alguien se va, su acceso se revoca y las credenciales afectadas se marcan para rotación automáticamente.

¿Es seguro almacenar contraseñas empresariales en un navegador?

No. Las contraseñas almacenadas en el navegador no ofrecen control de acceso, ni registro de auditoría, ni cifrado más allá del propio modelo de seguridad del navegador. Se sincronizan entre dispositivos a través de cuentas en la nube que pueden no cumplir con los estándares de seguridad empresarial. Un compromiso del navegador expone todas las credenciales guardadas simultáneamente.

¿Qué es el credential stuffing y cómo lo previene un gestor de contraseñas?

El credential stuffing es un ataque donde los pares de nombre de usuario/contraseña robados de una brecha se prueban automáticamente en otros servicios. Tiene éxito debido a la reutilización de contraseñas. Un gestor de contraseñas genera y almacena credenciales únicas y fuertes para cada cuenta, eliminando la reutilización que hace efectivo el credential stuffing. Combinado con MFA, elimina el vector de ataque principal.

¿Cómo apoya un gestor de contraseñas el cumplimiento de GDPR y SOC 2?

Un gestor de contraseñas con registro de auditoría completo, RBAC y despliegue on-premise apoya directamente los requisitos de cumplimiento. GDPR requiere control demostrable sobre quién accede a los datos personales. SOC 2 requiere evidencia de gestión y monitorización del acceso. Un registro de auditoría con seguimiento de actividad a nivel de usuario proporciona la documentación que los auditores necesitan — y la visibilidad que los equipos de seguridad necesitan para actuar ante anomalías.

¿Qué sucede con las credenciales compartidas cuando un empleado se va?

En Passwork, la desvinculación activa una revocación inmediata del acceso. El sistema identifica todas las credenciales a las que el empleado saliente tenía acceso y las marca como potencialmente comprometidas, solicitando al equipo que las rote. Sin un sistema centralizado, este proceso es manual, propenso a errores y a menudo incompleto.

¿Un gestor de contraseñas elimina la necesidad de MFA?

No — y no debería. Un gestor de contraseñas asegura el almacenamiento y acceso de credenciales; MFA asegura la autenticación. Abordan superficies de ataque diferentes. Una contraseña fuerte y única previene el credential stuffing; MFA previene el acceso no autorizado incluso cuando una contraseña está comprometida. Los dos controles son complementarios, no intercambiables.

¿Cuánto tiempo lleva desplegar un gestor de contraseñas en toda una organización?

Una solución autoalojada como Passwork puede desplegarse en la infraestructura existente — Linux o Windows, con o sin Docker — en menos de una hora. La integración con LDAP y Active Directory sincroniza usuarios y grupos automáticamente, por lo que no es necesario aprovisionar cuentas manualmente. La mayoría de los equipos están completamente operativos en un día desde el despliegue.

What is password reuse and why is it a major security risk?

Password reuse puts 88% of breaches at risk. Learn why using the same password across accounts is dangerous and how to break the habit today.

Passwork BlogEirik Salmi

Passwork 7.6 release: Service accounts

The latest Passwork release adds service accounts with multi-token API support, saved filters, mobile web UI, and automatic Bin cleanup. See what changed.

Passwork BlogEirik Salmi

Is NIS2 passwordless authentication required for compliance?

NIS2 Article 21(2)(j) mandates MFA "where appropriate" — not passwordless by default. Learn what ENISA guidance actually requires, how auditors evaluate your implementation, and how to build a defensible hybrid compliance posture for 2026.

Passwork BlogAlex Muntyan

Introduction

It's Monday morning. A developer can't log in to the production database. The password was rotated last week, the update never reached the shared spreadsheet, and the system is down. Someone opens a help desk ticket. IT engineers drops what they're doing. Forty minutes later, the crisis is resolved.

The bill: $70 — one ticket, one engineer, one frustrated developer who produced nothing for the better part of an hour.

Multiply that by every forgotten, expired, or miscommunicated credential across your organization, and password chaos stops being an IT annoyance and starts looking like a balance sheet problem.

And the ticket is just the visible part. It doesn't count the developer's lost context after an interrupted morning, the deployment that slipped, or the client call that got pushed. It bleeds quietly, across every team, all year long.

Password chaos is the disorganized, insecure, and costly sprawl of credentials across an organization — unmanaged, duplicated, and shared through unsafe channels. According to the Verizon Data Breach Investigations Report, compromised passwords were involved in 28% of all data breaches in 2025. The financial exposure is real: the global average cost of a data breach reached $4.44 million in 2025, (IBM).

This article breaks down why password chaos persists despite security policies, what it actually costs across security, productivity, and compliance — and how to fix it structurally, not just symptomatically.

Key takeaways

• Compromised passwords are behind the majority of breaches — not sophisticated exploits, but credentials that were reused, shared carelessly, or never rotated.
• Password-related issues consume a disproportionate share of IT capacity — resets, lockouts, and access requests that shouldn't exist in the first place.
• Legacy password policies make the problem worse, not better — forced rotation and complexity rules drive workarounds that reduce actual security.
• Unmanaged credentials make compliance audits nearly impossible — without a centralized audit log, there's no way to prove who had access to what.
• The fix is structural — centralized storage, role-based access control, and a clear offboarding process eliminate the root causes, not just the symptoms.

Why password chaos is a silent business killer

Password chaos is the uncontrolled sprawl of credentials across an organization — stored in spreadsheets, shared over chat, duplicated across systems, and managed without a consistent process. It's a condition that compounds over time, creating simultaneous exposure across security, productivity, and compliance.

Security risks

Unmanaged credentials don't stay contained. They spread, weaken, and get exploited:

• Password fatigue drives reuse. When employees manage dozens of accounts, they default to familiar, weak credentials — often the same password across multiple systems.
• Reuse enables credential stuffing at scale. Attackers take leaked username and password pairs from one breach and automate login attempts across hundreds of other services. Verizon's research confirms that stolen credentials are tied to 86% of security breaches involving web-based applications.
• Shared credentials in uncontrolled channels create permanent exposure. Once a password leaves a secure system — via Slack, email, or a spreadsheet — there's no audit trail and no revocation mechanism. It exists somewhere you can't see or control.

Productivity and operational risks

• 40% of all help desk calls are password-related (Gartner). That's a significant share of IT capacity absorbed by a problem with a known, solvable root cause.
• When access is blocked, work stops. The downstream cost of an engineer or analyst waiting for a reset — lost context, delayed deployments, pushed deadlines — compounds the direct cost of the ticket itself.
• Workarounds become permanent fixtures. Temporary shared accounts, browser-saved passwords, and pinned Slack messages start as shortcuts and end as untracked access points.

Compliance risks

Credential sprawl makes regulatory compliance harder to demonstrate and easier to fail:

• Unmanaged credentials make access control impossible to prove under GDPR, NIS2, SOC 2, HIPAA, or ISO 27001. Auditors don't accept "we think access was limited" — they require evidence.
• Without a centralized audit log, there's no record of who had access to what and when. That gap is both a compliance failure and a forensic blind spot during incident response.
• Offboarding without credential rotation leaves access open indefinitely. Former employees, contractors, and vendors retain access to systems long after their engagement ends.

The compounding effect

Each risk dimension amplifies the others. A reused password becomes a credential stuffing vector. A stuffed credential bypasses access controls. A bypassed control leaves no audit trail. By the time the breach is detected the damage is already done. Password chaos is a systemic condition that requires a systemic response.

Password chaos in practice

Password chaos rarely announces itself as a security event. It looks like a routine Tuesday.

A mid-size SaaS company runs its infrastructure across AWS, three internal tools, a CRM, and a staging environment shared by the dev team. Credentials are managed the way they always have been: a shared spreadsheet on Google Drive, a few pinned entries in a team Slack channel, and a handful of passwords that exist only in one senior engineer's memory.

Here's what it looks like:

• Week 1. A new contractor joins the backend team. Someone shares the staging database password over Slack DM. The contractor finishes the engagement six weeks later. No one rotates the credential. It stays valid.
• Week 3. The CRM vendor forces a password reset. The team lead updates the spreadsheet. Two developers miss the update entirely and spend the better part of a morning troubleshooting what they assume is an API issue. A release gets pushed.
• Week 5. A senior engineer takes two weeks of leave. Three systems need access during that time. Someone finds a workaround: a second account gets created with admin rights. It won't be removed for four months.
• Week 7. A developer leaves the company. HR notifies IT. IT disables the Active Directory account. Nobody checks which shared credentials the developer had access to — the staging environment, the AWS test account, the internal monitoring tool. All three remain accessible under those credentials.
• Week 9. An IT audit flags the shared Google Drive spreadsheet as a compliance gap ahead of a SOC 2 review. The security team spends three days manually mapping who had access to which credentials, when, and whether any have been rotated since the last employee departure. Several haven't.
• Week 10. A phishing attack compromises one employee's Google account. The attacker now has read access to the credential spreadsheet. The team doesn't know this for 19 days.

Most of the earlier events had a reasonable explanation: a contractor needed access, someone was on leave. Week 10 is where those explanations run out. It's also entirely predictable — every gap that accumulated over the previous nine weeks was still open when the attacker arrived.

The chaos doesn't build dramatically. It accumulates quietly, one workaround at a time.

Password chaos costs more than most teams realize. Passwork gives IT teams a structured vault with role-based access and a full audit log — deployed entirely within your own infrastructure. See how it works

Why traditional password policies are failing in 2026

Legacy password policies were designed for a different threat model. Mandatory 30-day rotation, complexity rules requiring symbols and numbers, and prohibition of reuse — these rules were well-intentioned, but they've been shown to increase risk rather than reduce it.

NIST's current guidelines (SP 800-63B) explicitly recommend against mandatory periodic password changes unless there's evidence of compromise. Forced rotation leads to predictable patterns: Password1! becomes Password2! on the next cycle. Users write passwords down. Reuse increases.

The result of outdated policies: employees work around them, security weakens, and IT teams spend time enforcing rules that don't reduce actual risk.

How to fix password chaos for good: the 4-step blueprint

Fixing password chaos requires a structured approach and a deliberate change to how credentials are created, stored, shared, and revoked across the organization.

1. Audit your current credential landscape

Map every system, application, and shared account. Identify credentials stored outside a secure vault: spreadsheets, email threads, chat logs, browser-saved passwords. Quantify exposure before attempting to fix it.

2. Centralize into a secure vault

Move all credentials into a centralized password manager with encrypted storage. For organizations in regulated industries or with strict data residency requirements, an on-premise or self-hosted deployment keeps all data within the company perimeter — no third-party cloud dependency.

3. Enforce access control with RBAC

Role-based access control (RBAC) ensures that employees access only the credentials their role requires. When someone leaves the organization, access is revoked immediately — and the system flags all credentials they had access to for rotation.

4. Automate with MFA and integrations

Require multi-factor authentication (MFA) for vault access. Integrate with your existing directory service via LDAP or Active Directory to synchronize users and groups automatically. Use API access to embed credential management into CI/CD pipelines and DevOps workflows.

Why Passwork is the right fit for enterprise control

Passwork is an on-premise password manager built for businesses that require full control over their credential data. Every piece of data stays within the company's own infrastructure and getting your team up and running takes minutes, not weeks.

Creating and sharing passwords without the friction

Most credential chaos doesn't start with a breach. It starts with an employee pasting a password into Slack because there was no faster option. Passwork removes that temptation by making the secure path the easy one.

Storing passwords

Adding a password takes seconds: fill in the fields, attach tags or color labels for quick filtering, and save it to the relevant folder. he folder structure mirrors how teams actually work — organized by project, environment, department, or client. Employees find what they need through search or tags.

Sharing access

Need to share access with a colleague or an entire team? Invite them to a shared folder — they get access to every credential inside it, at the permission level you define. For one-off cases, send a credential directly to another user.

Onboarding and offboarding

When someone joins a project, add them to the vault or folder. When they leave the company, Passwork automatically flags every credential they had access to as potentially compromised and prompts the team to rotate them.

Access across devices and workflows

Browser extensions and mobile apps keep passwords accessible across devices — autofill handles the rest. For DevOps teams, the CLI and Python SDK bring the same access directly into terminal workflows and scripts.

The on-premise advantage

For organizations in finance, government, healthcare, and other regulated sectors, keeping credential data within the company perimeter is a hard requirement — not a preference. Passwork runs on the organization's own servers (Linux or Windows, with or without Docker), encrypted with AES-256 on both server and client sides. Zero-knowledge architecture means that even Passwork's own team cannot access your data.

Passwork eliminates that dependency entirely. The application runs on the organization's own servers (Linux or Windows, with or without Docker), encrypted with AES-256 on both server and client sides. Zero-knowledge architecture means that even Passwork's own team cannot access your data.

Key capabilities for IT and security teams

• LDAP/AD integration and SAML SSO — synchronize users and groups from your directory service; authenticate through your existing identity provider.
• Role-based access control — granular permissions at the user and group level; custom vault types with automatic administrator assignment.
• Full audit log — every action within the system is logged and reportable, supporting SOC 2, ISO 27001, and internal security policy requirements.
• Secrets management — store API keys, access tokens, database credentials, SSH keys, TLS certificates, and service account credentials alongside user passwords in a unified vault.
• Password security dashboard — flags weak, reused, outdated, and compromised credentials across the entire organization.
• Auditable source code — organizations can conduct their own security audit of the Passwork codebase to verify there are no vulnerabilities before deployment.

