Certified: The Security+ Prepcast

Passwords are often the first—and sometimes only—barrier between an attacker and a user’s data. Yet time and time again, poor password practices are exploited in breaches, ransomware campaigns, and credential stuffing attacks. That’s why secure password management remains a core pillar of cybersecurity. In this episode, we’ll review essential password best practices, explore the use of password managers, and discuss how organizations are starting to move beyond passwords entirely with passwordless authentication.
Let’s begin with password best practices. These guidelines aren’t just recommendations—they’re proven techniques to reduce risk and make it harder for attackers to gain access.
The first principle is length. Longer passwords are exponentially harder to crack using brute force or dictionary attacks. While many systems used to require a minimum of eight characters, current best practices suggest a minimum of twelve—and even more for administrative or sensitive accounts.
Next is complexity. Complexity means using a combination of uppercase and lowercase letters, numbers, and special characters. This increases the number of possible combinations and makes the password harder to guess. However, complexity should not come at the expense of usability. A long, memorable passphrase—like “RedCanoeRunsFast!”—is often more secure and user-friendly than something like “R7@t1X#z”.
Password reuse is another major concern. If users reuse the same password across multiple sites or services, a breach at one provider can compromise many accounts. Attackers frequently use stolen credentials in automated attacks called credential stuffing—trying the same username and password on dozens of platforms. That’s why each account should have a unique password.
Expiration policies have traditionally required users to change passwords every 60 or 90 days. However, research shows that forced, frequent changes often result in weaker passwords or predictable patterns. Instead of routine expiration, the focus should be on detecting password compromise and requiring resets when needed. This includes implementing breach detection tools and multifactor authentication to reduce dependence on the password alone.
Password age is related. If a password hasn’t been changed in years—and the account hasn’t used multifactor authentication—it may be vulnerable to exposure. High-value accounts should have their passwords reviewed or rotated on a reasonable schedule and after key events like job changes, system updates, or suspected compromise.
Let’s look at a real-world example. A small law firm suffers a breach after an attacker logs in using a paralegal’s email credentials. The password had been reused from a previous job and was exposed in a public breach months earlier. No multifactor authentication was in place, and the password had not been changed in over a year. Once inside, the attacker exfiltrates client documents and case notes. This breach could have been prevented with stronger password hygiene and regular checks for compromised credentials.
Now let’s turn to password managers. These tools allow users to store, generate, and autofill complex passwords across devices. Instead of remembering dozens of unique passwords, users only need to remember one strong master password. The password manager does the rest—creating long, random, and unique credentials for each site or service.
Password managers reduce the temptation to reuse passwords or store them in unsafe locations—like spreadsheets, notepads, or browser autofill tools. Many also offer alerts for reused or compromised passwords, password strength scoring, and integration with breach databases.
Let’s consider a practical scenario. A marketing team adopts a password manager to store shared credentials for design tools, content platforms, and social media accounts. Each login is protected by a unique password, and access to the manager requires multifactor authentication. If a team member leaves the company, their access to the vault is revoked immediately. This centralizes control, improves password hygiene, and supports onboarding and offboarding securely.
When implementing password managers, organizations should choose tools with end-to-end encryption, zero-knowledge architecture, and enterprise controls. Administrators should be able to enforce policies, reset accounts, audit access, and monitor for suspicious behavior. Employees should receive training on creating strong master passwords, enabling multifactor authentication, and safely using password manager browser extensions or mobile apps.
Now let’s look ahead—to passwordless authentication. This approach removes passwords from the login process entirely, replacing them with more secure and user-friendly methods. Common passwordless technologies include biometrics, push notifications, hardware security keys, one-time codes, and certificate-based authentication.
The benefits of going passwordless are clear: no more password resets, no more credential stuffing, and no more phishing for credentials that don’t exist. Instead, users authenticate with a trusted device or biometric factor—something that’s much harder to steal or guess.
Let’s explore a real-world example. A software company transitions to passwordless logins using FIDO2 security keys and biometric authentication. Developers log in using a fingerprint scan on their laptop or a tap of a USB security key. The login is fast, secure, and resistant to phishing. No passwords are stored, and access is linked to the physical device and user presence.
Another approach is to use a mobile authenticator app. When a user attempts to log in, they receive a push notification on their phone. Tapping “approve” completes the login, while denying the request prevents access. This adds a strong possession factor and eliminates the password entirely.
Passwordless authentication does require investment. Systems must be updated to support protocols like WebAuthn, users must register devices, and backup methods must be available in case a device is lost. But as phishing attacks increase and password fatigue worsens, many organizations see passwordless as the future of identity security.
It’s important to note that going passwordless is a journey, not a switch. Many environments start by reducing the number of password-based logins, integrating passwordless options into Single Sign-On platforms, and moving high-risk accounts to passwordless first. Over time, the goal is to eliminate passwords where feasible while maintaining strong authentication and user experience.
To summarize, secure password management starts with enforcing best practices—length, complexity, uniqueness, and informed policies around expiration. Password managers help users maintain strong, unique credentials across systems, while reducing the risks of reuse and poor storage. And passwordless authentication offers a path forward—replacing passwords with smarter, stronger, and more user-friendly methods that reduce risk and support zero trust architectures.
For the Security Plus exam, expect questions about password policy, storage, reuse risks, and when to use password managers. You may also see questions about passwordless protocols, authentication factors, and how to balance user convenience with security. Review terms like TOTP, password vault, credential reuse, master password, and WebAuthn—they’re all testable and tied directly to current identity security practices.
For more help preparing for the exam, visit us at Bare Metal Cyber dot com. You’ll find additional podcast episodes, downloadable tools, and a free newsletter to support your study goals. And when you're ready to master every domain of the Security Plus exam, go to Cyber Author dot me and get your copy of Achieve CompTIA Security Plus S Y Zero Dash Seven Zero One Exam Success. It’s the fastest and most efficient way to build confidence and pass the test.