Password managers are the right answer for almost everything. They eliminate reuse, generate high-entropy secrets, and remove the human bottleneck. For 95% of accounts, install Bitwarden or 1Password and move on.
But there is a small, specific set of accounts where a password manager is the wrong answer. Knowing which ones — and how to handle them — is worth ten minutes of attention.
The accounts that don't belong in a manager
Three categories, roughly:
- The master password of the manager itself. Obviously. This one lives in your head.
- Your primary email recovery account. If you lose access to the manager and the recovery account is also in the manager, you have created a circular dependency that locks you out of your own life.
- Disk encryption keys, root passwords, and emergency-access codes for shared systems. Anything you might need to type when your laptop won't boot, or read aloud to a colleague during an incident.
For these, you need passwords that are strong, memorable, and typeable. That's a different problem from generic account passwords.
What "strong" actually means
A password is strong because of entropy — the number of equally-likely possibilities an attacker has to try. Length contributes far more entropy than character variety, and a passphrase made of random common words can hit 70+ bits of entropy while still being typeable.
Those figures describe the generation process, not the string you end up with: a 12-character string drawn uniformly from the roughly 95 printable ASCII characters (K7#m$pQ2!nXz has that shape) carries about 79 bits. A four-word passphrase like correct-horse-battery-staple carries about 44 bits if the words came from a 2048-word list (11 bits per word), or about 52 bits from a 7776-word Diceware-style list (12.9 bits per word). To match the random string you need 6 to 7 random words, depending on the size of the list, which is where the "6+ words" floor below comes from.
The two-list rule
For the handful of accounts that don't belong in a manager:
- List A: passphrases for things you must type frequently or under stress (login, disk unlock). 6+ random words, hyphenated, lowercase.
- List B: high-entropy strings for things stored in a sealed envelope in a safe and transcribed only when needed (recovery codes, a root password that is otherwise never used). 24+ random characters from the full printable set; at 24 characters that is about 157 bits.
Generate both lists offline. For List A, shuf against a large wordlist (the EFF long list has 7776 words) or any script backed by the OS random source will do; the same tools produce the random strings for List B. The requirement is only that the secret is created on a machine you control and never crosses the network, so a browser-based generator is acceptable if, and only if, it runs entirely client-side.
The Skojio password generator is one such tool: it runs entirely client-side, with no analytics and no server round trip, and supports both modes, configurable random strings and word-based passphrases. Whatever generator you pick, verify the claim instead of trusting it: open the browser's network panel (or disconnect from the network) before generating and confirm nothing is sent. Use it once for each account on either list, write the result down on paper, and store it appropriately. Never reuse a generated secret between accounts.
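An offline generator covering both lists, added here as an example and not code from the original post or from any product it mentions. It uses only the Python standard library; `secrets` draws from the OS CSPRNG. The 32-word list is constructed so the script runs without a wordlist file, and the entropy it reports is computed from the size of whatever list you actually pass in, so with the sample list it is deliberately low; `load_wordlist` is how you would swap in a real list such as the EFF long list.

```python
"""Offline generator for List A passphrases and List B random strings.

Added example, not code from the original post. Standard library only;
`secrets` draws from the OS CSPRNG (never use `random` for this).
"""
import math
import secrets
import string

# Constructed 32-word list so the example runs offline (5 bits per word).
# For real use load a large list such as the EFF long list (7776 words,
# about 12.9 bits per word); entropy below is computed from the size of
# whatever list you actually pass in.
SAMPLE_WORDS = [
    "apple", "brick", "candle", "delta", "ember", "forest", "glacier", "harbor",
    "island", "jungle", "kettle", "lantern", "marble", "nickel", "orbit", "pepper",
    "quartz", "river", "saddle", "timber", "uncle", "velvet", "walnut", "xenon",
    "yellow", "zebra", "anchor", "bishop", "copper", "dragon", "engine", "falcon",
]

# 94 printable ASCII characters, excluding space (awkward to transcribe).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest word count whose passphrase entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def load_wordlist(path: str) -> list[str]:
    """Read one word per line, lowercased and deduplicated (duplicates would
    make the reported entropy overstate the real search space)."""
    with open(path, encoding="utf-8") as fh:
        return sorted({line.strip().lower() for line in fh if line.strip()})


def passphrase(words: list[str], n_words: int = 6, sep: str = "-") -> tuple[str, float]:
    """List A: lowercase hyphenated passphrase plus its entropy in bits.
    Words are chosen with replacement so every position is independent."""
    unique = sorted(set(words))
    if len(unique) < 2:
        raise ValueError("wordlist must contain at least two distinct words")
    chosen = [secrets.choice(unique) for _ in range(n_words)]
    return sep.join(chosen), entropy_bits(len(unique), n_words)


def random_string(length: int = 24, alphabet: str = PRINTABLE) -> tuple[str, float]:
    """List B: random printable string plus its entropy in bits."""
    chars = "".join(secrets.choice(alphabet) for _ in range(length))
    return chars, entropy_bits(len(alphabet), length)


if __name__ == "__main__":
    # Compare the figures from the text: 12 random printable chars vs four words.
    print(f"12 printable chars: {entropy_bits(len(PRINTABLE), 12):.1f} bits")
    print(f"4 words / 2048 list: {entropy_bits(2048, 4):.1f} bits")
    print(f"4 words / 7776 list: {entropy_bits(7776, 4):.1f} bits")
    print(f"words from a 7776 list to reach 79 bits: {words_needed(79, 7776)}")
    phrase, bits = passphrase(SAMPLE_WORDS)
    print(f"List A (sample list, only {bits:.0f} bits): {phrase}")
    secret, bits = random_string()
    print(f"List B ({bits:.0f} bits): {secret}")
```

Run it with `python3 gen.py` on a machine that is offline if you like; nothing here touches the network. The reported bit count is the number to compare against the targets in the text, and it will be honest only if the wordlist is genuinely the one the words were drawn from.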
What "appropriately" means
For List A passphrases: memorise them, and until recall is reliable keep one paper copy in the same kind of location you use for List B. If a six-word phrase will not stick, practise typing it daily for a week before you consider shortening it; every word you drop costs 11 to 13 bits depending on the wordlist.
For List B strings: a paper backup in a physically secure location. A safe deposit box, a fire-safe at home, a sealed envelope with a trusted person. Two copies in different locations is better than one.
If the password ever needs to be typed by a human in an emergency, it belongs on List A. If it will only ever be transcribed carefully from paper, with no time pressure, List B is fine.
What about MFA?
MFA does not replace a strong password; it complements it. Every account that supports MFA should have it enabled, regardless of which list its password lives on. The categories above are about the password; the second factor is a separate layer, and the backup codes MFA issues for these accounts are themselves List B material.
Recap
| Account type | Where the password lives |
|---|---|
| Generic web account | Password manager, randomly generated |
| Password manager itself | In your head |
| Email recovery account | In your head + paper backup |
| Disk encryption, root, emergency | Paper backup, never in the manager |
The manager handles the 95% case beautifully. The 5% needs a different tool and a different storage strategy, and confusing the two is how people end up locked out of their own accounts.