Passwork holds ISO/IEC 27001 certification, confirming a systematic, audited approach to information security management.

Conclusion

Password chaos is a financial and security liability — and an entirely preventable one. The $70 reset ticket, the $4.44 million breach, the audit that reveals no one knows who had access to what: none of these are inevitable. They're the predictable outcome of treating credentials as an afterthought.

The pattern is consistent across organizations of every size. Passwords get shared through the wrong channels. Policies get enforced inconsistently. Access accumulates over time and never gets cleaned up. Someone leaves, and no one rotates the credentials they touched. Each gap is small on its own. Together, they create the conditions for a breach — or a compliance failure that's just as costly.

The fix is a structural change: centralized storage, defined access, a full audit trail, and a process that makes the secure option the default one — not the inconvenient one.

Passwork is built to make that change straightforward. Whether you deploy on your own infrastructure or in the cloud, your team gets a structured vault, role-based access, and the visibility to know exactly who can reach what — before something goes wrong.

Ready to replace credential sprawl with structured control? Try Passwork on your own infrastructure — our team will assist with installation and configuration. Request a free demo

FAQ: taming the credential chaos

How do you manage passwords for a team without sharing them insecurely?

Use a centralized password manager with role-based access control. Each team member accesses only the credentials assigned to their role — no direct sharing required. Shared vaults with granular permissions replace spreadsheets and chat-based credential distribution. When someone leaves, their access is revoked and affected credentials are flagged for rotation automatically.

Is it safe to store business passwords in a browser?

No. Browser-stored passwords offer no access control, no audit trail, and no encryption beyond the browser's own security model. They sync across devices through cloud accounts that may not meet enterprise security standards. A browser compromise exposes every saved credential simultaneously.

What is credential stuffing and how does a password manager prevent it?

Credential stuffing is an attack where stolen username/password pairs from one breach are automatically tested against other services. It succeeds because of password reuse. A password manager generates and stores unique, strong credentials for every account, eliminating the reuse that makes credential stuffing effective. Combined with MFA, it removes the primary attack vector.

How does a password manager support GDPR and SOC 2 compliance?

A password manager with a full audit log, RBAC, and on-premise deployment directly supports compliance requirements. GDPR requires demonstrable control over who accesses personal data. SOC 2 requires evidence of access management and monitoring. An audit log with user-level activity tracking provides the documentation auditors need — and the visibility security teams need to act on anomalies.

What happens to shared credentials when an employee leaves?

In Passwork offboarding triggers an immediate access revocation. The system identifies all credentials the departing employee had access to and marks them as potentially compromised, prompting the team to rotate them. Without a centralized system, this process is manual, error-prone, and often incomplete.

Does a password manager eliminate the need for MFA?

No — and it shouldn't. A password manager secures credential storage and access; MFA secures authentication. They address different attack surfaces. A strong, unique password prevents credential stuffing; MFA prevents unauthorized access even when a password is compromised. The two controls are complementary, not interchangeable.

How long does it take to deploy a password manager across an organization?

A self-hosted solution like Passwork can be deployed on existing infrastructure — Linux or Windows, with or without Docker — in under an hour. LDAP and Active Directory integration synchronizes users and groups automatically, so there's no need to provision accounts manually. Most teams are fully operational within a day of deployment.

What is password reuse and why is it a major security risk?

Password reuse puts 88% of breaches at risk. Learn why using the same password across accounts is dangerous and how to break the habit today.

Passwork BlogEirik Salmi

Passwork 7.6 release: Service accounts

The latest Passwork release adds service accounts with multi-token API support, saved filters, mobile web UI, and automatic Bin cleanup. See what changed.

Passwork BlogEirik Salmi

Is NIS2 passwordless authentication required for compliance?

NIS2 Article 21(2)(j) mandates MFA “where appropriate” — not passwordless by default. Learn what ENISA guidance actually requires, how auditors evaluate your implementation, and how to build a defensible hybrid compliance posture for 2026.

Passwork BlogAlex Muntyan

Password fatigue is real — and it's costing organizations more than they realize. Picture this: an employee sits down Monday morning, opens their laptop, and gets hit with a forced password reset prompt. They've already changed it twice this quarter. They type something like Summer2025!, click through, and move on. Your policy box is checked. Your security posture just got worse.

This isn't a user problem. It's a design problem. When password security feels like punishment, people route around it. Research confirms the pattern: a large-scale analysis of 19 billion passwords leaked between 2024 and 2025 found that 94% were reused or duplicated across multiple accounts — only 6% were unique.

Stolen credentials are now the initial access vector in 22% of all confirmed breaches, according to the 2025 Verizon Data Breach Investigations Report. Meanwhile, 40% of IT help desk calls are password-related, each reset costing an average of $70 in direct support time.

The good news: security that works with human behavior outperforms security that fights it. Here are five concrete strategies to shift your organization from password frustration to password culture.

1. Reframe your password policy around user experience

The single most impactful change most organizations can make costs nothing: update the policy itself.

Drop complexity theater, embrace length

NIST SP 800-63B Revision 4 (published July 2025) explicitly discourages mandatory complexity rules. The research behind this is straightforward: complexity rules produce predictable patterns. P@$$w0rd! is not a strong password. correct-horse-battery-staple is. NIST now recommends a minimum of 8 characters as a floor, encourages 15+ characters for single-factor authentication, and requires systems to accept up to 64 characters.

Introduce passphrases

A passphrase — three or four unrelated words strung together — is both easier to remember and harder to crack than a short complex string. Train users on this format and watch resistance drop. When people can actually remember their credentials, they stop writing them on sticky notes.

Kill arbitrary expiration

Forced rotation every 60 or 90 days is one of the biggest drivers of weak passwords. NIST SP 800-63B-4 is explicit: periodic rotation should not be required unless there is evidence of compromise. Move to a compromise-triggered model — check credentials against breach databases and prompt resets only when a credential is confirmed exposed.

Add real-time strength feedback

A password strength meter during creation gives users immediate, actionable guidance. It turns a compliance hurdle into a brief interaction. Small UX detail, measurable impact.

2. Make password managers effortless and essential

Only around 30% of internet users currently use a password manager. In an enterprise context, that gap represents thousands of credentials stored in browsers, spreadsheets, or memory — all of them vulnerable.

The case for enterprise password management goes beyond security. It's a productivity argument. When employees aren't hunting for credentials, resetting forgotten passwords, or waiting on IT support, they work faster.

Start at onboarding

The easiest time to establish a habit is before a competing habit exists. Integrate the password manager into day-one setup — alongside email configuration and VPN access. If it's part of the standard stack from the start, it's never an "extra step."

Get leadership to use it visibly

Adoption follows behavior, not mandates. When a CTO or IT director references the password manager in a team meeting, or a security officer shares a vault item during a workflow, it signals that this is how the organization actually operates.

Expand the use case

Password managers aren't just for login credentials. Secure storage for Wi-Fi passwords, software license keys, API tokens, and shared service accounts makes the tool genuinely useful — not just a compliance checkbox. The broader the utility, the stronger the adoption.

Passwork is built specifically for this context: team-based credential management with role-based access, audit logs, and the ability to share secrets securely across departments without exposing them in email or chat.

3. Gamify security training and celebrate success

Most IT managers identify employee motivation as the biggest obstacle to implementing security protocols. Security leaders consistently point to a lack of accountability as the top barrier to engagement in training programs. Traditional compliance training — annual video modules, checkbox quizzes — doesn't move either needle.

Use game mechanics deliberately

Points, badges, team leaderboards, and progress tracking tap into the same psychological drivers as any well-designed app. When security training feels like a game rather than a chore, completion rates and retention both improve. Several platforms now offer this natively; the investment is modest compared to the cost of a single phishing incident.

Reframe phishing simulations

The standard approach — send a fake phishing email, shame the people who click — creates anxiety without building skill. A better model: when someone clicks, give them immediate, non-punitive feedback explaining exactly what the red flags were. Pair it with a short interactive lesson. Turn the failure into a learning moment rather than a gotcha.

Build a security champion network

Identify engaged employees across departments — not just IT — and give them a formal role as security advocates. They answer peer questions, surface concerns early, and extend your security team's reach without adding headcount. People take advice from colleagues they trust more readily than from policy documents.

Recognize good behavior publicly

When a team member reports a suspicious email, flags a potential breach, or completes advanced security training, acknowledge it. A brief mention in a team meeting or an internal channel costs nothing and reinforces the behavior you want to see more of.

4. Personalize security and make it relevant

Generic security messaging lands with generic results. The more relevant the training, the more it sticks.

Connect work habits to personal protection

Most employees don't compartmentalize their digital behavior perfectly. The password habits they develop at work carry over to personal accounts — and vice versa. Frame security training as something that protects their own data, their families, and their finances. Self-interest is a stronger motivator than corporate policy.

Tailor training by role

A finance team member faces different threats than a developer or a customer support agent. Role-based training that addresses the specific risks and access patterns of each group is more credible and more actionable than one-size-fits-all modules. It also signals that the organization has thought carefully about the actual threat landscape rather than just checking a compliance box.

Use real stories, not abstract statistics

"Credential stuffing attacks increased 45% year-over-year" is forgettable. A brief case study about a company similar to yours — what happened, how it started, what it cost — is not. Concrete narratives activate attention in a way that data tables don't.

Build a no-blame culture

If employees fear punishment for mistakes, they hide them. A security incident reported immediately is manageable; one that surfaces three weeks later after someone was too afraid to speak up is a crisis. Make it explicit and consistent: reporting a mistake is the right behavior, and it will be treated as such.

This is also directly relevant to GDPR compliance — timely incident reporting is a legal obligation under Article 33, which requires notification to supervisory authorities within 72 hours of becoming aware of a breach.

5. Embrace the passwordless future, today

Passwords are not going away overnight. But the trajectory is clear, and forward-looking organizations are already moving.

Understand passkeys

A passkey replaces the traditional password with a cryptographic key pair: a private key stored on the user's device, a public key registered with the service. Authentication happens via biometrics or device PIN — no password to remember, no password to steal, no password to reuse. The adoption numbers signal where this is heading: over 800 million Google accounts and 175 million Amazon users have already created passkeys.

Start with a pilot

You don't need to rearchitect your entire identity stack to begin. Pick one internal application with a high login frequency — a project management tool, an internal wiki, a developer portal — and run a passkey pilot with a volunteer group. Gather feedback, measure support ticket volume, and build the case for broader rollout.

MFA remains non-negotiable in the interim

Even with strong passwords and a password manager in place, MFA is the most effective single control against credential-based attacks. Adoption in large enterprises sits at around 87%, but drops to roughly 34% in small and mid-sized businesses. If your organization is in that gap, closing it is the highest-priority action on this list.

The key to adoption: choose MFA methods that fit how people actually work. Push notifications and authenticator apps have significantly lower friction than SMS codes; hardware keys are the strongest option for privileged accounts.

For a deeper look at how to structure your password policy around these principles — including NIST alignment and enforcement mechanisms — the Passwork blog has a dedicated guide.

Conclusion

The five strategies above share a common logic: security that respects how people actually behave produces better outcomes than security that demands they behave differently.

Updating your password policy to align with NIST SP 800-63B-4, deploying a password manager with genuine organizational buy-in, making training engaging rather than punitive, personalizing the message to each role, and building toward passwordless authentication — none of these require a large budget. They require a shift in framing.

Users don't resist security. They resist friction, confusion, and the feeling that policies exist to inconvenience them rather than protect them. Remove those barriers, and you'll find that most people are willing participants in building a stronger security culture.

Start with one strategy this quarter. Measure the impact. Build from there.

Frequently Asked Questions

What is a passkey? Guide to passwordless authentication

A passkey is a phishing-resistant credential stored on your device. Sign in with a biometric tap — no password to remember or steal. This guide covers the technical mechanics, platform setup, real-world performance data, and what the transition means for enterprise teams.

Passwork BlogAlex Muntyan

Enterprise password management: The B2B Guide to Deployment, Security & Implementation (2026)

A comprehensive guide for B2B leaders on enterprise password management. Explore deployment options (cloud, on-premise, hybrid), security architecture, and implementation best practices.

Passwork BlogAlex Muntyan

What is password management?

Learn what password management is, why it matters, and how it protects your accounts with encryption, secure storage, and access control.

Passwork BlogEirik Salmi

Password management is the practice of securely creating, storing, organizing, and controlling access to passwords and other authentication credentials. It combines human processes with specialized software tools to ensure that every account uses a strong, unique password without requiring users to memorize them all.

Whether you're an individual trying to secure your online life or an IT administrator protecting your organization's digital assets, understanding password management is essential.

This guide explains everything you need to know: what password management is, why it matters, how it works, and how to implement it effectively. You'll learn about different types of password managers, key features to look for, and best practices that protect you from the most common security threats.

