Modern password security for system designers

This guide describes and models modern password guidance and recommendations for designers and engineers who create secure online applications. A related guide, Modern password security for users, offers guidance for end users. This guide covers the wide range of options to consider when building a password-based authentication system. It also establishes a set of user-focused recommendations for password policies and storage, including the balance of password strength and usability.

The technology world has been trying to improve on the password since the early days of computing. Shared-knowledge authentication is problematic because information can fall into the wrong hands or be forgotten. The problem is magnified by systems that don't support real-world secure use cases and by the frequent decision of users to take shortcuts.

According to a 2019 Yubico/Ponemon study, 69 percent of respondents admit to sharing passwords with their colleagues to access accounts. More than half of respondents (51 percent) reuse an average of five passwords across their business and personal accounts. Furthermore, two-factor authentication (2FA) is not widely used, even though it adds protection beyond a username and password. Of the respondents, 67 percent don't use any form of 2FA in their personal life, and 55 percent don't use it at work.

Password systems designed for modern applications might also allow, or even encourage, users to use insecure passwords. Systems that allow only single-factor credentials and that implement ineffective security policies add to the problem. Arbitrary and inconsistent rules allow users to handle their passwords insecurely, and password recovery systems can leave the user and the application vulnerable to threat categories they might not have considered.


This document outlines:

  • Trusted sources of thoughtful and researched information about password security
  • Recommendations for engineers who design password management systems
  • Common anti-patterns and urban legends around password security
  • Topics for additional research

To read the full white paper, click the button:

Download the PDF