Has to be 16 characters, #s, Cap and lower case.
Get a password manager. It's a lot more secure and easier to only have to remember one strong main password and have the rest randomly generated.
KeePassXC, donor, and I sync it with my (self-hosted) SyncThing server.
FWIW, LastPass is bullshit. DYOR, and stay safe, citizens!
Also, it could be taken as a positive that BitWarden is the example Wikipedia uses to define password strength. 🤌🏼
Randomly generate your master password too. It takes a bit to memorize, but becomes muscle memory pretty quickly. And since random passwords have the highest possible entropy per character you can use a shortish one, which allows for fast typing while still being impossible to brute force (I use 16 chars).
There's an xkcd for that, of course! Linking directly to the explainxkcd page as it has more info, but the important thing is: password guidelines tricked humans into thinking in a machine way about safe passwords, but long passphrases are more secure from an entropy point of view and way easier to remember!
https://www.explainxkcd.com/wiki/index.php/936:_Password_Strength
Once you forget it, you lose everything
Both Bitwarden and 1Password can also generate passphrases with high entropy that are much easier to memorize and enter. I use that for my master password.
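The entropy figures the comments above argue over, worked through in code. This is an added example for this thread, not code from any poster or from Bitwarden, 1Password or KeePass; the 16-word list is a constructed stand-in (only the list size matters for the entropy numbers), and the 1e12 guesses/second rate is an assumed offline cracking budget.

```python
"""Entropy and generation of random passwords vs. passphrases.

Added illustration for this thread; not code from any poster or from
Bitwarden/1Password/KeePass. WORDS is a constructed stand-in for a real
generator list; only its size matters for the entropy figures.
"""
import math
import secrets
import string

# 94 printable ASCII characters (letters, digits, punctuation), no space.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation
ALNUM = string.ascii_letters + string.digits

# Constructed 16-word list for demonstration only. Real generators use lists
# of thousands of words (diceware-style lists have 7776).
WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "fjord", "gravel",
         "harbor", "ivory", "juniper", "kelp", "lantern", "marble", "nectar",
         "orbit", "pewter"]


def entropy_bits(choices: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform picks from `choices`."""
    return length * math.log2(choices)


def random_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Uniformly random password; `secrets` is the CSPRNG, never `random`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: list, count: int = 5, sep: str = "-") -> str:
    """Uniformly random passphrase; entropy is count * log2(len(words))."""
    return sep.join(secrets.choice(words) for _ in range(count))


def years_to_exhaust(bits: float, guesses_per_second: float = 1e12) -> float:
    """Worst-case time to try every candidate at the given offline rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def comparison(guesses_per_second: float = 1e12) -> dict:
    """Entropy (bits) and exhaustive-search years for several schemes."""
    schemes = {
        "16 random printable chars": entropy_bits(len(PRINTABLE), 16),
        "16 random alphanumeric chars": entropy_bits(len(ALNUM), 16),
        "4 words from a 2048-word list (xkcd 936)": entropy_bits(2048, 4),
        "5 words from a 7776-word list": entropy_bits(7776, 5),
        "7 words from a 7776-word list": entropy_bits(7776, 7),
    }
    return {name: (bits, years_to_exhaust(bits, guesses_per_second))
            for name, bits in schemes.items()}


if __name__ == "__main__":
    print("example password:  ", random_password())
    print("example passphrase:", random_passphrase(WORDS))
    for name, (bits, years) in comparison().items():
        print(f"{name:42s} {bits:6.1f} bits  ~{years:.3g} years at 1e12 guesses/s")
```

Running it shows the point both sides are making: 16 random printable characters is about 105 bits, while four common words (xkcd's 2048-word estimate) is about 44 bits and five words from a 7776-word list about 65 bits, so a passphrase needs more words than the comic's four to match a short random string, but every one of these is far beyond an offline budget of 1e12 guesses per second except the 44-bit case.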
Finally can't take it anymore
Downloads a Password Manager
Password Manager: "Please create a unique master password to begin"
That's one password, and then use 2FA or a passkey or a YubiKey or anything to secure it so the security of the password isn't a big deal.
Then go to every single thing you have a password for, and have the password manager set it to something random. I personally like passphrases: get it up into the teens of characters, multiple words, multiple numbers, multiple special characters. 99.9% of the time you shouldn't be typing any of this in. It should be injected for you. If perchance you should need to type one of them in, typing in four or five words, some numbers and some special characters is not really a horrible grievance.
Store the passwords using KeePass; it is awesome, secure, and free. I've used it for nearly 20 years. Never once had a problem.
Bonus points if you use a comma for a special character, because I hear commas are a small inconvenience for hackers scraping usernames, passwords en masse. Fuck those guys.
Many (most?) password managers, including KeePass, have a feature to generate passwords directly in the tool.
I understand, but I absolutely do not endorse. For the same reason as the XKCD comic correct horse battery staple is based on. It's bullshit, it's hard to remember (sometimes even hard to read or type in).
I just generated one & I tried to post a screenshot, but my Lemmy app isn't cooperating...KeePass gives lots of options, very nice. The password randomly generated was "3vrCNHTTxFuMyhah". Like...what the hell is that?? What??
Don't get me wrong, I set up probably 30+ of those stupid things in my wayward youth. But if for some reason you have to type them in manually via Xbox controller, TV app, or otherwise....you're going to be cussing yourself out like MAN this is SO STUPID, and it's exponentially dumber because it's something I did to myself. It's not more secure. Make it easier, and also ironically more secure, doing it the right way.
i just use hunter2 for everything
God, the tears rolling down my face laughing the first time I read that.
I use 12345
I miss bash.org
For everybody commenting on password managers, I've been using one for years now and I feel this so bad. My company has a password policy of changing the LAPTOP's password every 8 weeks and you can't reuse any of the last 10 passwords used. I hate it because I can't use a password manager to unlock my laptop, and I'm so used to password managers by now that it's getting really hard to come up with new passwords that follow the stupid requirements, and even worse remembering them. I'm veeeery close to just starting to note them down in a notebook by my machine and then sending a picture to our security guy to show him where he has gotten us all to.
I save it in my password manager and can pull it on other devices. Still annoying, but not the worst. Honestly the worst is passwords with a character limit, and even worse when it's "small" like 16.
You should do that unironically. Current best practice advises against frequent password changes for exactly that reason.
Write a script that sets the password to 10 different passwords, then back to your original password.
I do agree that's a particular case that can't be solved by a password manager. But it's all the more reason to use one elsewhere to reduce how many you need to remember.
I have to remember only 3 secure passwords. My personal computer, my work account, and my password manager. Those are the only three I have to type in manually. And because they're secure and unique, for stupid work password change requirements I just increment the last character.
My company has a password policy of changing the LAPTOP's password every 8 weeks and you can't reuse any of the last 10 passwords used.
There are more than 10 symbols, so just rotate through them. If your org doesn't respect you enough to have reasonable password rotations, I wouldn't bother spending much time coming up with new ones and just modify your current to pass the minimums.
Some$$Word12
Some&&Word11
Some--Word10
Etc
Quick question friends:
If I'm already using bitwarden and decide to switch to self-hosting it; can I import my usernames and such?
I would most likely change all the passwords, but being able to migrate the websites (with corresponding username) would be kinda nice
You should be able to export and import all your logins as a file. I did this when I moved from LastPass to Bitwarden a while back.
Has to be 16 characters
So long as I can use more than that, I won't complain. I don't remember the service, but I definitely remember one where they wouldn't allow over a certain amount of characters, and that was annoying because that was when I was still using repeat passwords back in high school. My preferred password at the time was roughly 20 characters, but apparently that was too much because who cares about security, am I right?
It's even worse when they have a limit and don't enforce it consistently. I had to submit a bug report to my bank because I made a 24 character password at account creation but the login page only allowed 16 characters.
It used to be a thing more often, but for a long time even when you're logging in via a website, there were (and probably still are) legacy backend systems that have limits on the password length.
!!! PASSWORD TOO WEAK !!! - your password must contain upper and lowercase characters, digits and symbols except not a hyphen for some fucking reason, and no characters you've ever used in past passwords and no digits that are in your postal code, date of birth, or shoe size. Zalgo text is acceptable.
What painting is that?
Bertha Wegmann - Portrait of a Young Woman in Thought
Thank you!
If you don’t want to use a password manager it’s not that hard to create long passwords. Just create a nonsense sentence with a misspelling with a character between each word and add some obscure personal info that isn’t directly linked to you, like a phone number of an old childhood friend or pizza place you used to call often when you were young so it’s easy to remember but not info another person can find about you. Then add a special character.
Like:
Wideo1Pasta1Is1The1Grawy1555-22334!!!
I like pass phrases... if you can't think of anything, grab a random book, open to a random page, and find a memorable phrase that catches your eye. Change some letters to numbers and/or add symbols if you think you need to.
BatmanSupermanSpidermanCaptainAmerica@2025
Just 4 characters are enough. And it includes Cap.
I just checked my password manager vault and I currently have 311 passwords stored there.
594 for me
I have nearly 800. I think I need to do some cleaning.
I have 401 entries, but only 384 unique passwords.
Hmm. Most of these are junk from job applications that I really should put in a trash category. I'm so glad all those places don't share a password with something important. I think.
TheDoctor&CaptainJack
16 characters and a cap
Huh, I only see ****************
Just add one to the number each time.
I'm on "[passwordiveusedforyears]22!" at work.
For otherwebsites I'm on things like "[passwordIveusedforyears][websitename]!"
Proper 2FA is secure enough for most people to keep using the same password so long as it hasn't been compromised. And a few things, like work passwords, email passwords, and bank passwords should be unique to that specific account.
Really, the biggest security hole is requiring logins for fucking everything. That's why there's a million password leaks. Why does a news website need me to sign in? Why do I need an account and password to order a pizza that I'm gonna pay for in-person?
I do like using a good passphrase that includes the website name
Eventually, I'd like to switch to all generated through Bitwarden or KeePass, but I'd prefer to self-host when going that route.
And in six weeks... It's time to change your password! No repeats.
Buttliquor007!
Done.
Haha! Now I have access to your blockbuster account! You Fool!
Why do you owe $322 in late fees for the movie Waterworld with Kevin Costner?
Why not??
I...admitted I had a Costner addiction in the mid 90s...but these "Block Busters" kept me locked up for years! Is it all water out there?!
Just use KeepAssXC.
AssKeep
I can remember like 5 passwords. My computer password, my work computer password, my trash everything password and my password vault password. I know that's only 4, but I still remember my last vault password, so that one counts twice
Everything else is some random shit that I bitch about entering manually when pasting doesn't work.
That's why I let Firefox make the passwords for me. It's nice because they sync with my phone, so I don't have to run to my PC to look up a password.
Only 16 characters?
I was on the internet early enough that I had a four character, all lower case password to my emails and it never complained once.
What? No punctuation marks? Special characters like !@#$%^&*()_+?
I got a "we've had customers accounts breached, please update your password" email the other day.
They specifically called out that you can't use # in your password, and it's been bugging me why that is. What part of their system lets in other special characters but # is off limits?
Now that I’m thinking about this it’s bugging me too. If they are passing it to shell scripts maybe it’s interpreted as a comment? Some databases like Oracle use # to separate schema prefix from schema user and table name in a query? But none of those would really make sense here 🤷
EDIT they are storing it in plain text, with other values using # as a delimiter? lol
Captain Carter always has a password
Indeed
Here's what you do: Generate long random string, for example: P5edM5Ce0SGE0rOr9k&#T*wG@d$ogqyBTk2@%dmO@2akbm!b5p!bH8w7Ei7gPSIR1Er&hab3ae@0odk3h76Ka48kYtXrsburM$7rf^vPRwXz1s5guO&$PZz3@w
Memorize it.
For each site just choose a number and select 16 characters starting at this number.
Remember which page uses what number. E.g. google = 32 -> &#T*wG@d$og^qyBTk2
Done. You don't have to remember any more passwords for the rest of your life.
Folks will rather memorize 100 random ASCII chars than use a password manager
Here's what you do
can you say that a bit quieter please, we're at a wedding
Hmm... if a bunch of matchsticks fall on the floor, do you immediately know how many there are? If you do, I may have some news for you 🤣
Only if it's less than 5.
It's not so bad once you develop a system.
And as a bonus, when a few of them leak, hackers will have a little puzzle to solve. Hackers love puzzles.
We upped our passwords to sixteen chars last fall. Also, it’s UPPER lower digit and special-char. And we only require changing every twelve months when it used to be much more.
Kiester password manager?
Ah yeah ok I got you covered
RasputiaSalmon87876@
There you go, real easy.
I just started merging 3 common passwords I've used through my life in chronological order. It's a 32-letter behemoth with lowercase, uppercase, numbers, and symbols. All in random patterns.
The middle password is one that I started using 2 years ago when I wanted a new password for my new OS installation called FreeBSD at the time. It had numbers and symbols but also "Frbsd" to stand for that name.
Now when I am signing up to a new service I change that portion in the middle of the 32-letter password so "...Frbsd..." becomes "...Gthb..." or "...Dscrd..." etc.
This way even if someone finds my password for gml it won't work for others either.
Who TF isn’t using a password manager in 2025? Like how would you even function?
EDIT: Y’all need to stop replying with your password generation strategies. JFC it’s like you’re asking someone to pwn your shit.
My employer, a fortune 500, blocks password managers and all other add-ons.
When will he be hacked.... Let's place bets everyone!
My employer, a 12 people big company, nowhere near any fortune list, mandates the use of 1password for all company related accounts.
I use modified “HorseBatteryStaple” style passwords. I have a couple base phrases that I always remember, with special characters and numbers inserted. I modify them bit by bit for different sites, and keep a list of the changes - only the changes. Anyone who looks at the list would see random words, numbers, or symbols without context; only I know how it all fits together.
For example, let's pretend HorseBatteryStaple1! is my default password. I may have "cell phone, machine 5" on the list. That would mean the password for my cell phone's payment website modifies the default password by changing one of the words in HorseBatteryStaple to "machine" and the number 1 to 5.
I know password managers exist, but I like to try to remember my own passwords. Especially since I may need them across different devices, including my work laptop that I can’t download new programs onto.
Caution, reusing parts of your passwords like that significantly reduces the effective entropy.
If someone finds HorseBatteryStaple1! in a plaintext leak, then they only need to guess one word and one number to get your phone password (assuming they know your format or use a matching heuristic).
So using a combination of this comment and an existing leaked DB (trust me, your credentials have leaked somewhere at some point), all your accounts could be trivially cracked.
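The "guess one word and one number" arithmetic from the reply above, carried through in code. This is an added example for this thread, not code from either poster; the eight-word attacker dictionary and the target password "HorseMachineStaple5!" are constructed for the demo, and the parser assumes the CamelCase-words + digits + trailing-symbol shape described in the comment (any other base password is rejected rather than guessed at).

```python
"""How much a leaked base password shrinks a 'swap one word, change the digit'
scheme. Added illustration for this thread, not code from any poster. The
dictionary and target are constructed; the parsed shape (CamelCase words,
then digits, then symbols) is the one the comment above describes."""
import math
import re
from typing import Iterator, List, Optional, Tuple

# Constructed attacker word list; a real one would have thousands of entries.
DICTIONARY = ["apple", "machine", "river", "cloud", "stone", "paper", "tiger", "lemon"]

_PATTERN = re.compile(r"((?:[A-Z][a-z]+)+)(\d+)(\W*)")


def parse_base(leaked: str) -> Tuple[List[str], str, str]:
    """Split 'HorseBatteryStaple1!' into (['Horse','Battery','Staple'], '1', '!')."""
    m = _PATTERN.fullmatch(leaked)
    if m is None:
        raise ValueError(f"not in the expected words+digits+symbols shape: {leaked!r}")
    words = re.findall(r"[A-Z][a-z]+", m.group(1))
    return words, m.group(2), m.group(3)


def derived_candidates(leaked: str, dictionary: List[str]) -> Iterator[str]:
    """Every password reachable by swapping one word and replacing the digit
    run with a single digit 0-9: the attacker's enumeration once the base has
    leaked and the modification rule is known or guessed."""
    words, _digits, suffix = parse_base(leaked)
    for i in range(len(words)):
        for w in dictionary:
            swapped = words[:i] + [w.capitalize()] + words[i + 1:]
            for d in range(10):
                yield "".join(swapped) + str(d) + suffix


def candidate_count(leaked: str, dictionary_size: int) -> int:
    """Size of the search space: positions * dictionary words * 10 digits."""
    words, _, _ = parse_base(leaked)
    return len(words) * dictionary_size * 10


def effective_bits(leaked: str, dictionary_size: int) -> float:
    """Entropy actually left in the derived password given the leak."""
    return math.log2(candidate_count(leaked, dictionary_size))


def guesses_to_find(target: str, leaked: str, dictionary: List[str]) -> Optional[int]:
    """Number of guesses (1-based) until `target` is hit, or None if unreachable."""
    for n, cand in enumerate(derived_candidates(leaked, dictionary), start=1):
        if cand == target:
            return n
    return None


if __name__ == "__main__":
    leaked = "HorseBatteryStaple1!"   # constructed: assume this appeared in a dump
    target = "HorseMachineStaple5!"   # the "cell phone, machine 5" variant
    print("guesses needed:", guesses_to_find(target, leaked, DICTIONARY))
    for size in (len(DICTIONARY), 10_000, 100_000):
        print(f"{size:7d}-word dictionary -> {candidate_count(leaked, size):9d} "
              f"candidates = {effective_bits(leaked, size):4.1f} bits")
```

With a realistic 10,000-word dictionary the whole space is 300,000 candidates, about 18 bits, which any offline cracker clears in well under a second; the list of "only the changes" is not what protects the derived passwords, the secrecy of the base is, and that is exactly what a leak removes.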
Federal and State jobs you can’t use password managers.
My federal job came with one pre-installed.
Yeah idk about that. I've worked in state govt for a very long time and our cybersecurity controls essentially mandates we use one. I'm also in our security audit team and have to talk to state offices about our NIST controls regularly. And the NIST DOD controls are even more stringent than ours. Something sounds off.
I literally work for a state government and I use password managers for both work and personal.
EDIT: For clarity, the data is hosted on-prem. I don’t send govt credentials to the cloud like a moron.
Okay so remember the one or two ones you need there (try a passphrase!)
For everything else - password manager.
Because they seem to fall into two categories. Those that have been compromised
And those who haven't.... Yet
I basically use a childhood limerick in leetspeak. Easy to remember, tough to crack. Like for example, Peter Piper picked a peck of pickled peppers becomes "P3t3rP1p3rP1ck3d4P3ck0fP1ckl3dP3pp3rz!" Of course I never used that particular one, but you get the idea.
So you have the same password for everything? Which would mean a single password leak would compromise all of your accounts?
Brah
I function by only having 2 accounts I actually care about. Bank and e-mail. The rest get the same password over and over because I legitimately don't care about them and never give them real personal data.
A password manager would be the same amount of effort, but way more secure.
Those are hackable too, though.
I have passwords I don't care about, passwords I keep on the manager, and then important ones I enter manually every time
Don't ever use lastpass and the likes, when good open source ones exist.