Understanding password management

At its core, password management addresses a fundamental challenge: humans are terrible at creating and remembering secure passwords. We default to predictable patterns, recycle familiar combinations across accounts, and prioritize convenience over security.

Password management systems compensate for these inherent limitations by assuming the cognitive burden and complexity on our behalf. As both a practice and a technology, password management encompasses several key functions:

• Password generation: Creating strong, random passwords that meet security requirements and resist common attack methods like brute force and dictionary attacks.
• Secure storage: Encrypting and storing passwords in a protected vault that only authorized users can access.
• Organization: Categorizing and managing credentials across hundreds of accounts, making them easy to find when needed.
• Access control: Determining who can access which passwords, particularly important in team and enterprise environments.
• Autofill and automation: Automatically entering credentials into login forms, reducing friction while maintaining security.
• Audit trails: Recording who accessed which credentials and when, allowing security teams to detect suspicious activity, investigate incidents, and maintain compliance with regulatory requirements.

Password management has evolved from rudimentary practices to sophisticated security infrastructure. The first generation of digital password managers introduced basic encryption (like Blowfish algorithm) and centralized storage, addressing immediate security gaps but lacking the granular controls enterprises required.

Modern password management systems represent a fundamental shift: they combine military-grade encryption, zero-knowledge architecture, role-based access controls, and comprehensive audit capabilities. Today's solutions enforce security policies, detect anomalies, integrate with existing infrastructure, and provide the visibility organizations need to maintain compliance and respond to threats in real time.

Why is password management important?

According to Verizon's 2025 Data Breach Investigations Report, stolen credentials served as the initial access vector in 22% of all confirmed breaches, with that figure jumping to 88% for basic web application attacks.

In the first half of 2025 alone, over 8,000 global data breaches exposed approximately 345 million records, demonstrating the persistent and catastrophic scale of credential-based attacks. Behind these statistics lies a fundamental incompatibility between human cognition and modern security demands.

The human factor

Our brains simply weren't designed for this pace of information. Psychological research shows that humans can reliably remember only 7±2 pieces of data in working memory. Yet we're expected to manage hundreds of unique, complex passwords — each a random string of uppercase letters, lowercase letters, numbers, and symbols.

Faced with this impossible task, people develop coping mechanisms that undermine security:

• Predictable patterns: Adding "123" or "!" to meet complexity requirements.
• Password reuse: Over 60% of people reuse passwords across multiple accounts.
• Writing passwords down: Sticky notes on monitors remain surprisingly common.
• Simple passwords: "password," "123456," and "qwerty" still rank among the most common passwords globally.

This behavior isn't laziness. It's a rational response to an overwhelming cognitive burden. Password fatigue is real, and it leads to security shortcuts.

The consequences of poor password hygiene

When password security fails, the consequences cascade:

• For individuals: Identity theft, financial fraud, privacy violations, and the time-consuming process of recovering compromised accounts. The average victim of identity theft spends 200 hours resolving the issue.
• For businesses: Data breaches cost an average of $4.44 million per incident, according to IBM's Cost of a Data Breach Report. Beyond direct financial losses, organizations face regulatory fines, legal liability, reputational damage, and loss of customer trust.
• For IT teams: Password-related help desk tickets consume 20-50% of IT support resources in typical organizations. Every "forgot password" request represents time that could be spent on strategic initiatives.

The benefits of effective password management

Implementing proper password management delivers measurable improvements:

• Enhanced security: Unique, strong passwords for every account eliminate the domino effect of credential reuse. Even if one password is compromised, your other accounts remain secure.
• Reduced cognitive load: You remember one master password instead of hundreds. The mental relief is immediate and significant.
• Time savings: Autofill eliminates the minutes spent typing or resetting passwords. For organizations, this translates to thousands of hours of productivity annually.
• Compliance support: Many regulations (GDPR, HIPAA, SOC 2) require organizations to demonstrate proper credential management. Password managers provide the audit trails and controls needed for compliance.
• Improved user experience: Seamless access to accounts without the friction of password resets or account lockouts.

How does password management work?

Understanding the mechanics of password management helps you appreciate both its security and its usability. Modern password managers balance strong encryption with user-friendly access.

The master password concept

Everything starts with your master password — the single password you need to remember. This password unlocks your encrypted vault containing all your other credentials.

Many users create master passwords using passphrases, random words strung together like correct-horse-battery-staple, which are both secure and memorable.

The XKCD comic that popularized this concept demonstrated a crucial insight: four or five random common words create more entropy (randomness) than a shorter complex password, while being far easier to remember.

The encrypted vault

Your password vault is an encrypted database that stores all your credentials, notes, and other sensitive information. Modern password managers use AES-256 encryption, the same standard used by governments and militaries worldwide.

Here's what makes it secure:

• Encryption at rest: Your data is encrypted before it leaves your device. Even the password manager company cannot read your vault contents.
• Zero-knowledge architecture: The service provider never has access to your master password or unencrypted data. If their servers are breached, your passwords remain protected.
• Encryption in transit: When syncing across devices, your encrypted vault travels through secure channels (TLS/SSL), adding another layer of protection.

The user journey

Here's how password management works in practice:

1. Initial setup: You create your master password, set up your account and security settings — multi-factor authentication, access controls, and vault parameters.
2. Adding passwords: As you log into existing accounts, the password manager detects login forms and offers to save your credentials. You can also manually add passwords or import them from browsers or other password managers.
3. Password generation: When creating new accounts, the password manager generates strong, random passwords according to the site's requirements. You never need to think about password creation again.
4. Autofill: When you visit a login page, the password manager recognizes the site and offers to fill in your credentials. One click, and you're logged in.
5. Syncing: Your encrypted vault syncs across all your devices — phone, tablet, laptop, desktop. Changes made on one device appear everywhere.
6. Secure sharing: When you need to share credentials with family members or team members, the password manager encrypts and transmits them securely, without exposing them in plain text.

Types of password managers

Password managers vary significantly in architecture, security model, and deployment options. Understanding these differences is essential for selecting the right solution.

Browser-based password managers

Built into web browsers like Chrome, Firefox, Safari, and Edge, these password managers offer basic functionality without additional software.

Pros:

• Free and immediately available
• Seamless integration with the browser
• Automatic syncing across devices using the same browser
• No learning curve

Cons:

• Limited to browser-only passwords
• Basic security features compared to dedicated solutions
• Vulnerable if browser account is compromised
• Limited sharing capabilities
• Inconsistent cross-browser functionality

Best for: Casual users with simple needs who primarily use one browser ecosystem.

Standalone password managers

These applications store your encrypted password vault locally on your device rather than in the cloud. Designed for individual use, they prioritize local control over multi-device convenience.

Pros:

• Complete control over your data
• No reliance on cloud services
• Works offline
• Maximum privacy

Cons:

• Manual syncing across devices
• Risk of data loss if device fails without backups
• Less convenient for multi-device users
• Requires more technical knowledge

Best for: Privacy-conscious users, those with limited internet connectivity, or anyone who prefers local data storage.

Cloud-based password managers

The most popular category, these services store your encrypted vault on their servers and sync it across all your devices.

Pros:

• Seamless syncing across unlimited devices
• Accessible from anywhere with internet
• Automatic backups
• Rich feature sets (sharing, auditing, breach monitoring)
• User-friendly interfaces
• Mobile apps with biometric authentication

Cons:

• Requires trust in the service provider
• Subscription costs for premium features
• Dependent on internet connectivity
• Potential target for attackers (though encryption protects data)

Best for: Most individual users, families, and small teams who want convenience and comprehensive features.

Enterprise password managers

Designed for organizations, these solutions add administrative controls, compliance features, integration with corporate systems and are deployed on-premise. This architecture eliminates dependencies on external providers. You define the security perimeter, manage access controls, and maintain complete operational independence.

Pros:

• Complete data sovereignty
• Zero external dependencies or cloud service providers
• Automatic compliance with data residency regulations
• Integration with Active Directory, LDAP, and SSO systems
• Centralized administration with granular policy enforcement
• Role-based access controls and privileged access management
• Comprehensive audit logs and compliance reporting
• Automated onboarding/offboarding workflows
• Protection from provider-side security incidents

Cons:

• Higher upfront infrastructure and licensing costs
• More complex setup and administration
• May require IT expertise
• Organization manages backups and disaster recovery

Best for: Businesses of all sizes, IT teams managing shared credentials, organizations with compliance requirements.

Key features of password managers

Modern password managers offer far more than basic password storage. Understanding these features helps you evaluate solutions and maximize their value.

Core features

• Password generation: Creates strong, random passwords based on customizable criteria (length, character types, symbol inclusion). The best generators create passwords that resist brute force attacks for centuries.
• Secure storage: Encrypted vault for passwords, with many managers also storing secure notes, credit card information, identity documents, and other sensitive data.
• Autofill: Automatically detects login forms and fills credentials with one click or tap. Advanced autofill distinguishes between similar sites to prevent phishing attacks.
• Cross-platform syncing: Keeps your vault synchronized across Windows, macOS, Linux, iOS, Android, and web browsers.
• Browser extensions: Integrations for Chrome, Firefox, Safari, Edge, and other browsers that enable autofill and password capture.
• Mobile apps: Full-featured applications for smartphones and tablets, often with biometric authentication.

Security features

• Multi-factor authentication (MFA): Adds a second verification step beyond your master password. Options include authenticator apps (TOTP), SMS codes, hardware keys (YubiKey), or biometric verification.
• Biometric authentication: Unlock your vault using fingerprint, face recognition, or other biometric methods on supported devices.
• Security dashboard: Analyzes your passwords and identifies:
  • Weak passwords that don't meet security standards
  • Reused passwords across multiple accounts
  • Old passwords that haven't been changed recently
• Zero-knowledge architecture: Ensures that even the password manager company cannot access your unencrypted data.
• Emergency access: Designates trusted contacts who can access your vault after a waiting period if you become incapacitated.

Sharing and collaboration features

• Secure sharing: Share individual passwords or entire folders with family members or team members without exposing passwords in plain text.
• Team accounts: Organize passwords by department, project, or access level with role-based permissions.
• Access controls: Define who can view, use, or modify specific passwords.
• Sharing history: Track when passwords were shared, accessed, or modified.

Advanced features

• Password history: Maintains previous versions of passwords, allowing you to revert if needed.
• Secure notes: Store sensitive information beyond passwords — software licenses, WiFi credentials, server details, recovery codes.
• File attachments: Attach encrypted files to vault items (contracts, certificates, documents).
• API access: For developers and power users, programmatic access to the password manager.
• CLI tools: Command-line interfaces for integrating password management into development workflows.
• Audit logs: Detailed records of all vault activities for security monitoring and compliance.

Password management best practices

Having a password manager is only the first step. Following these best practices ensures you're using it effectively and securely.

1. Create an unbreakable master password

Your master password is the single point of failure for your entire password security. Make it count:

• Use at least 16 characters (longer is better)
• Combine random words into a memorable passphrase
• Avoid personal information (names, dates, addresses)
• Never reuse a password you've used anywhere else

2. Enable multi-factor authentication

Add a second layer of security to your password manager account. Even if someone discovers your master password, they can't access your vault without the second factor. Authenticator apps (Passwork 2FA, Google Authenticator, Authy) are more secure than SMS codes. Hardware security keys (YubiKey) offer the strongest protection.

3. Use unique passwords for every account

This is the fundamental rule of password security. Your password manager makes it effortless — let it generate a unique password for each account. If one site is breached, your other accounts remain secure.

4. Generate long, complex passwords

When creating passwords, maximize length and complexity:

• Aim for 16-20 characters minimum
• Use all character types (uppercase, lowercase, numbers, symbols)
• Let the password manager generate them randomly

5. Conduct regular password audits

Schedule quarterly reviews using your password manager's security dashboard:

• Update weak passwords
• Eliminate reused passwords
• Change old passwords (especially for critical accounts)
• Remove passwords for accounts you no longer use

6. Respond immediately to breach alerts

When your password manager notifies you of a compromised password, change it immediately. Don't wait, breached credentials are often exploited within hours.

7. Organize your vault thoughtfully

Create a logical structure:

• Use folders or tags to categorize passwords (Work, Personal, Finance, etc.)
• Add notes to passwords with security questions, account numbers, or other relevant information
• Mark critical accounts for easy identification

8. Back up your vault regularly

While cloud-based password managers handle backups automatically, consider:

• Exporting an encrypted backup periodically
• Storing the backup in a separate secure location
• Testing your backup to ensure it works

9. Set up emergency access

Designate a trusted person who can access your vault if something happens to you. Most password managers offer emergency access features with configurable waiting periods.

10. Use secure sharing features

When sharing passwords with team members:

• Use the password manager's built-in sharing features
• Never send passwords via email, text, or messaging apps
• Revoke access immediately when no longer needed
• Regularly review who has access to shared passwords

11. Keep your password manager updated

Enable automatic updates to ensure you have the latest security patches and features. This applies to browser extensions, mobile apps, and desktop applications.

