Let me guess your password strategy.
You have a "base" password — something memorable, maybe with a capital letter and a number at the end — and you reuse it across most sites with minor variations. MyDog2019! here, MyDog2019# there. Maybe you add the site name somewhere: MyDogNetflix2019!. Feels secure because it's complex. Feels manageable because you can actually remember it.
This strategy is broken. Not "slightly suboptimal" broken. Actually broken, in ways that have real consequences.
Here's why — and more importantly, here's what the alternative actually looks like in practice.
The Problem With Memorable Passwords
Memorable passwords have one fatal flaw: they're guessable. Not necessarily by someone who knows you personally, but by the automated systems that attackers use to crack passwords at scale.
When a database gets breached — and breaches happen constantly, to companies you've definitely used — the stolen password hashes get fed into cracking tools that try billions of combinations per second. These tools don't guess randomly. They use wordlists, common patterns, known password formats, and permutations of all of the above.
MyDog2019! isn't literally in a wordlist. But "common word + year + symbol" is absolutely a pattern these tools know about. They'll try every word in a dictionary combined with every year from 1950 to 2030 and every common symbol. Your password gets cracked, and because you reused variations of it, multiple accounts go down at once.
The other problem: sites you used five years ago that got breached five years ago are still circulating in credential dumps. Your old password — even if you've changed it on the big sites — might still be working credentials on some forum you signed up for once and forgot about. Attackers try those credentials against every major service automatically. This is called credential stuffing, and it works surprisingly often.
What "Actually Secure" Looks Like
A genuinely secure password has three properties:
Long. Length beats complexity every time. correct-horse-battery-staple is harder to crack than P@ssw0rd! despite being easier to type, purely because of length. The math on brute force attacks makes longer passwords exponentially harder to crack regardless of character set. Most security researchers now recommend 16+ characters as a minimum for anything important.
Random. Not "random-ish" — actually random. Human-generated "random" passwords have patterns. We gravitate toward certain characters, avoid others, put numbers at the end, capitalize the first letter. Real randomness comes from a cryptographically secure random number generator, not from a human trying to think of something unpredictable.
Unique. One password per site, no exceptions. This is the one people resist most because it seems impossible to manage. It's not impossible — it just requires a password manager, which we'll get to.
Generate One Right Now
The free Password Generator at sadiqbd.com/developer/password-generator creates cryptographically random passwords instantly — you set the length, choose which character types to include (uppercase, lowercase, numbers, symbols), and it generates a genuinely random password client-side in your browser. Nothing gets sent to a server. Nothing gets logged.
Try generating a few 20-character passwords and notice something: they look completely different from anything you'd ever come up with yourself. No recognizable words, no patterns, no structure your brain would naturally produce. That's exactly the point. That randomness is what makes them secure.
The Character Set Question
People agonize over which characters to include and the answer is: as many as the site allows, within reason.
Uppercase + lowercase + numbers gives you a character set of 62. Add symbols and you're at 94+. Every character you add multiplies the total possible combinations. For a 16-character password, the difference between a 62-character set and a 94-character set is massive — billions of times more combinations.
The practical caveat: some sites have terrible password policies that limit length (anything under 16 characters is a red flag in 2026) or ban certain symbols (another red flag — it often means they're storing passwords in a way that makes certain characters problematic, which suggests their password handling is suspect). Work with what the site allows, but if a site caps you at 8 characters or bans symbols, that's worth noting as a signal about their security practices.
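The two ideas above, drawing a password from a cryptographically secure generator and reasoning about length versus character set, can be checked directly. The block below is an added example and is not the code behind the sadiqbd generator; it uses Python's `secrets` module as the CSPRNG and computes the brute-force entropy for the article's 62- and 94-character alphabets, including the exact ratio for the 16-character case.

```python
import math
import secrets
import string

# Alphabets from the article: 62 = upper + lower + digits, 94 = the same plus punctuation.
CHARSETS = {
    "alnum": string.ascii_letters + string.digits,                       # 62 characters
    "full": string.ascii_letters + string.digits + string.punctuation,   # 94 characters
}


def generate_password(length: int = 20, charset: str = CHARSETS["full"]) -> str:
    """Draw every character independently and uniformly from a CSPRNG.

    secrets.choice() is backed by the OS random source, so no character position
    carries a human habit (capital first, digit last, favourite symbol).
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(charset) for _ in range(length))


def entropy_bits(length: int, charset_size: int) -> float:
    """Brute-force entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(charset_size)


def combinations_ratio(length: int, big: int, small: int) -> float:
    """How many times more candidates a bigger alphabet gives at the same length."""
    return (big / small) ** length


def length_needed(target_bits: float, charset_size: int) -> int:
    """Smallest length that reaches target_bits with the given alphabet."""
    return math.ceil(target_bits / math.log2(charset_size))


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of a passphrase when the attacker knows it is words from a known list.

    This is the honest figure for correct-horse-battery-staple style phrases; the
    per-character brute-force figure is only an upper bound.
    """
    return word_count * math.log2(wordlist_size)


if __name__ == "__main__":
    for _ in range(3):
        print(generate_password(20))

    # Length beats complexity: 28 lowercase letters plus hyphens (27 symbols) versus
    # a 9-character "complex" password drawn from all 94 printable characters.
    print("correct-horse-battery-staple, brute force:", round(entropy_bits(28, 27), 1), "bits")
    print("P@ssw0rd! style, brute force:             ", round(entropy_bits(9, 94), 1), "bits")
    # A 4-word phrase from a 7776-word list, if the attacker knows the list.
    print("4 words from a 7776-word list:            ", round(passphrase_entropy_bits(4, 7776), 1), "bits")

    # The character-set question for a 16-character password.
    print("16 chars, 62-char alphabet:", round(entropy_bits(16, 62), 1), "bits")
    print("16 chars, 94-char alphabet:", round(entropy_bits(16, 94), 1), "bits")
    print("ratio 94^16 / 62^16:", round(combinations_ratio(16, 94, 62)))
    print("length for 128 bits with 94 chars:", length_needed(128, 94))
```

Running it shows the trade-off in numbers: adding symbols to a 16-character password buys roughly ten extra bits, while adding four more characters buys more than that with either alphabet, which is why length is the lever to pull first.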
You Need a Password Manager. Full Stop.
Here's the part people always push back on: "I can't remember random unique passwords for every site."
Correct. You're not supposed to. That's what a password manager is for.
A password manager stores all your passwords encrypted behind one master password. You remember one strong passphrase — long and memorable, in the correct-horse-battery-staple style — and the manager handles everything else. It generates passwords, stores them, and autofills them. You never have to type MyDog2019! again.
Good options that are widely used: Bitwarden (open source, free tier is genuinely good), 1Password (excellent UX, paid), KeePassXC (fully local, nothing in the cloud). Each has tradeoffs but all of them are dramatically better than the alternative.
The common objection is "what if the password manager gets breached?" It's a fair concern. The answer: reputable password managers store an encrypted vault, not plain-text passwords. Even if their servers get breached, what attackers get is your encrypted vault, which is useless without your master password. Bitwarden and 1Password have both been through security audits. Compare this to your current strategy, where a breach of one site potentially exposes variations of your password across dozens of others.
Two-Factor Authentication Changes the Math
Even a weak password becomes dramatically harder to exploit if you have 2FA enabled. Even a strong password benefits from 2FA as a backup.
The hierarchy, roughly:
- Unique strong password + 2FA (authenticator app, not SMS) — excellent
- Unique strong password, no 2FA — good
- Reused password + 2FA — mediocre (credential stuffing still gets past the password step; 2FA is the only thing stopping it)
- Reused password, no 2FA — what most people are actually doing, what attackers rely on
SMS 2FA is better than nothing but has real weaknesses — SIM swapping attacks can intercept SMS codes. An authenticator app (Google Authenticator, Authy, or built into your password manager) is meaningfully more secure than SMS.
For Developers Specifically
If you're building something, a few things that matter here:
Never roll your own password hashing. Use bcrypt, Argon2, or scrypt. Not SHA-256, not MD5, not any fast hashing algorithm — those are designed to be fast, which is exactly wrong for password hashing. You want slow. The sadiqbd toolkit has a Bcrypt Generator if you need to test hash outputs.
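As an added example (not the sadiqbd Bcrypt Generator, and not the only valid format), here is a slow, salted password hash and its verification using scrypt from Python's standard library, one of the three algorithms named above. The cost parameters are assumed values for illustration; the storage string format is also an assumption chosen so the parameters travel with the hash and can be raised later without breaking old records.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed cost parameters: N is the CPU/memory cost (power of two), r the block size,
# p the parallelism. Raise N as hardware gets faster; old hashes stay verifiable because
# the parameters are stored alongside them.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: $scrypt$n=..$r=..$p=..$<salt>$<key>."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)  # fresh random salt per password
    key = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES,
    )
    return "$scrypt$n={}$r={}$p={}${}${}".format(SCRYPT_N, SCRYPT_R, SCRYPT_P, _b64(salt), _b64(key))


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        _, algo, n_s, r_s, p_s, salt_s, key_s = stored.split("$")
        if algo != "scrypt":
            return False
        n, r, p = (int(x.split("=", 1)[1]) for x in (n_s, r_s, p_s))
        salt, key = base64.b64decode(salt_s), base64.b64decode(key_s)
    except (ValueError, TypeError):
        return False  # malformed record: never treat as a match
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=len(key))
    return hmac.compare_digest(candidate, key)  # constant-time; no early exit on mismatch


def fast_hash(password: str) -> str:
    """What NOT to store: a fast, unsalted digest. Shown only for contrast."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    import time
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("MyDog2019!", record))
    # Same password, different record each time because the salt is random.
    print("salted twice differ:", hash_password("x") != hash_password("x"))
    # Rough cost comparison: one slow hash versus many fast ones.
    t0 = time.perf_counter(); hash_password("x"); slow = time.perf_counter() - t0
    t0 = time.perf_counter()
    for _ in range(10000):
        fast_hash("x")
    fast = time.perf_counter() - t0
    print("one scrypt: %.3fs, ten thousand sha256: %.3fs" % (slow, fast))
```

The timing line at the end is the whole argument in one number: a cracking rig that can try billions of SHA-256 candidates per second gets a few tens of thousands per second against scrypt at these parameters, per salt.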
Enforce reasonable password policies without being annoying. Minimum 12 characters, allow all printable ASCII, don't force regular rotation (forced rotation leads to weaker passwords, not stronger ones — NIST updated their guidelines on this years ago). Don't cap length at 20 or 32 characters — there's no technical reason to do this and it penalizes password managers.
Check against known breached passwords. The HaveIBeenPwned API (haveibeenpwned.com/API) lets you check if a password appears in known breach data without sending the actual password. It uses a k-anonymity model — you send the first 5 hex characters of the password's SHA-1 hash, get back a list of matching hash suffixes, and check locally. Integrating this into your signup flow costs maybe an hour of work and meaningfully improves your users' security posture.
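The policy rules and the k-anonymity breach check above fit together into one signup-time validator. The block below is an added example, not code from the article or from HaveIBeenPwned; the range response it checks against is constructed inline in the real `SUFFIX:COUNT` format so it runs offline, and the live fetch function (using the published Pwned Passwords range endpoint) is included but never called by the demo. The word+year+symbol regex is an assumption standing in for whatever pattern list a real deployment would use.

```python
import hashlib
import re
from typing import Callable, Dict, List

MIN_LENGTH = 12  # the article's floor; deliberately no maximum
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"  # published range endpoint

# Assumed pattern check for the article's MyDog2019! shape: letters, a 19xx/20xx year, optional symbol.
WORD_YEAR_SYMBOL = re.compile(r"^[A-Za-z]+(19|20)\d\d[!@#$%^&*.?_-]?$")


def policy_errors(password: str) -> List[str]:
    """Length floor, printable characters only, and a cheap human-pattern check."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if any(ord(c) < 32 or ord(c) == 127 for c in password):
        errors.append("contains control characters")  # everything printable, ASCII or not, is allowed
    if WORD_YEAR_SYMBOL.match(password):
        errors.append("follows the common word+year+symbol pattern")
    return errors


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case hex SHA-1 into the 5-char prefix sent and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Body lines look like 'SUFFIX:COUNT'; return {suffix: count}."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Only the prefix leaves the process; the suffix match happens here."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real network call for production use; not exercised by this demo."""
    import urllib.request
    with urllib.request.urlopen(HIBP_RANGE_URL.format(prefix=prefix), timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for one range response. The suffix for "password" is computed so the
# sample is self-consistent; the other suffixes and all counts are made up.
_PREFIX, _SUFFIX = sha1_prefix_suffix("password")
CONSTRUCTED_RANGES = {
    _PREFIX: "\r\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",   # constructed
        f"{_SUFFIX}:12345",                          # constructed count for "password"
        "011053FD0102E94D6AE2F8B83D76FAF94F6:3",   # constructed
    ])
}


def fake_fetch(prefix: str) -> str:
    return CONSTRUCTED_RANGES.get(prefix, "")


def validate_new_password(password: str, fetch_range: Callable[[str], str] = fake_fetch) -> List[str]:
    """Everything a signup handler should reject on; empty list means accept."""
    errors = policy_errors(password)
    seen = breach_count(password, fetch_range)
    if seen:
        errors.append(f"appears {seen} times in known breaches")
    return errors


if __name__ == "__main__":
    for candidate in ["MyDog2019!", "MyDogNetflix2019!", "password", "x9$Qm2!pLw7#Zr4v"]:
        print(repr(candidate), "->", validate_new_password(candidate) or "accepted")
```

Swap `fetch_range_live` in for `fake_fetch` to query the real service; the prefix is the only thing transmitted, and the response for any prefix is a few hundred suffixes, which is what makes the lookup k-anonymous.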
The Bottom Line
Password security isn't complicated in theory. Long, random, unique passwords managed by a password manager, with 2FA on everything that supports it. That's the whole strategy.
The gap between knowing this and actually doing it is mostly inertia. The password manager setup takes an afternoon. Migrating your existing passwords happens gradually as you visit sites. Within a month you're essentially fully migrated without it feeling like a big project.
Start by generating a few passwords at sadiqbd.com/developer/password-generator to see what genuinely random looks like. Then pick a password manager and set it up this week. Future you — especially future you dealing with a compromised account at the worst possible time — will appreciate it.