The Bitwarden Blog
Developers Weigh in on Password Best Practices
Developers comprise a special breed of inquisitive problem-solvers, codewriters, thinkers, and creators. Their deep systems knowledge gives them an acute awareness of cyberthreats that helps them protect themselves and often the rest of us from a wide range of cybercriminal activities, from data breaches to identity theft.
Who better, then, to share password security advice? Bitwarden posed this question to its own community of developers: “What do you know about password security that you'd like others to know as well?”
Here's what they said.
One user from the Bitwarden Reddit community writes, “Always implement MFA wherever possible. Don’t rely on passwords alone.”
MFA requires individuals to provide two or more forms of identification to access a digital account, system, or other confidential resources. This approach avoids identifying someone by a single credential, like a password, which on its own is more vulnerable. MFA makes penetrating cybersecurity defenses more difficult and time-consuming, helping deter bad actors.
There are four authentication types you can combine to implement MFA:
Something the user knows
Something the user has
Something physically unique to the user (like a fingerprint)
Something that ties an access device to a geolocation associated with the user
Password generators and diceware programs are great resources for selecting strong passwords that combine length, complexity, and randomness. There are, however, different philosophies on how to use these programs to create random passwords. For example, if you keep generating passwords until you find one you “like,” is that really random? Some argue no. Others say that the strength of a password “is not dependent on whether it has been chosen or passed over.”
Either way, developers agree: Randomness is important when creating a strong password, and the more random it is, the harder it is to crack.
Peppering is a method of cryptography that acts as an additional layer of defense for securing passwords. To pepper passwords, you’ll add a secret value (an extra string of characters) before or after the actual password when logging in. When peppering, It’s important to store the secret value in a location other than the password manager. This ensures that even if someone had access to the main password, they likely do not have access to the pepper.
One member in Reddit also observes, “Nine out of 10 times, solves people's problem with trusting password managers.”
Here’s an example
Your real password: 78#akUy!vbs2
What you have in your password manager: 78#akUy!
vbs2 is your pepper, add it when you log in
Extra long passwords can sometimes get in the way if individuals ever need to manually enter them. One member on Reddit says that “exceeding 20 characters is rarely, if ever, needed, and the only person you'll keep out at those higher character counts is yourself.”
To avoid being locked out of an account for too many login attempts, select passwords that are long but not so lengthy that typing them accurately is a challenge. Tip: Passphrases, a random collection of words, can be easier to remember!
If best practices aren’t easily achievable, people may skip security altogether. One member of the Bitwarden Community Forums points out that while the idea of using a password book to record passwords is often frowned upon, doing so might be recommended depending on the user’s threat model and accessibility needs:
“As an example, elderly users who are not as technically savvy or feel overwhelmed by their computers are also the kind who would to use a password manager or to have excellent recall of their passwords/passphrases. Writing them down in a password book… and putting it away in a secure location (like a locked desk drawer or cabinet) is better than a user that reuses passwords that could lead to credential stuffing. The exposure of a user’s credentials in that scenario will be…fairly limited, making them less prone to use the same password over and over again.”
It’s common knowledge that password managers help individuals and businesses secure passwords, but they can also be used to identify fraudulent websites. A member in the Bitwarden Fosstodon community notes:
“A password manager helps avoid entering your credentials in a fake website, because the autofill option isn't available. It's enough to make you stop and realize you're probably not looking at a valid site.”
“Your security practices only work until somebody figures out how to break them,” notes one Reddit community member. The member advises always using the latest features added to your password manager and following security-minded chat groups to help stay current on the latest best practices.
Ready to implement your own cybersecurity best practices? Try the open-source password manager trusted by tens of thousands of businesses and millions of end users globally. Quickly get started with a free personal account or sign up for a 7-day business trial.
On this page
Back to Blog