12. Avoid common mistakes

• Don't store your master password in your vault (circular dependency)
• Don't share your master password with anyone, ever
• Don't use password manager autofill on public or shared computers
• Don't ignore security warnings from your password manager
• Don't assume you're completely secure — stay vigilant

Frequently Asked Questions

Conclusion

Password management isn't optional anymore — it's essential infrastructure for digital life. The average person manages hundreds of accounts, each requiring secure authentication. Trying to remember unique, strong passwords for every account is impossible, and the alternatives — password reuse, weak passwords, or written notes — create serious security vulnerabilities.

Password managers solve this problem. They generate strong passwords, store them securely with military-grade encryption, and autofill them when needed. You remember one master password; the password manager handles everything else.

The benefits extend beyond security. Password managers save time, reduce frustration, improve productivity, and support compliance requirements. For businesses, they reduce help desk burden and protect against the costly consequences of data breaches.

Further reading

Guide to Advanced Encryption Standard (AES)

Learn how AES encryption works, why it’s the standard for data security, and how AES-256 protects everything from passwords to TOP SECRET data.

Passwork BlogEirik Salmi

GDPR password security: Guide to effective staff training

Learn proven strategies to train employees for GDPR password security compliance. Reduce breach risks with practical training methods.

Passwork BlogAna Moore

Passwork 7.1: Vault types

Vault types Passwork 7.1 introduces a robust vault types architecture, providing enterprise-grade access control for enhanced security and management. Vault types address a key challenge for administrators: controlling data access and delegating vault management across large organizations. Previously, the choice was limited to two types. Now, you can create

Passwork BlogEirik Salmi

We live in a digital age, and children must learn about internet safety as a first port of call. They are constantly on their phones and tablets, and many of them complete their coursework online. To secure personal information, all of these services require a password, but the passwords are frequently pre-set for youngsters, who do not get to create their own.

Children will never learn how to create secure passwords if such passwords are never changed. This renders them vulnerable to hacking. It is our responsibility as parents to educate our children about internet safety. This includes not only stopping kids from accessing improper information, but also explaining why. The greatest method for children to learn about computer security is to see adults who are skilled in the field. Continue reading to learn how to teach your children about password security fast and effortlessly.

Make unique and fun passwords

Passwords should be easy for your children to remember but tough for others to guess. That may appear to be an oxymoron, but if you make it fun, your child will be more likely to remember their passwords. Here are some easy ideas to get their creative juices flowing:

• Make up your own sentences or words. If they had a favorite stuffed animal as a youngster, try to integrate it, but don't make it the sole word. Use three or more to create complexity.

• Use basic, popular passwords such as ABCDE, 123455, or "password" instead. Hackers can easily breach them and obtain access to your accounts.

• Use passwords that are at least eight characters long

• Use numbers, uppercase letters, and symbols as needed. Also, avoid using them in apparent ways. Avoid substituting letters for vowels, such as an exclamation point (!) for I and an at symbol (@) for a. These are basic replacements that are easy to understand.

• Create unique passwords for each website. If your password is hacked and you use it in several places, hackers will have access to your children's sensitive information in multiple areas.

Passwords should not be shared

This one may be difficult for your children to grasp. They do, after all, know your phone's password! However, it is critical that your children do not share their passwords with anyone other than their parents—including their siblings. The more people who know their password, the more likely it is that people who should not have access to their accounts will.

Explain some of the scenarios that could occur to your children to ensure that they understand why they should not share their passwords. Listed below are a few examples:

• Someone could steal their identity

• Someone could send hurtful messages and jeopardize friendships

• Someone could open accounts on questionable platforms using their identity

• Someone could change their passwords and keep them from accessing their accounts

• If there are bank accounts attached, someone could spend their money

These are just a few examples, but they should be enough to convince your children not to share their passwords. If they do, they must inform you of who they shared it with and why. You can then decide whether or not to change their passwords.

Remember, as a parent, this does not apply to you. As a precaution, you should have all of your children's passwords who are under the age of 18. This will give you peace of mind because you will know you can monitor their online activity for their safety and security. There are many frightening people out there, and not just those looking to steal their passwords.

Avoid using the same password in multiple places

It may be difficult to keep track of so many different passwords, but it is critical that you and your child develop a unique password for each website, platform, or program. This will assist to safeguard their data:

• If there is a data breach in one place, they simply need to be concerned about that one location

• If you use the same password, they may have access to far more information, which might be harmful

Your child may not be able to use a password manager at school, but there are security services that can assist you in storing passwords across various platforms. They can also generate secure passwords that are difficult to decipher. These are useful tools, but you should not rely only on them for all of your passwords in case you are locked out.

What does a strong password look like?

You may be asking what makes a password strong now that you know what to do and what to avoid while teaching your children password safety. There are several approaches to constructing a secure password, and you must ensure that passwords are simple for your youngster to remember.

One method is to speak to their interests or their sense of humor.

• Use their passions as a source of inspiration. If they enjoy magic, you may perform something like AbramagiCkadabrA#7. This is an excellent password since it includes random capitalization, a number, and a distinctive character.

• Use something amusing for them. For example, because little children are typically delighted by potty humor, you may establish their username @uniFARTcorn3. Again, you've covered all of the possible factors for password requirements, and your kids will have a good time inputting it.

• Make use of meals and pastimes. You might, for example, create their password Apple3picking! EAO. They enjoy apple harvesting, their favorite number, a special character, and strange apple orchard letters or abbreviations.

You want to make your password difficult to guess but easy to remember, so choosing items that will activate your memory or make you smile when your child enters it will increase the likelihood that they will remember it.

It is not suggested to keep a digital file of passwords on your computer, but if necessary, you may write them down for your children until they learn them. Just be careful not to lose track of where you wrote them!

Comprehensive guide: Cybersecurity vocabulary – terms and phrases you need to know

Cybersecurity — as complex as it sounds — is an essential concept that we all need to be aware of in this day and age. Computers, phones, and smart devices have become an extension of our bodies at this point, which makes their security paramount. From your family photos to your bank

Passwork BlogEirik Salmi

Why do employees ignore cybersecurity policies?

Employees often ignore cybersecurity rules not out of laziness, but because they feel generic, irrelevant, or disconnected from real work. True change starts with empathy, leadership, and context-driven policies. Read the full article to learn how to make security stick.

Passwork BlogIliya Garakh, CTO

Passwork: Secrets management and automation for DevOps

Introduction In corporate environment, the number of passwords, keys, and digital certificates is rapidly increasing, and secrets management is becoming one of the critical tasks for IT teams. Secrets management addresses the complete lifecycle of sensitive data: from secure generation and encrypted storage to automated rotation and audit trails. As

Passwork BlogEirik Salmi

Of course you want to keep your data safe. So why are so many security precautions frequently overlooked? Many accounts, for example, are protected by weak passwords, making it easy for hackers to do their work. There is a fine line between selecting a password that no one can guess and selecting a password that is easy to remember. As a result, we will examine this topic in depth today and ensure that you no longer need to click on the "lost password" link.

What exactly is a strong password?

So let's begin with a definition. A secure password is one that cannot be guessed or broken by an intruder.

Computers are utilized by hackers in order to try out various combinations of letters, numbers, and symbols. Passwords that are only a few characters long and consist entirely of letters and digits are easy for modern computers to crack in a couple of seconds. Because of this, it is vital to utilize robust combinations of capital and lowercase letters, numbers, and special characters in one password. There is a minimum length requirement of 12 characters for passwords, although using a longer password is strongly encouraged.

To summarize the attributes of a secure password, they are as follows:

• At least 12 characters are required. The more complicated your password, the better.

• Upper and lower case letters, numbers, and special characters are included. Such passwords are more difficult to crack.

• Does not contain keyboard paths

• It is not based on your personal information

• Each of your accounts has its own password

You have undoubtedly observed that a variety of websites "care" about the security level of your password. When you are making an account, you will frequently see tooltips that remind you to include a particular amount of characters, as well as numbers and letters. Weak passwords have a far higher chance of being disapproved by the system. Keep in mind that, for reasons related to your security, you should never use the same password for several accounts.

A secure password should be unique

You may use a strong password for all of your accounts after you've created one. However, doing so will leave you more exposed to assaults. If a hacker obtains your password, they will be able to access whatever account you used it for, including email, social media, and work accounts.

According to surveys, many people use the same password because it is easier to remember. Don't worry, there are several tools available to assist you with managing multiple passwords. We'll get to them later.

While adding special characters in passwords is an excellent approach to increase their security, not all accounts accept all characters. However, in most scenarios, the following are used: ! " #% & *, / : | $ ; ': _? ().

Here are some examples of strong passwords that make use of special characters:

• P7j12$# eBT1cL@Kfg

• $j2kr^ALpr!Kf#ZjnGb#

Ideas for creating a strong password

Fortunately, there are several methods for creating unique and secure passwords for each of your accounts. Let's go over each one in detail:

1. Use a password generator/password manager

If you don't have the time to come up with secure passwords, a password generator that can also serve as a manager is a very simple and straightforward solution that you may use.

2. Choose a phrase, not a word

Passwords are significantly less secure than passphrases since they are often lengthier and more difficult to guess or crack. Instead of a word, pick a phrase and use the first letters, digits, and punctuation from that phrase to generate an apparently random combination of characters. Experiment with different wording and punctuation.

Here are some examples of how the passphrases technique may be used to generate secure passwords:

• I first went to Disneyland when I was four years old and it made me happy: I1stw2DLwIw8yrs&immJ

• My friend Matt ate six donuts at a bakery cafe and it cost him £10: MfMa6d@tbc&ich£10

3. Pick a more unique option

Open a dictionary or book and select a random word, or better yet, many. Combine them with numbers and symbols to make it far more difficult for a hacker to decipher.

As an example:

• Sand, fork, smoke, okay — Sand%fork9smoke/okay37

4. Experiment with phrases and quotes

If you need a password that is difficult for others to guess but easy for you to remember, try variants on a phrase or statement that means something to you. Simply choose a memorable sentence and replace parts of the letters with numbers and symbols.

For example:

• “For the first time in forever”: Disney’s Frozen: 4da1stTymein4eva-Frozen

5. Make use of emojis

You may always use emoticons to add symbols to your passwords without making them difficult to remember. You can't add emojis, but you can attempt emoticons made out of punctuation marks, characters, and/or numbers.

For example:

• \_(ツ)_/¯

• (>^_^)> <(^_^<)

• (~.~) (o_O)

What should I do after I have created a password?

1. Set passwords for specific accounts
You'll still need to generate a unique password for each of your accounts once you've created a strong password that you can remember. Instead of creating several new ones, you may include the name of the platform you use at the end. For example, if your password was nHd3#pHAuFP8, just add the word EMa1l to the end of your email address to get nHd3#pHAuFP8EMa1l.

2. Make your password a part of your muscle memory
If you want to be able to recall your password, typing it out several times can help you do so. You will be able to memorize information far more easily as a result of the muscle memory that you will develop.

How to keep your passwords safe?

1. Choose a good password manager
Use a trustworthy password manager whether you're setting your own safe passwords or looking for an internet service to handle it for you. It creates, saves, and manages all of your passwords in a single safe online account. All you have to do is put all your account passwords in the application and then safeguard them with one "master password". This means you just have to remember a single strong password.

2. Use two-factor authentication
You've heard it before, but we'll say it again. Two-factor authentication (2FA) adds an additional level of protection. Even if someone steals your password, you can prevent them from accessing your account. This is often a one-time code supplied to you by text message or other means. Receiving an SMS, by the way, is not the most secure method since a hacker might obtain your mobile phone number in a SIM swap fraud and gain access to your verification code.

Apps using two-factor authentication are far more secure. Google Authenticator, for example, or Microsoft Authenticator.

3. Passwords should not be saved on your phone, tablet, or computer
Although it might not be immediately visible, this is a common approach for people to save their passwords. That should not be done. Your files, emails, messenger conversations, and notes may all be hacked.

4. Keep your password confidential
Even if you completely trust the person to whom you are handing your password, sending it in a text message or email is risky. Even if you speak it aloud or write it down on paper, someone who is interested can overhear you and take notes behind you.

Python connector 0.1.5: Automated secrets management

The new Python connector version 0.1.5 expands CLI utility capabilities. We’ve added commands that solve critical tasks for DevOps engineers and developers — secure retrieval and updating of secrets in automated pipelines. What this solves Hardcoded secrets, API keys, tokens, and database credentials create security vulnerabilities and operational bottlenecks.

Passwork BlogEirik Salmi

How to protect your online business from cyberattacks

Protect your online business from cyber threats with actionable strategies, from employee education to advanced tools like Passwork. Learn about phishing, ransomware, and more while discovering how to enhance security with simple yet effective measures. Stay protected — read the full article!

Passwork BlogEirik Salmi

How secure are smart home devices?

Are you sure that your home is protected in the way that you think? Sure, you can secure it with modern locks or an alarm system to protect yourself from robbers who want to steal your money or furniture, but what about those who are looking at your home as

Passwork BlogIliya Garakh, CTO

The most frequently-used password globally is "123456”. However, analyzing passwords by country can yield some quite fascinating results.

