SQL Injection Prevention: Escaping vs Parameterization
Learn the critical differences between escaping and parameterized queries for SQL injection prevention. Understand why parameterization is the gold standard for database security.
After years of managing passwords for client projects at Šikulovi s.r.o., I've learned the hard way that 'clever' passwords are actually the weakest. A client account breach in 2018 taught me why truly random passwords matter.
Back in 2018, I thought I was being smart. My password system was beautiful: take a memorable phrase, replace letters with numbers, add the site name at the end. Something like 'P@ssw0rd_GitHub' felt secure because I could remember it and it looked complex. Then one of my client accounts got compromised.
The thing is, attackers don't sit there typing passwords manually. They use dictionaries with millions of common substitutions already included. My 'clever' system was in those dictionaries. P@ssw0rd? First thing they try. Adding a site name? They script that too.
That breach taught me something important: human-generated passwords feel secure but aren't. We're predictable. We use patterns. And attackers know every pattern we think we invented.
Entropy measures how unpredictable a password is. Higher entropy means more possible combinations an attacker must try. It's measured in bits - each bit doubles the number of possibilities.
A truly random 12-character password using uppercase, lowercase, numbers, and symbols has about 79 bits of entropy. That's roughly 604 sextillion possible combinations. Your 'clever' password with predictable patterns? Maybe 20-30 bits at best.
I use the Password Generator to create passwords with at least 80 bits of entropy. The math is simple: more randomness equals more security. No cleverness required.
Here's my honest take: you cannot securely manage passwords without a password manager. I tried for years. I used my 'system'. I reused passwords across sites. I wrote them in notebooks. All terrible ideas.
Now I use a password manager for everything. Each site gets a unique, randomly generated password. I only need to remember one strong master password. The password manager remembers the other 200+.
When people tell me they don't trust password managers, I ask them: do you trust your memory more? Do you trust that notebook in your desk drawer? The answer is always no when they think about it.
For my master password and a few other critical accounts, I use passphrases instead of random characters. A passphrase like 'correct-horse-battery-staple' is easier to type and remember while still being secure - if the words are truly random.
The key word is random. 'I love my dog fluffy' is not a secure passphrase because it's a natural phrase. But four random dictionary words? That's 44+ bits of entropy per word if chosen properly.
I use random character passwords for accounts I'll only access through my password manager, and passphrases for the few I need to type manually. The Password Generator supports both approaches.
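To make the entropy arithmetic above concrete for both random-string passwords and passphrases, here is an added Python example; it is not CodeUtil's Password Generator (whose code this post does not show) and it assumes a 94-symbol printable ASCII alphabet, a 7776-word Diceware-style list size, and a constructed 16-word demo list.

```python
import math
import secrets
import string

# 94 printable ASCII characters excluding space: upper, lower, digits, symbols.
CHARSET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent, uniformly random picks from `alphabet_size` symbols.
    Each extra bit doubles the search space an attacker must cover."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of uniformly chosen words that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def random_password(length: int = 20, alphabet: str = CHARSET) -> str:
    """Random-string password drawn from the OS CSPRNG via `secrets` (never `random`)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(wordlist, count: int = 4, sep: str = "-") -> str:
    """Passphrase of `count` words drawn uniformly, with replacement, from `wordlist`.
    Entropy depends only on the list size and count, not on how the words look."""
    return sep.join(secrets.choice(wordlist) for _ in range(count))


# Constructed 16-word list for demonstration only; a real Diceware-style list has 7776 words.
DEMO_WORDS = ("correct", "horse", "battery", "staple", "river", "candle", "orbit", "fossil",
              "maple", "zebra", "copper", "violin", "puzzle", "anchor", "glacier", "walnut")

if __name__ == "__main__":
    print(f"12 random chars from {len(CHARSET)} symbols: {entropy_bits(len(CHARSET), 12):.1f} bits")
    print(f"4 words from a 7776-word list: {entropy_bits(7776, 4):.1f} bits")
    print(f"4 words from the {len(DEMO_WORDS)}-word demo list: {entropy_bits(len(DEMO_WORDS), 4):.1f} bits")
    print(f"words needed for 80 bits from a 7776-word list: {words_needed(80, 7776)}")
    print("password:  ", random_password(24))
    print("passphrase:", random_passphrase(DEMO_WORDS))
```

The demo list shows why "if chosen properly" matters: four words from a 16-word list give only 16 bits, while four from a 7776-word list give about 52, and reaching the 80-bit target takes seven such words.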
Even developers who should know better make these mistakes. I review client security practices regularly, and these patterns keep appearing.
The worst offender? Password reuse. I get it - you have a 'secure' password and you trust it. But when one service gets breached (and they will), attackers try that password everywhere. LinkedIn breach in 2012? Those passwords are still being used to access other accounts today.
Second worst: using personal information. Your dog's name, your birthday, your anniversary - all public information for anyone who looks at your social media. These aren't secure no matter how you arrange them.
My workflow is simple now - completely different from my pre-2018 approach. For new accounts, I open CodeUtil's Password Generator (yes, I built this tool specifically because I needed something I could trust), set it to 20+ characters with all character types enabled, generate, and save directly to my password manager. The whole process takes 10 seconds.
For accounts I need to type occasionally (like my laptop login), I generate a passphrase using random words. I'll generate a few options until I find one that's memorable enough without being predictable.
I never try to make passwords 'make sense'. The moment I start thinking 'this would be easier to remember if...' - that's the moment I'm introducing patterns that weaken security. Random means random.
After all my research and that painful experience in 2018, secure passwords come down to three things: length, randomness, and uniqueness. Length provides the entropy. True randomness ensures no patterns to exploit. Uniqueness means one breach stays contained.
The Password Generator handles the first two automatically. Your password manager handles the third by making unique passwords practical to use. Together, they solve the password problem completely.
Honestly, password security isn't complicated anymore. We've had the tools for years. The only thing stopping most people is habit and the false belief that their 'clever system' is secure enough. It isn't - I learned that lesson the hard way. Use random passwords, use a manager, and stop worrying about it.
I use 16+ characters minimum for regular accounts, 20+ for anything financial or sensitive. Honestly, with a password manager there's no reason not to use 24 or more - that's what I do for client credentials at Šikulovi s.r.o. Length is the single biggest factor in password security.
It depends on length. A 4-word passphrase is roughly equivalent to a 12-character random password. I use passphrases when I need to type something manually, random strings for everything else. Both work if done correctly.
The old advice was every 90 days - I used to follow that religiously. Modern guidance says only change them if there's a breach or you suspect compromise. Frequent changes lead to weaker passwords because people use patterns. Use strong unique passwords and change only when necessary.
Good password managers encrypt your vault with your master password before it leaves your device. Even if their servers are breached, attackers get encrypted blobs they can't read. That's why your master password must be extremely strong - it's the one password you need to remember.
I used to think so, but no. 'Unimportant' accounts often have your email and other data that can be used to compromise important accounts. Plus, you might upgrade that account later - like when that free tool you tried becomes essential for work.
Biometrics are great as a second factor, but not as a replacement. You can't change your fingerprint if it's compromised. I use fingerprint to unlock my password manager, but the manager still requires my master password periodically and after restarts.
Founder of CodeUtil. Web developer building tools I actually use. When I'm not coding, I experiment with productivity techniques (with mixed success).