IMPROVING PASSWORD POLICY AND USING MODERN PASSWORD MANAGERS TO ENHANCE CYBER RESILIENCE OF INFORMATION AND COMMUNICATION SYSTEMS
DOI: https://doi.org/10.28925/2663-4023.2026.32.1114
Keywords:
authentication, passwordless authentication methods, password length, password entropy, password manager, passwords, password policy
Abstract
The article presents a comprehensive study of current password policy issues in modern information and communication systems. It is substantiated that in the face of rapid computer technology development and the growing computing capabilities of cyber adversaries, traditional authentication methods require a significant overhaul. The authors identify key shortcomings of existing approaches, including the use of outdated hashing algorithms, the complexity of implementing multi-factor authentication (MFA) across all workstations, and the critical impact of the human factor (password reuse, storing credentials in plaintext).
Particular attention is paid to the analysis of password entropy as the primary indicator of resistance to brute-force attacks. The paper provides a classification of entropy levels based on the sensitivity of the protected information: from 40–64 bits for public data to over 112–128 bits for critical infrastructure objects and restricted access information. The authors demonstrate that the use of modern graphics processing units (e.g., NVIDIA RTX 4090) allows attackers to crack weak passwords (based on MD5 or SHA-1) in mere minutes, making the transition to long and complex password combinations vital for security.
It is proven that meeting the requirements of modern password policies is practically impossible for the average user without the use of specialized software. In this regard, the functional capabilities and security architecture of leading password managers – 1Password, Bitwarden, and LastPass – are analyzed in detail. Their encryption algorithms (AES-256, Argon2id, PBKDF2) and the "zero-knowledge" concept, which guarantees that only the master password holder can access the data, are thoroughly examined.
The article proposes recommendations for selecting the optimal password length depending on the character set used to achieve target entropy indicators. The authors emphasize that the implementation of automated password management tools combined with multi-factor authentication is a fundamental condition for strengthening national security and increasing the cyber resilience of information and communication systems of state organizations and institutions.
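The relationship between character set, password length and target entropy described above can be worked through as follows. This is an added example, not code or data from the article: it uses the entropy bounds quoted in the abstract (40, 64, 112 and 128 bits), while the tier labels, the choice of character sets and all function names are assumptions made for illustration.

```python
import math
import secrets
import string

# Entropy bounds quoted in the abstract (bits); the tier labels are shorthand.
TIERS = {"public (low)": 40, "public (high)": 64,
         "critical (low)": 112, "critical (high)": 128}

# Common alphabets (assumption: the article's own table may use other sets).
CHARSETS = {
    "digits": string.digits,
    "lowercase": string.ascii_lowercase,
    "alphanumeric": string.ascii_letters + string.digits,
    "printable ASCII": string.ascii_letters + string.digits + string.punctuation,
}

def min_length(alphabet_size: int, target_bits: int) -> int:
    """Smallest L with alphabet_size**L >= 2**target_bits (exact integer math)."""
    if alphabet_size < 2:
        raise ValueError("alphabet needs at least two symbols")
    length, space = 0, 1
    while space < 2 ** target_bits:
        space *= alphabet_size
        length += 1
    return length

def entropy_bits(alphabet_size: int, length: int) -> float:
    """H = L * log2(N); valid only for uniformly random, independent symbols."""
    return length * math.log2(alphabet_size)

def generate(alphabet: str, target_bits: int) -> str:
    """Draw a password of the minimum length for target_bits from the OS CSPRNG."""
    symbols = sorted(set(alphabet))  # duplicates would overstate N
    needed = min_length(len(symbols), target_bits)
    return "".join(secrets.choice(symbols) for _ in range(needed))

def length_table() -> dict:
    """Minimum length per character set and entropy bound."""
    return {name: {tier: min_length(len(cs), bits) for tier, bits in TIERS.items()}
            for name, cs in CHARSETS.items()}

if __name__ == "__main__":
    for name, row in length_table().items():
        print(f"{name:16} N={len(CHARSETS[name]):3} {row}")
    print(generate(CHARSETS["printable ASCII"], 128))
```

The lengths are lower bounds that hold only when every character is chosen uniformly at random, which is what a password manager's generator provides; a human-chosen password of the same length carries far less entropy.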
License
Copyright (c) 2026 Роман Штонда, Роман Зозуля, Олена Бокій

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.