We frequently choose weak passwords such as "123456" since they are easy to remember and input. The differences between such passwords can sometimes be found in the language itself. For example, if the English have "password" at the top of their list, the Germans prefer "passwort", and the French use "azerty" instead of "qwerty" due to the peculiarities of the French keyboard layout, which has the letter A instead of the usual Q.

When a weak password is driven by culture, things get much more intriguing. The password "Juventus" is likely to appeal to fans of the Italian football team Juventus. This password is also the fourth most popular option among Italian Internet users. The club is from Turin, Piedmont, and is supported by about 9 million people. At first look, the unique password "Anathema" appears to be a typical occurrence in Turkey, where the British band Anathema's name is among the top ten most common passwords.

A weak password is widespread

ExpressVPN together with Pollfish interviewed 1,000 customers about their password preferences in order to learn more about how individuals approach password formation.

Here are some of their findings:

• The typical internet-goer uses the same password for six different websites and/or platforms

• Relatives are likely to be able to guess their passwords from internet accounts, according to 43% of respondents

• When generating passwords, two out of every five people utilize different variants of their first and/or last name

These findings demonstrate a lack of cybersecurity knowledge, despite the fact that 81% of respondents feel confident in the security and privacy of their existing passwords.

According to the survey results, passwords frequently contain personal information. Below, you will find the most shared personal information with the percentage of respondents who revealed that their passwords contained personal information.

• First Name (42.3%)

• Surname (40%)

• Middle Name (31.6%)

• Date of birth (43.9%)

• Social security number (30.3%)

• Phone number (32.2%)

• Pet name (43.8%)

• Child's name (37.5%)

• Ex-partner's name (26.1%)

The most common passwords in various countries

Based on an infographic from ExpressVPN, the picture below illustrates the most often used passwords in various nations, practically all of which are in the top ten in their respective countries. Many are exclusive to these nations and demonstrate how cultural influences impact password creation.

Much of the information presented comes from a third-party study of stolen credentials (which were made public by Github user Ata Hakç). These datasets are based on the language of the individual sites, allowing the information to be distributed by country.

Let's have a look at some interesting variations of passwords. For instance, the phrase "I love you forever" may be deciphered from the password "5201314," which is commonly used by people from Hong Kong. In contrast, users in Croatia make use of the password “Dinamo”, which is derived from the name of an illustrious football team based in Zagreb. Martin is the password that is used by people from Slovakia. In Slovakia, the name Martin has a position as the fourth most common name. The Greeks, on the other hand, chose not to put undue effort into themselves and instead went with the most straightforward password out of the list, which was 212121. On the other hand, Ukrainians use the pretty difficult password Pov1mLy727. Apart from Ukraine, there are other countries where users more often than not create strong passwords. Let’s take a look.

These 10 countries create the strongest passwords

According to the results of the National Privacy Test that was carried out by NordVPN, the greatest marks were obtained by Italians in regard to their understanding of robust passwords. The following is a list of the top ten nations in which people come up with the most complicated passwords.

1. Italy 94.3 (points out of 100)

2. Switzerland 94

3. Spain 93.5

4. Germany 93.3

5. France 92.3

6. Denmark 91.8

7. UK 90.7

8. Belgium 90.4

9. Canada 89.4

10. USA 89.3

The top 10 did not include Australia (88.9), South Africa (86.2), Saudi Arabia (85.7), Russia (81.4), Brazil (81.2), Turkey (73.9), and India (78.4).

"This study demonstrates that individuals from all around the world are aware of how to generate secure passwords. The information is there, but people aren't using it in the right ways," says Chad Hammond, a security specialist at NordPass.

Also in November 2022, NordPass published a study that found out which passwords network users use most often. According to the findings of the survey, the majority of individuals still rely on simple passwords such as their own names, the names of their favorite sports teams or foods, simple numerical combinations, and other straightforward options.

NordPass security specialist Chad Hammond also stated, "Using unique passwords is really crucial, and it's scary that so many individuals still don't." It is critical to generate distinct passwords for each account. "We put all accounts with the same password in danger when we reuse passwords: in the case of a data breach, one account at risk can compromise the others."To summarize, it is reasonable to state that it does not matter where you were born, where you live, or what you are passionate about; you must always use unique passwords. We recommend that you make your password difficult to guess by making it more complicated or by using a password generator. This will increase the level of security provided by your password. In addition to this, we strongly suggest that you take advantage of two-factor authentication wherever it is an option. If you add an additional layer of protection to your accounts, be it in the form of an app, biometrics, or a physical security key, you will notice a significant increase in their level of security.

Passwork 7: Security verified by HackerOne

Passwork has successfully completed the penetration testing, carried out by HackerOne — the world’s largest platform for coordinating bug bounty programs and security assessments. This independent evaluation confirmed Passwork’s highest level of data protection and strong resilience against modern cyber threats. What the pentest covered Security architecture and data

Passwork BlogEirik Salmi

GDPR password security: Guide to effective staff training

Learn proven strategies to train employees for GDPR password security compliance. Reduce breach risks with practical training methods.

Passwork BlogAna Moore

Incident response planning: Preparedness vs. reality

Discover key insights from Passwork webinar on incident response planning. Why teamwork and tools drive real cybersecurity resilience.

Passwork BlogIliya Garakh, CTO

There is no good reason, from a technical standpoint, why passwords can't contain scripts in Chinese, Japanese, Korean, or any other language for that matter. If you are able to write in this script, then it is entirely appropriate for you to employ it in whatever endeavors you undertake.

However, if you put this theory to the test, you will discover that many websites, including well-known ones like Google, prevent you from entering a password that contains characters other than A-Z, 0-9, and common special characters.

This brings to mind the early days of the internet when certain websites forbade the use of capitalization and prohibited the use of Latin letters for no discernible reason.

Site issues with passwords including Chinese characters

Users often make use of passwords that are longer than 30 characters, include all of the various character kinds that are usually suggested, and are created at random. If you use a password manager, you should probably make the password as difficult and as lengthy as it can possibly be.

However, if you visit more than 150 websites and change your password each time, you may find that many websites have password rules that do nothing but lower their level of security rather than increase it. This is because these rules are designed to protect users from themselves.

For instance, several websites impose arbitrary restrictions on the maximum length of passwords. They will typically demand passwords with less than 20 characters, in many instances. In certain cases, you can only use a maximum of 12 characters.

Even though it makes the password less secure, certain websites require that you include a number and a special character. This is despite the fact that doing so decreases the entropy of the password. On other pages, one may be restricted to using just the Latin letters; numerals and punctuation are not allowed. On certain websites, one may use punctuation, but you have to choose it from a drop-down menu first, and characters like "&" are not permitted.

This last point ought to give you significant cause for worry. Are these websites capable of sanitizing the password before inserting it into the database? Your database should not be used to store passwords in any way. I'm curious how many times this has been the cause when we consider severe breaches of privacy. You are required to hash the password before saving it.

In any event, the end effect of all of this is that a significant number of websites still verify passwords in an erroneous manner, excluding characters that really should be fully allowed. There is no valid reason why "您未设置安保问题" can’t serve as your password.

So, how safe is such a password?

Entropy is a term used to describe both the difficulty of breaking a password and the complexity of the password itself. In the next paragraphs, we will examine how to compute the entropy of a password.

If we expand the character set to cover everything from a to Z, digits from 0 to 9, punctuation marks, and so on, then we have a pool of 90 characters. This results in an entropy per character of log2(90), which is equivalent to 6.49 bits. If, on the other hand, we expand our character pool to include all Chinese, Japanese, and Korean (CJK) characters (presuming that our character pool has 74,605 characters), then we can calculate the entropy of each character as log2 (74605) = 16.19 bits of entropy per character.

Therefore, a 7-character CJK password such as "正确的马电池钉" would give you 16.19 bits of entropy times 7, which equals 113.33 bits total. I would need a password consisting of 18 characters if I wanted to match this using Latin letters, numbers, and special characters.

The vast majority of people are Chinese-illiterate. They have decided against using any characters that include CJK in their passwords. On the other hand, the effectiveness of a complicated password is comparable to that of vaccination in that it confers herd immunity. Crackers will only conduct brute force or dictionary attacks based on the letter as if individuals only use passwords that include those letters. If people have a habit of using numbers and punctuation, it forces attackers to incorporate those elements into their vocabulary, which in turn slows down their attack. The attacker needs to try all of these additional possible combinations, regardless of whether or not your own password used any of them.

Because roughly one-third of the world's population is able to read and write CJK characters (the populations of China and Japan are enormous), if we permit people to use CJK characters in their passwords, then even if I don't use CJK characters myself, we can all benefit from the increased complexity that this provides.

To reiterate, knowledge of Chinese is not required in order to work with CJK characters. You can keep track of all of your passwords by using a password manager, as was previously suggested. It does not matter whether you are unable to read or write the password as long as the password manager is able to save it and accurately copy and paste it into the password box when it is required.

Conclusion

We’d like to remind everyone that your name, birth date, or any other identifying information should never be used as a password, regardless of the language you use.

In addition, the passwords that are established on other websites might somewhat vary from one another, which makes them easier to remember and prevents the same issue from occurring. In this scenario, it is essential to connect your mobile phone number or email address so that you may easily recover the account in the event that the mobile phone number is lost or stolen.

On the other hand, many people feel that passwords are becoming outdated and that there are now more efficient methods to handle computer security and authentication than by using passwords. Perhaps now is the moment for people to begin shifting their attention to other approaches. In the not-too-distant future, we will find out.

Python connector 0.1.5: Automated secrets management

The new Python connector version 0.1.5 expands CLI utility capabilities. We’ve added commands that solve critical tasks for DevOps engineers and developers — secure retrieval and updating of secrets in automated pipelines. What this solves Hardcoded secrets, API keys, tokens, and database credentials create security vulnerabilities and operational bottlenecks.

Passwork BlogEirik Salmi

Passwork 7.2 release

The new version introduces customizable notifications with flexible delivery options, enhanced event logging descriptions, expanded CLI functionality, server-side PIN code storage for the browser extension, and the ability to enable client-side encryption during initial Passwork configuration. Notification settings We’ve added a dedicated notification settings section where you can choose notification

Passwork BlogEirik Salmi

Cyber insurance: A false sense of security?

Introduction As cyber threats and data breaches become more frequent and sophisticated, many organizations are looking to cyber insurance as a way to manage risk. But is cyber insurance a true safety net — or is it just a false sense of security? This question was at the core of the

Passwork BlogIliya Garakh, CTO

It's possible that you've become familiar with the term "time-based one-time passwords" (TOTP) in relation to "two-factor authentication" (FA) or "multi-factor authentication" (MFA).

However, do you really understand TOTP and how they work?

The Meaning of TOTP

"Time-Based One-Time Passwords” refer to passwords that are only valid for 30-90 seconds after they have been formed with a shared secret value and the current time on the system.

Passwords are almost always composed of six-digit sequences that are changed every thirty seconds. On the other hand, some implementations of TOTP make use of four-digit codes that become invalid after a period of 90 seconds.

An open standard is used in the TOTP algorithm, and this standard is detailed in RFC 6238.

What is a shared secret?

TOTP authentication uses a shared secret in the form of a secret key that is shared between the client and the server.

To the naked eye, the Shared Secret seems to be a string with a representation in Base32 that is similar to the following:

KRUGS4ZANFZSAYJAONUGC4TFMQQHGZLDOJSXIIDFPBQW24DMMU======

Computers are able to comprehend and make sense of information even if it is not legible by humans in the manner in which it is presented.

The client and the server both have a copy of the shared secret safely stored on their respective systems after a single transmission of the secret.

If an adversary is able to discover the value of the shared secret, then they will be able to construct their own unique one-time passcodes that are legitimate. Because of this, every implementation of TOTP needs to pay particular attention to securely storing the shared secret in a safe manner.

What is system time?

There is a clock that is integrated into every computer and mobile phone that measures what is referred to as Unix time.

Unix time is measured in terms of the number of seconds that have passed since January 1, 1970, at 00:00:00 UTC.

Unix time appears to be nothing more than a string of numbers:

1643788666

This small number, however, is excellent for the generation of an OTP since the majority of electrical devices using Unix time clocks are sufficiently synced with one another.

Implementations of the TOTP Authentication Protocol

The use of passwords is not recommended. However, you may increase security by combining a traditional password with a time-sensitive one-time password (TOTP). This combination is known as two-factor authentication or 2FA, and it may be used to authenticate your accounts, virtual private networks (VPNs), and apps securely.

TOTP can be implemented in hardware and software tokens:

• The TOTP hardware token is a physical keychain that displays the current code on a small screen

• The TOTP soft token is a mobile application that displays a code on a phone’s screen

It makes no difference whether you use software tokens or hardware tokens. The purpose of using two different forms of authentication is to increase the level of protection afforded to your online accounts. You have access to a one-time password generator that you may use during two-factor authentication to obtain access to your account. This generator is available to you regardless of whether you have a key fob or a smartphone with an authentication app.

How does a time-based one-time password work?

The value of the shared secret is included in the generation of each time-based one-time password (TOTP), which is dependent on the current time.

To produce a one-time password, the TOTP method takes into account both the current Unix time and the shared secret value.

