BiTree

Live coding lessons for aspiring developers and security professionals.
© 2026 BiTree. All rights reserved.
35 min · Beginner

Password Managers and Credential Hygiene

After this lesson, you will be able to: Explain why humans are bad at passwords, how password managers and passkeys work, and apply developer-specific credential hygiene.

The defensive counterpart to the attack lesson. We cover why human password habits fail, how password managers work, passkeys (FIDO2) as a phishing-resistant replacement for passwords, and credential hygiene specifically for developers handling service credentials.

Prerequisites: Brute Force and Password Attacks with Hydra

Why humans are bad at passwords

People cannot remember many strong, unique passwords, so they reuse them, pick predictable patterns (a word plus a year plus a symbol), and modify one base password slightly per site. Attackers know all of this; wordlists and rules encode exactly these human tendencies. The fix is not 'try harder to remember,' it is to stop relying on human memory at all.

Password managers

A password manager generates and stores a unique, long, random password for every site, locked behind one strong master password (and ideally MFA). You remember one secret; the manager handles the rest. Cloud-synced managers (Bitwarden, 1Password) sync across devices; local ones (KeePassXC) keep the vault file under your control. The master password protects everything, so it must be strong and never reused. This single habit eliminates password reuse and the credential-stuffing risk that comes with it.

Passkeys: the phishing-resistant future

Passkeys implement the FIDO2/WebAuthn standard. Instead of a shared secret, your device holds a private key and the site holds the matching public key; logging in proves you control the private key without ever sending a password. Passkeys are phishing-resistant because the credential is cryptographically bound to the real site's origin, so a fake login page cannot capture anything reusable. They also cannot be leaked in a server breach the way password hashes can. Adoption is growing fast across major platforms.

💡 Developer credential hygiene

Developers hold powerful credentials, so the bar is higher. Separate work and personal accounts. Rotate API keys regularly and the moment one might be exposed. Store service credentials in a password manager or secrets manager, never in code, chat, or a shared doc. Never share credentials over Slack or email; use proper secret-sharing or per-user access. Put MFA on everything that supports it, especially cloud consoles, the domain registrar, and source control.

Quick Check

Why are passkeys phishing-resistant in a way that passwords (even strong ones) are not?

Pick one.

Common mistakes only experienced practitioners catch

  • A weak or reused master password, which undoes the whole manager.
  • No MFA on the password manager or email (the email resets everything else).
  • Storing API keys in a notes app or chat instead of the vault.
  • Sharing a single team login instead of per-user access.
  • Thinking SMS MFA is as strong as a passkey or hardware key.
  • Never rotating long-lived credentials.
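The developer hygiene section and the mistakes list above both come down to checks a team can automate. The following added example (not the lesson's code, and illustrative rather than a complete secret scanner) shows three of them in Node.js: flagging secret-shaped literals in a file or diff, reading a credential from the environment instead of the repository, and listing long-lived credentials that have passed a rotation age. The source lines, credential inventory and dates are constructed; the AWS key is the placeholder value from AWS's own documentation.

```javascript
// Added example, not BiTree's code: three small hygiene checks. Patterns are
// illustrative, not a full secret scanner; all sample data is constructed, and
// the AWS key is the placeholder from AWS's own documentation.

// Shapes of secrets that should never be committed, pasted or shared.
const SECRET_PATTERNS = [
  { name: 'AWS access key id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: 'GitHub personal access token', re: /\bghp_[A-Za-z0-9]{36}\b/ },
  { name: 'private key block', re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
  { name: 'hardcoded secret literal', re: /(?:password|passwd|secret|api[_-]?key)\s*[:=]\s*["'][^"']{8,}["']/i },
];

// Scan text (a file, a diff, a chat export) and report line numbers and types.
function scanForSecrets(text) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    for (const { name, re } of SECRET_PATTERNS) {
      if (re.test(line)) findings.push({ line: idx + 1, type: name });
    }
  });
  return findings;
}

// The correct shape: code names the credential, the environment (filled by a
// secrets manager or the CI system) supplies the value.
function loadCredential(name, env = process.env) {
  const value = env[name];
  if (!value) throw new Error(`${name} is not set; supply it from the secrets manager, not the repo`);
  return value;
}

// Long-lived credentials older than the policy are due for rotation.
function credentialsDueForRotation(creds, maxAgeDays, now = new Date()) {
  const msPerDay = 24 * 60 * 60 * 1000;
  return creds
    .filter((c) => (now - new Date(c.createdAt)) / msPerDay > maxAgeDays)
    .map((c) => c.name);
}

// Constructed sample: a source file with two offences and one correct line.
const SAMPLE_SOURCE = [
  'import os, boto3',
  'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
  'db_password = "hunter2hunter2"',
  'api_key = os.environ["SERVICE_API_KEY"]',
  'timeout = 30',
].join('\n');

// Constructed sample inventory of long-lived credentials.
const SAMPLE_CREDENTIALS = [
  { name: 'ci-deploy-token', createdAt: '2025-01-10T00:00:00Z' },
  { name: 'registrar-api-key', createdAt: '2025-11-01T00:00:00Z' },
];

// Run both checks against the samples with a fixed "now" so the result is stable.
function demo(now = new Date('2025-12-01T00:00:00Z')) {
  return {
    findings: scanForSecrets(SAMPLE_SOURCE),
    dueForRotation: credentialsDueForRotation(SAMPLE_CREDENTIALS, 90, now),
  };
}

console.log(demo());
```

Run as a pre-commit hook or CI step, `scanForSecrets` catches the "key in code" mistake before it reaches the repository, and `credentialsDueForRotation` run on a schedule catches the "never rotated" one; `loadCredential` fails loudly when a value is missing rather than tempting anyone to paste it into the source.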