The counter in the HMAC-based one-time password (HOTP) method is swapped out for the value of the current time in the time-based one-time password algorithm, which is a version of the HOTP algorithm.

The one-time password (TOTP) technique is based on a hash function that, given an input of indeterminate length, generates a short character string of fixed length. This explanation avoids getting too bogged down in technical language. If you simply have the result of a hash function, you will not be able to recreate the original parameters that were used to generate it. This is one of the hash function's strengths.

It is essential to keep in mind that TOTP offers a higher level of security than HOTP. Every 30 seconds, a brand new password is produced while using TOTP. When using HOTP, a new password is not created until after the previous one has been entered and used. The fact that the one-time password for HOTP continues to work even after it has been used for authentication leaves hackers with a significant window of opportunity to mount a successful assault.

Authentication using Multiple Factors (MFA)

A user must first register their TOTP token in any multi-factor authentication (MFA) system that supports a time-based one-time password before they can use the device to connect to their account.

Some TOTP soft tokens need the registration of a different OTP generator for each account. This effectively implies that if you add two accounts to your authenticator app, the program will produce two temporary passwords, one for each account, every 30 seconds. A single TOTP soft token (authenticator program) may support an infinite number of one-time password generators. Individual one-time password generators safeguard the security of all other accounts in the case where the security of an account is compromised.

To use 2FA, a secret must be created and shared between the TOTP token and the security system. The security system's secret must then be passed to the token.

How is the shared secret sent to the token?

Typically, the security system creates a QR code and requests that the user scan it using an authenticator app.

A QR code of this type is a visual depiction of a lengthy string of letters. The shared secret is, roughly speaking, part of this lengthy sequence.

The software will string the image and extract the secret when the user scans the QR code using the authenticator app. The authenticator program may now utilize the shared secret to generate one-time passwords.

When registering a TOTP token, the secret is only sent once. Many of the concerns about stealing the private key are alleviated. An adversary can still steal the secret, but they must first physically steal the token.

It works even when you're not connected to the internet!

To use the TOTP technique, you do not need an active internet connection on your smartphone or a physical key.

The TOTP token only needs to obtain the shared secret value once. The security system and the OTP generator may thus produce successive password values without needing to communicate. As a consequence, time-based one-time passwords (TOTP) operate even when the computer is turned off.

The 2025 small business cybersecurity checklist: A complete guide | Passwork

Passwork’s 2025 cybersecurity checklist, based on the NIST framework, provides actionable steps to prevent data breaches and financial loss.

Passwork BlogEirik Salmi

Passwork: Secrets management and automation for DevOps

Introduction In corporate environment, the number of passwords, keys, and digital certificates is rapidly increasing, and secrets management is becoming one of the critical tasks for IT teams. Secrets management addresses the complete lifecycle of sensitive data: from secure generation and encrypted storage to automated rotation and audit trails. As

Passwork BlogEirik Salmi

5 ways to keep your business safe from cyber threats

In an era where cybercrime is rampant, businesses must take a proactive approach to safeguard their confidential information. In 2021 alone, over 118 million people have been affected by data breaches, and this number is expected to rise exponentially. In this post, we’ll discuss some of the best practices

Passwork BlogIliya Garakh, CTO

Nearly 20 years ago, the National Institute of Standards and Technology (NIST) established guidelines for secure passwords. Indeed, they are still used by many websites, portals, and other services. You’re likely familiar with these password requirements — there ought to be at least 8 characters, both capital and lowercase letters, digits, and special characters. Despite these guidelines, passwords that meet these requirements are no longer safe from modern attackers. The only thing any of us can do to improve the security of our accounts is to make sure that our passwords are lengthy, complicated, and unique for each account. Due to the strict password management requirements, this strategy is, nevertheless, laborious and intimidating for many.

The same password rules do not apply today

In the modern day, password-based security is no longer seen as sufficient. Our digital world is continuously expanding, thus it is more important than ever to make sure that our data is safeguarded from cybercriminals. Cybercriminals perceive an opportunity to target people in a more sophisticated way as a result of the increasing usage of internet services. One explanation is that, although we benefit from technological improvement for our personal, social, or economic growth, cybercriminals have also benefited from the advantages of improved computer graphics cards and machine learning to enhance their attack strategies. In addition to the problem of more sophisticated cyberattacks, there are two interrelated problems with conventional password rules:

The first concern lies in our human nature — keeping track of passwords is tough

You may take a few steps as an individual to increase the security of your passwords. Start by lengthening and making your passwords more complicated. Second, create a unique password for each website you visit. The difficulty of remembering a password increases with its complexity. As a result, we frequently select passwords that are not entirely suitable yet are simple to remember. The difficulty of managing several complicated passwords for every online account leads to the frequent reuse of the same passwords across multiple platforms. As a result, a successful attacker immediately wins big.

However, the high level of password complexity necessary to maintain online safety should not be blamed; rather, it should be pointed out that we can’t improve our inadequate password management skills. Using a password manager to generate and store secure passwords is a useful solution. It is not humanly possible to manage strong passwords for all of our internet accounts without assistance, such as password managers. Because they can't recall the complicated, random sequences of letters, numbers, and special characters, the problem increases the likelihood that individuals will write down their passwords. Passwords are left exposed in digital files stored on a computer or in desk-top notes, making it simple for hackers to hack and read passwords.

The second problem is that passwords have a mathematical limit

There are only ever a finite amount of potential password combinations since a password is a mix of letters, numbers, and symbols. As a result, the best technique for breaking passwords is brute force attacks. Until the correct combination is identified and the password is broken, brute force attacks attempt all possible combinations of letters, numbers, and symbols. Theoretically, a stronger password would be one that is harder to guess due to its length, complexity, and number of possible permutations. However, attackers are now substantially more frequently exploiting Graphic Processing Units (GPUs) to break passwords. GPUs are a component of a computer's graphics card and were first designed to speed up the loading of images and movies. They now show promise for computing hashes (the method used in brute force attacks).

According to studies on password cracking times, passwords may be cracked much more quickly using sophisticated computer graphics cards. Using the most recent computer graphic cards, an 8-character password that used to take 8 hours to crack in 2018 now only takes 39 minutes (see the conclusive 2022 results in the table below). Passwords are gradually getting simpler to crack as a result of recent technical developments, which is a concerning trend. More crucial, however, is the fact that if a password has already been stolen, repeated across sites, or contains basic phrases, attackers may access your accounts right away, regardless of the complexity of the password or the attacker's graphics card.

Consider a 4-character password made up of all 26 letters in the Latin alphabet (case-insensitive) in order to visualize this mathematical example.

26^4 = 456,976 possible password combinations

The number of viable choices rises to when you include digits, uppercase and lowercase letters, and special characters.

95^4 = 81,450,625 possible password combinations

However, because the password must contain at least one special character, one number, one capital letter, and one lowercase letter, the quantity drops to

5,353,920 possible password combinations.

Nevertheless, assuming there are no password-entry security measures, this can be cracked in less than a second by a computer (such as automatic account blocking).

Increase the length and complexity of passwords

Longer or more complicated password phrases are strongly advised when creating new passwords. In this manner, potential attackers will have a harder time breaking the codes. It's crucial to take into account the popularity of the selected password combination in addition to the amount of alternative password combinations. For instance, lists of frequently used passwords or phrases, such as "qwerty," "password," or "12345," are frequently used in brute force assaults.

Therefore, the password should be completely unique or not contain any words at all. For instance, one technique would be to employ acronyms or mnemonics, such as generating a password out of the first few characters of a long text. As an illustration, consider making the password ‘Ilts@7S!’ out of the words I love to ski at Seven Springs.

Password length and complexity alone are insufficient

We are aware that adding length and complexity to passwords is the only method to increase their strength and, consequently, the safety of our accounts. The time it typically takes an attacker to break a password in 2022 using a powerful commercial computer is displayed below. This chart, which has been analysed and periodically updated since 2018, shows how quickly passwords can be broken on current machines. This pattern indicates that, despite our best efforts to create passwords that are longer and more complicated, passwords alone are no longer sufficient to meet the required internet security standards.

In conclusion, password rules increase the complexity of passwords without necessarily enhancing their security.

Why do employees ignore cybersecurity policies?

Employees often ignore cybersecurity rules not out of laziness, but because they feel generic, irrelevant, or disconnected from real work. True change starts with empathy, leadership, and context-driven policies. Read the full article to learn how to make security stick.

Passwork BlogIliya Garakh, CTO

Why do I need a password manager?

Password managers protect your accounts by encrypting credentials, generating strong passwords, and blocking phishing attacks. They help individuals and businesses streamline password management, minimizing risks from weak or reused passwords. Discover their key features in the full article.

Passwork BlogIliya Garakh, CTO

Passwork: Secrets management and automation for DevOps

Introduction In corporate environment, the number of passwords, keys, and digital certificates is rapidly increasing, and secrets management is becoming one of the critical tasks for IT teams. Secrets management addresses the complete lifecycle of sensitive data: from secure generation and encrypted storage to automated rotation and audit trails. As

Passwork BlogEirik Salmi

Whenever the word ‘cybersecurity’ appears, the word ‘password’ springs to mind in parallel. People use them everywhere, from mobile phone locks to the protection of personal and state data stored on individual devices or websites. Everyone knows that a strong and secure password is able to save our sensitive information, however, cybercriminals have invented a huge variety of methods to hack our passwords in order to compromise us. So, modern problems require modern solutions. Now, there are a lot of alternative ways to protect access to personal data. The usual passwords are replaced by multi-layer authentication or just more progressive technologies. These are fingerprints and face recognition functions, keychains, and password vaults. But what is the future of passwords? Will they become an outdated option or stay a necessary part of access.

Why are passwords considered weak?

With the growth of cybercrime, the requirements for passwords are increasing. The first passwords consisted of short, easily-memorized word or numeral combinations, but they were too easy to crack. Now, passwords are sophisticated alpha-numeral combinations, sometimes too long to remember. Nevertheless, it is still possible for hackers to find the solution and get access to your account. Passwords are usually based on some common information like a date of birth, the name of a child, or a home pet, which implies that hackers are able to find out what it is if they have enough time. The other reason why passwords become targets is the fact that they provide unrestricted access to your account. Moreover, many people use the same or similar passwords for many different accounts, so they simplify the process of collecting their sensitive data from multiple sources. Of course, using the same password for every account mitigates the risk of forgetting the password, but reusing the combination is quite risky. Users are sure that they won’t be hacked as the data they store is not valuable enough to be stolen, but it’s a common mistake as almost everyone can be compromised or fall victim to a bot attack that is aimed at spreading spam or malicious links. So, the best way to protect your privacy is not to reuse the same password and exploit multi-layer authentication for your accounts.

The anti-password movement

This movement was established as soon as people understood that usual passwords are more vulnerable than they should be. Passwords are inconvenient and provide multiple avenues for fraudsters to obtain your data and profit from it. The most typical method for hackers to profit from this data is to sell it on the dark web for fast cash. Advanced attacks on logins have been known to shut down entire corporations or launch ransomware campaigns. Credential stuffing is the most well-known form of password hacking, it is based on the reusing of the same password for multiple accounts, pairing it with different email addresses or logins. It is usually aimed at taking over as much information from corporate accounts as possible. Thus, internet users realized that passwords are not the most powerful protection that can be exploited for security goals. So, what was made in addition to, or in place of, the password?

Multi-factor authentication

Single-factor authentication refers to the requirement of only one password to access an account. This method of protection has been used for a long time, but now it’s obsolete. The new practice in authentication is multi-factor access which requires passing two or more layers of authentication before accessing an account. The possible steps of this sophisticated technology could be the PIN code, the server-generated one-time code sent to your email address or mobile phone, or even fingerprints and face recognition.

It makes access more complicated but also serves as an additional barrier to compromise attempts and data thieves. This motivates them to move on to more straightforward targets. While it isn't infallible, it does dissuade attackers from trying anything else, potentially rescuing you from disaster.

Another successful way of protection is the passphrase that is used instead of common password combinations. It is represented as the meaningful or meaningless word combination consisting of up to 100 words. It seems to be hard to remember a long phrase, but it is much easier than remembering alpha-numeric combinations including substitution, capitalization, and different numbers. Hackers will find it incredibly difficult to break into a system since passwords are several words long and can contain an endless number of word combinations. Another good thing about such protection is the lack of necessity to install the special apps or systems required to use this technique. It can be applied to every account without special password character limits.

Is the password dead?

The first hacking attacks were conducted as early as the 80s. Regardless of this, people still use passwords as the main protection force for their private information. So, why can’t we replace it with more modern and convenient technologies?

First of all, it’s related to the ease of creating passwords. The password is generated by the user himself, so there’s no need to create and exploit special services that would be able to provide protection for the account on the user’s behalf. Another point is the privacy of users. The password is one of the more private ways of authentication as it doesn’t require any personal information, it can be a random combination of numbers and lack sense, unlike methods such as biomedical data access, which is connected with personal information that could get out into cyberspace. The last but not the least important point lies in the simplicity of replacing passwords. It can be useful in the event of a major data breach, as it’s easier to change the password than the biomedical options that are used for fingerprints or face recognition.

Conclusion

So what will be the future of passwords? Passwords will definitely be used as one layer of a multi-factor security system for the next few years as there are still no more useful options for saving our privacy than passwords. People are continuing to look for the perfect method of protection, so maybe in a few years, something will finally appear and the world will be able to say goodbye to long sophisticated passwords. Some services have already turned to new systems of access, like one-time codes or fingerprints, but there is still a possibility of being hacked. Indeed, users still believe that a multi-layer system of protection is more convenient than any possible alternative.

Why your passwords are no longer secure (Part 1)

Nearly 20 years ago, the National Institute of Standards and Technology (NIST) established guidelines for secure passwords. Indeed, they are still used by many websites, portals, and other services. You’re likely familiar with these password requirements — there ought to be at least 8 characters, both capital and lowercase letters,

Passwork BlogIliya Garakh, CTO

Passwork 7.2 release

The new version introduces customizable notifications with flexible delivery options, enhanced event logging descriptions, expanded CLI functionality, server-side PIN code storage for the browser extension, and the ability to enable client-side encryption during initial Passwork configuration. Notification settings We’ve added a dedicated notification settings section where you can choose notification

Passwork BlogEirik Salmi

Passwork 7: Security verified by HackerOne

Passwork has successfully completed the penetration testing, carried out by HackerOne — the world’s largest platform for coordinating bug bounty programs and security assessments. This independent evaluation confirmed Passwork’s highest level of data protection and strong resilience against modern cyber threats. What the pentest covered Security architecture and data

Passwork BlogEirik Salmi

Which words pop into your head when creating a password for your new account on a website or on a social network? Safety? Privacy? Well, there’s some bad news — hackers are clued-up on hacking any kind of password that you can think into existence, and as a matter of fact, it’s a global problem.

According to recent Kaspersky analysis of 193 million real-world passwords, 59% can be cracked in under one hour using a modern GPU and smart guessing algorithms. Even more alarming, 45% of those passwords fall in under one minute. This data underscores a harsh reality for enterprise security teams: traditional password complexity rules are failing.

Attackers no longer rely solely on manual guessing. They deploy industrialized, AI-assisted tools and Malware-as-a-Service platforms to harvest credentials at an unprecedented scale. The leak of 16 billion credentials from 30 data sources and the exposure of 184 million credentials on underground markets demonstrate the sheer volume of data available to threat actors.

This article explains how each major password cracking technique works, the real-world scale of these threats, and what organizations must do to defend against them. Understanding the attacker’s toolkit is the first step in securing your enterprise infrastructure.

What is password cracking?

Password cracking is the process by which attackers attempt to recover or bypass authentication credentials — either by decrypting stolen password hashes offline or by guessing credentials directly against live systems. Techniques range from automated brute-force and dictionary attacks to AI-powered guessing, phishing, and infostealer malware.

Security professionals divide these techniques into two primary categories: online and offline attacks:

• Online attacks involve interacting directly with a live authentication system, such as a website login portal or an SSH gateway. These attacks are inherently constrained by network latency, rate-limiting, and account lockout policies.
• Offline attacks pose a far greater enterprise threat. When attackers steal a database of hashed passwords, they can attempt to crack them on their own hardware without triggering any network alarms. Unconstrained by rate limits, attackers leverage immense computational power. A single modern GPU, such as an NVIDIA RTX 4090, can process 164 billion MD5 hashes per second. Against this level of hardware, weak passwords are mathematically trivial to break.

Top 12 Password cracking techniques hackers use in 2025

1. Brute force attack

A brute force attack relies on exhaustive enumeration. The attacker’s software systematically tries every possible combination of characters — letters, numbers, and symbols — until it finds the correct match. It is the most fundamental password cracking technique, guaranteeing success eventually, provided the attacker has enough time and computing power.

To defend against brute force attacks, organizations must enforce minimum length requirements of at least 12 characters. Length provides exponentially more protection than complexity. Implement strict account lockout policies for online portals to stop live guessing.

For stored data, ensure all passwords are hashed using computationally expensive algorithms like bcrypt or Argon2, which intentionally slow down the verification process and neutralize hardware advantages.

2. Dictionary attack

A dictionary attack uses a precompiled list of likely passwords to guess credentials. Attackers leverage massive wordlists, such as the infamous RockYou dataset, Have I Been Pwned dumps, and custom lists derived from Open-Source Intelligence (OSINT). They combine these base words with rule-based mutations, adding common numbers, capitalization, and “leet speak” substitutions (e.g., replacing “a” with “@”).

This method is highly efficient because we are predictable. We favor memorable words and patterns. Kaspersky’s analysis revealed that 57% of all analyzed passwords contain a dictionary word or a common symbol combination. Instead of trying every possible character, a dictionary attack tests the passwords people actually use, drastically reducing the time required to breach an account.

Defense requires blocking common passwords at the point of creation. Integrate a breached password monitoring service into your Active Directory or identity provider to prevent users from selecting known compromised terms. Enforce true randomness in password generation, moving away from simple substitutions that dictionary rules easily anticipate.

3. Credential stuffing

Credential stuffing exploits the human habit of password reuse. Attackers take massive lists of usernames and passwords exposed in one breach and systematically test them across hundreds of other services using automated botnets. If a user utilizes the same password for their personal email and their corporate VPN, a breach of the former immediately compromises the latter.

The 2025 Verizon Data Breach Investigations Report (DBIR) highlights the dominance of this technique. Compromised credentials served as the initial access vector in 22% of all confirmed breaches. Credential stuffing accounted for a median 19% of all daily authentication attempts across monitored networks, spiking to an overwhelming 44% on the worst days. The 2023 breach of 23andMe stands as a canonical example of how devastating this attack vector can be when users recycle credentials.

Since employees cannot memorize dozens of unique credentials, companies must implement an enterprise password manager like Passwork. It automatically generates and securely stores unique credentials, eliminating the practice of password reuse. Deploy Multi-Factor Authentication (MFA) across all external-facing portals. Security teams must monitor authentication logs for anomalous login patterns.

4. Password spraying

Password spraying is the inverse of a traditional brute force attack. Instead of trying thousands of passwords against a single account, an attacker tries one highly probable password — such as "“Password1!” or “Welcome2025” — against thousands of different accounts. This “low and slow” approach is specifically designed to evade account lockout policies and intrusion detection systems.

This technique remains highly effective against large organizations. SSH.com notes that Single Sign-On (SSO) environments are particularly vulnerable, as one successful guess grants access to a wide array of corporate resources. Attackers often time their spraying campaigns to coincide with corporate events, seasonal changes, or new employee onboarding, using passwords relevant to the context.

To stop password spraying, organizations must block commonly sprayed passwords globally. Implement MFA to ensure that a guessed password alone is insufficient for access. Security Information and Event Management (SIEM) systems should be configured to monitor for distributed, low-frequency login failures across the network, which often indicate an ongoing spray attack.

5. Rainbow table attack

A rainbow table attack uses massive, precomputed tables of hash-to-plaintext pairings to reverse cryptographic hashes instantly. Instead of calculating hashes on the fly, the attacker simply looks up the stolen hash in their database to find the corresponding password. This technique is devastatingly effective against older, unsalted hashing algorithms like LM, NTLM, and MD5.

The effectiveness of rainbow tables relies entirely on the absence of a cryptographic “salt” — a random string of data added to the password before hashing. If two users have the same password, an unsalted hash will look identical for both. A rainbow table exploits this predictability. Defending against rainbow tables is straightforward: ensure all password storage uses salted hashing. When a unique salt is added to every password, the precomputed tables become useless.

6. Phishing and spear phishing

The easiest and most common way of hacking someone’s password is phishing. There are plenty of techniques here: phishing can take the form of an email, an SMS, a direct message on a social media platform, or a public post on a website.

Phishing bypasses the technical challenge of cracking a password by simply tricking the user into handing it over. Attackers deploy fake login pages, deceptive email lures, and sophisticated Adversary-in-the-Middle (AiTM) proxy attacks. AiTM attacks are particularly dangerous because they sit between the user and the legitimate service, capturing session cookies and MFA tokens in real time.

Phishing takes many forms. Spear phishing targets specific individuals with highly personalized lures. Smishing uses SMS messages, vishing relies on voice calls, and whaling targets C-suite executives. The IBM Cost of a Data Breach Report 2025 identified phishing as the most common initial attack vector, responsible for 16% of breaches at an average cost of $4.88 million per incident.

Defense requires a multi-layered approach. Regular security awareness training helps employees recognize deceptive tactics. Deploy strict email filtering and DMARC authentication to block malicious messages before they reach the inbox. Most importantly, organizations must transition to phishing-resistant MFA, such as FIDO2 security keys or passkeys, which mathematically bind the authentication token to the specific legitimate domain, rendering stolen credentials useless.

7. Keylogger and infostealer malware

While traditional keyloggers simply recorded keystrokes, modern attackers utilize highly sophisticated infostealer malware. Families like Lumma, Acreed, and StealC V2 operate silently, extracting saved browser passwords, active session cookies, cryptocurrency wallets, and MFA tokens in a single sweep.

The scale of this threat is staggering. According to Vectra AI and DeepStrike, infostealers stole 1.8 billion credentials from 5.8 million devices in 2025 — representing an 800% year-over-year increase. This explosion is driven by the Malware-as-a-Service (MaaS) model. Sophisticated infostealer platforms are available on dark web forums for as little as $200 per month, lowering the barrier to entry for cybercriminals.

To defend against infostealers, organizations must deploy robust Endpoint Detection and Response (EDR) solutions. Implement privileged access management to restrict the execution of unauthorized software. Employees must be strictly prohibited from saving corporate credentials in built-in browser password managers. Using a dedicated, encrypted vault like Passwork isolates credentials from malicious endpoint processes and prevents mass theft by infostealers.

8. Man-in-the-Middle (MitM) attack

A Man-in-the-Middle (MitM) attack occurs when an attacker intercepts communication between a user and a legitimate service. This can happen on unsecured public Wi-Fi networks, through rogue access points, or via DNS cache poisoning. The attacker captures the traffic, extracting plaintext passwords or session tokens as they travel across the network.

The modern evolution of this technique is the Adversary-in-the-Middle (AiTM) proxy attack. Attackers use reverse proxies to seamlessly relay traffic between the victim and the real authentication server. When the user enters their password and MFA code, the proxy captures the resulting authenticated session cookie, allowing the attacker to bypass MFA entirely.

Defense relies on robust encryption and network security. Enforce HTTPS and TLS 1.3 across all internal and external communications. Require the use of corporate VPNs when employees connect from public or untrusted networks. To defeat AiTM attacks, deploy phishing-resistant FIDO2 authentication, which validates the origin of the request and prevents session token theft.

9. Social engineering

Social engineering attacks target the human layer of security. Attackers use pretexting, impersonation, and psychological manipulation to bypass technical controls. A common tactic involves calling the IT service desk, impersonating a legitimate employee, and requesting an urgent password reset.

Research from Specops Secure Service Desk highlights that helpdesk agents are frequent targets for these attacks. Attackers gather personal information from LinkedIn or other public sources to answer basic security questions, convincing the agent to hand over temporary credentials or reset an MFA device.

Defending against social engineering requires strict, verifiable protocols. Service desks must implement rigorous identity verification procedures that do not rely on easily discoverable public information. Security awareness training should extend to IT staff, focusing on the tactics used to manipulate support personnel. Implement Zero Trust access policies to limit the blast radius if an account is compromised through human error.

10. Hybrid attack

A hybrid attack combines the speed of a dictionary attack with the thoroughness of a brute force approach. Attackers take a known base word — often a company name, a season, or a previously leaked password — and append or prepend numbers, symbols, and years.

This technique is exceptionally effective against post-breach password resets. When forced to change a compromised password like “Atlanta2024!”, a user will predictably change it to “Atlanta2025!”. Attackers know this behavior and configure their cracking tools to test these incremental variations automatically.

Defense requires strict password history policies. Active Directory and identity providers must be configured to block incremental variations of previous passwords. Organizations should move away from arbitrary password expiration policies, which encourage users to create predictable, iterative passwords, and instead focus on continuous breached password monitoring.

11. Pass-the-Hash (PtH) and Kerberoasting

Pass-the-Hash (PtH) and Kerberoasting are advanced techniques specifically targeting enterprise Active Directory environments. In a PtH attack, an adversary extracts the NTLM hash of a user’s password from a compromised machine’s memory using tools like Mimikatz. They then use this hash to authenticate to other network resources without ever needing to crack the plaintext password.

Kerberoasting targets service accounts. Any authenticated domain user can request a Kerberos service ticket for a Service Principal Name (SPN). The attacker extracts this ticket and takes it offline, attempting to crack the service account’s password hash at their leisure. Because service accounts often have high privileges and rarely change their passwords, they are prime targets.

Defending against these lateral movement techniques requires strict control over privileged accounts. Adhere to the principle of least privilege. Passwork allows teams to securely manage shared administrative passwords using a Role-Based Access Control (RBAC) model, ensuring that critical hashes are not compromised due to careless storage. Monitor network traffic for unusual Kerberos ticket requests. Transition to Group Managed Service Accounts (gMSAs), which automatically rotate complex passwords, eliminating the risk of offline Kerberoasting.

12. AI-powered password guessing

Artificial Intelligence has fundamentally altered the password cracking landscape. Tools like PassGAN use Generative Adversarial Networks (GANs) trained on massive datasets of leaked credentials. Instead of relying on static wordlists or rigid mutation rules, these neural networks learn the underlying psychology of how humans construct passwords. They generate statistically likely candidates with terrifying accuracy.

When AI generation is combined with high-speed hashing tools like Hashcat, the overall success rate of cracking campaigns increases dramatically. AI tools complement traditional methods, filling the gaps where dictionary rules fail.

Defense against AI-powered guessing requires passwords that lack human patterns entirely. Organizations must mandate the use of password managers to generate and store passwords of 15 or more characters with true cryptographic randomness. Combine this with robust MFA and continuous breached password monitoring to mitigate the threat of AI-generated guesses.

How hackers prioritize their targets

Attackers operate with a clear economic model, prioritizing techniques based on efficiency, scale, and the value of the target. Credential stuffing and phishing are the preferred methods for mass exploitation. Because stolen credentials sell for as little as $10 on criminal markets, the return on investment for automated stuffing campaigns is exceptionally high.

When attackers acquire a database of hashed passwords, they turn to dictionary attacks and AI-powered guessing, reserving resource-intensive brute force attacks for high-value administrative accounts. Infostealer malware is deployed selectively against targets likely to yield access to corporate networks, cryptocurrency assets, or proprietary source code.

Time is always on the attacker’s side. Check Point found that organizations take an average of 94 days to remediate compromised credentials exposed in GitHub repositories. Attackers exploit this window aggressively, using automated scripts to validate and weaponize leaked secrets within minutes of exposure. Understanding this prioritization helps defenders allocate their resources effectively, focusing on the attack vectors that present the highest statistical risk.

How to protect your organization against password cracking

Securing an enterprise against modern password cracking requires a comprehensive, layered defense strategy. Technical controls must align with human behavior to create a resilient authentication environment.

1. Enforce strong, unique passwords
   Length matters more than complexity. Following NIST SP 800-63B guidance, organizations should require passwords of at least 12 characters. Because humans cannot memorize dozens of long, random strings, provide an enterprise password manager to generate and store truly random credentials for every service.
2. Deploy Multi-Factor Authentication (MFA)
   MFA is mandatory, but not all MFA is equal. Prioritize phishing-resistant authentication methods like FIDO2 security keys or passkeys. Move away from SMS-based One-Time Passwords (OTPs), which are highly vulnerable to SIM swapping and AiTM proxy attacks.
3. Monitor for breached credentials
   The Verizon 2025 DBIR notes that only 3% of passwords meet NIST complexity requirements. Organizations must continuously check employee passwords against known breach databases. If a credential appears in a public dump, the system should force an immediate reset.
4. Implement privileged access management
   Protect service accounts and shared credentials, which are the primary targets for lateral movement attacks like Pass-the-Hash and Kerberoasting. Restrict administrative access and log all privileged sessions.
5. Conduct security awareness training
   Social engineering and phishing remain the most common initial access vectors. Regular, contextual training and simulated phishing tests measurably reduce employee susceptibility to credential harvesting lures.
6. Deploy a centralized enterprise password manager
   Security policies work effectively when employees have convenient tools to follow them. Implementing an enterprise password manager like Passwork solves the human factor problem.

Passwork provides teams with an encrypted vault featuring granular Role-Based Access Control (RBAC), detailed audit logs, and seamless Active Directory/SSO integration. For companies with strict compliance requirements, Passwork offers an on-premise version, allowing organizations to host all encrypted data exclusively on their own servers and eliminate the risks associated with cloud breaches.

Conclusion

The threat landscape has shifted fundamentally. Password cracking has evolved from a niche technical skill into an industrialized, AI-assisted, and MaaS-enabled attack category. The 2025 data is unambiguous: stolen credentials drive the vast majority of corporate breaches, and the tools available to attackers have never been more powerful or accessible. Relying on outdated complexity rules and manual password management is a guaranteed path to compromise.

The most effective organizational response requires a holistic approach. It combines strong password hygiene, phishing-resistant MFA, continuous breach monitoring, and a centralized password management platform.

Are you ready to protect your corporate infrastructure against modern cracking techniques? Discover how Passwork helps enterprise teams securely store, generate, and manage corporate passwords with complete control over their data.

Frequently asked questions

The 2025 small business cybersecurity checklist: A complete guide | Passwork

Passwork’s 2025 cybersecurity checklist, based on the NIST framework, provides actionable steps to prevent data breaches and financial loss.

Passwork BlogEirik Salmi

Passwork 7.1: Vault types

Vault types Passwork 7.1 introduces a robust vault types architecture, providing enterprise-grade access control for enhanced security and management. Vault types address a key challenge for administrators: controlling data access and delegating vault management across large organizations. Previously, the choice was limited to two types. Now, you can create

Passwork BlogEirik Salmi

Passwork 7: Security verified by HackerOne

Passwork has successfully completed the penetration testing, carried out by HackerOne — the world’s largest platform for coordinating bug bounty programs and security assessments. This independent evaluation confirmed Passwork’s highest level of data protection and strong resilience against modern cyber threats. What the pentest covered Security architecture and data

Passwork BlogEirik Salmi

Cryptography is both beautiful and terrifying. Perhaps a bit like your ex-wife. Despite this, it represents a vital component of day-to-day internet security; without it, our secrets kept in the digital world would be exposed to everyone, even your employer. I doubt you’d want information regarding your sexual preferences to be displayed to the regional sales manager while at an interview with Goldman Sachs, right?

Computers are designed to do exactly what we ask them to do. But sometimes there are certain things that we don’t want them to do, like expose your data through some kind of backdoor. This is where cryptography comes into play. It transforms useful data into something that can’t be understood without the proper credentials.

Let’s take a look at an example. Most internet services need to store their users’ password data on their own servers. But they can’t store the exact values that people input on their devices because, in the event of a data breach, malevolent intruders would effectively gain access to a simple spreadsheet of all usernames and passwords.

This is where ‘Hash’ and ‘Salt’ help us a lot. Throughout this article, we’re going to explain these two important encryption concepts through simple functions in Node.JS.

What is a ‘hash’?

A ‘hash’ literally means something that has been chopped and mixed, and originally was used to describe a kind of food. Now, chopping and mixing are exactly what the hash function does! You start with some data, you pass it through a hash function where it gets whisked and chopped, and then you watch it get transformed into a fixed-length value (which at first sight seems pretty meaningless). The important nuance here is that, contrary to cooking, an input always produces a corresponding output. For the purposes of cryptography, such a hash function should be easily computable and all values should be unique. It should work in a similar way to mashing potatoes – mashing is a one-way process; the raw potato may not be restored once it has been mashed. Indeed, the result of a hash function should be impenetrable to computer-led reverse engineering efforts.

These properties come in handy when you’re looking to store user passwords on a database – you don’t want anyone to know their real values.

Let’s implement a hash in Node.JS!

First, let’s import the createHash function from the built-in ‘crypto’ module:

const { createHash } = require ('crypto');

Next, we ought to define the module that we’re naming as the ‘hash’ (which takes a string as the input, and returns a hash as the output):

function hash(input) {
    return createHash();
}

We also need to specify the hashing algorithm that we want to use. In our case, it will be SHA256. SHA stands for Secure Hash Algorithm and it returns a 256-bit digest (output). It is important to architect your code so it is easy to switch between algorithms because at some point in time they won’t be secure anymore. Remember, cryptography is always evolving.

function hash(input) {
    return createHash('sha256');
}

Once we call our hashing function, we may call ‘update’ with the input value and return the output by calling ‘digest’. We should also specify the format of the output (e.g. hex). In our case, we’ll go with Base64.

function hash(input) {
    return createHash('sha256').update(input).digest('base64');
}

Now that we have our hash function, we can provide some input, and console log the result.

let youShallNotPassPass = 'admin1234';
const hashRes1 = hash(youShallNotPassPass);
console.log(hashRes1)

Here’s our baby hash:
rJaJ4ickJwheNbnT4+I+2IyzQ0gotDuG/AWWytTG4nA=

So, how can we use this long, convoluted string of numbers, letters, and symbols? Well, now it’s easy to compare two values while operating with only hashes.

let youShallNotPassPass = 'admin1234';
const hashRes1 = hash(youShallNotPassPass);
const hashRes2 = hash(youShallNotPassPass);
const isThereMatch = hashRes1 === hashRes2;
console.log(isThereMatch ? 'hashes match' : 'hashes do not match’)

As long as hash values are unique object representations, they can be useful for object identification. For example, they might be used to iterate through objects in an array or find a specific one in the database.

But we have a problem. Hash functions are very predictable. On top of that, people don’t use strong passwords that often, so the hacker may just compare the hashes on a database with a precomputed spreadsheet of the most common passwords. If the values match – the password is compromised.

Because of this, it’s insufficient to just use a hash function to store unique ids on a password database.

And that’s where our second topic makes an entrance – Salt.

‘Salt’ is a bit like the mineral salt that you would add to a batch of mashed potatoes – the taste will definitely depend on the amount and type of salt used. This is exactly what salt in cryptography is – random data that is used as an additional input to a hash function. Its use makes it much harder to guess what exact data stands behind a certain hash.

So, let’s salt our hash function!

First, we ought to import ‘Scrypt' and ‘RandomBytes’ from the ‘crypto’ module:

const { scryptSync, randomBytes } = require('crypto');

Next, let’s implement signup and login functions that take ‘nickname’ and ‘password’ as their inputs:

function signup(nickname, password) { }
function login(nickname, password) { }

When the user signs up, we will generate a salt, which is a random Base64 string:

const salt = randomBytes(16).toString('base64');

And now, we hash the password with a 'pinch' of salt and a key length, which is usually 64:

const hashedPassword = scryptSync(password, salt, 64).toString('base64');

We use ‘Scrypt’ because it’s designed to be expensive computationally and memory-wise in order to make brute-force attacks unrewarding. It’s also used as proof of work in cryptocurrency mining.

Now that we have hashed the password, we need to store the accompanying salt in our database. We can do this by appending it to the hashed password with a semicolon as a separator:

const user = { nickname, password: salt + ':' + hashedPassword}

Here’s our final signup function:

function signup(nickname, password) {
    const salt = randomBytes(16).toString('base64');
    const hashedPassword = scryptSync(password, salt, 64).toString('base64');
    const user = { nickname, password: salt + ':' + hashedPassword};
    users.push(user);
    return user;
}

Now let’s create our login function. When the user wants to log in, we can grab the salt from our database to recreate the original hash:

const user = users.find(v => v.nickname === nickname);
const [salt, key] = user.password.split(':');
const hash = scryptSync(password, salt, 64);

After that, we simply check whether the result matches the hash in our database. If it does, the login is successful:

const match = hash === key;
return match;

Here is the complete login function:

function login(nickname, password) {
    const user = users.find(v => v.nickname === nickname);
    const [salt, key] = user.password.split(':');
    const hash = scryptSync(password, salt, 64).toString('base64');
    const match = hash === key;
    return match;
}

Let’s do some testing:

//We register the user:
const user = signup('Amy', '1234');

//We try to login with the wrong pass:
let isSuccess = login('Amy', '12345');
console.log(isSuccess ? 'Login success' : 'Wrong password!')

//Wrong password!
//We try to login with the correct pass:
isSuccess = login('Amy', '1234')
console.log(isSuccess ? 'Login success' : 'Wrong password!')

//Login success

Our example, hopefully, has provided you with a very simplified explanation of the signup and login process. It’s important to note that our code is not protected against timing attacks and it doesn’t use PKI infrastructure to check hashes, so there are plenty of vulnerabilities for hackers to exploit.

Cryptography itself can be described as the constant war between hackers and cryptographic engineers. Or, that familiar legal battle with your ex-wife over her maintenance payments. After all, what works today may not work tomorrow. A proof of MD5 hash algorithm vulnerability is a very good example.

So if your task is to ensure your users’ data privacy, be ready to constantly update your functions to counteract the recent ‘breakthroughs’.

Python connector 0.1.5: Automated secrets management

The new Python connector version 0.1.5 expands CLI utility capabilities. We’ve added commands that solve critical tasks for DevOps engineers and developers — secure retrieval and updating of secrets in automated pipelines. What this solves Hardcoded secrets, API keys, tokens, and database credentials create security vulnerabilities and operational bottlenecks.

Passwork BlogEirik Salmi

How secure are smart home devices?

Are you sure that your home is protected in the way that you think? Sure, you can secure it with modern locks or an alarm system to protect yourself from robbers who want to steal your money or furniture, but what about those who are looking at your home as

Passwork BlogIliya Garakh, CTO

Insider threats: Prevention vs. privacy

Insider threats are a major cybersecurity risk, often overlooked. Prevention requires balancing trust and security focus on monitoring risk-based behaviors, not constant surveillance. Use AI for early detection, educate staff, and be transparent to foster trust while protecting data.

Passwork BlogIliya Garakh, CTO