Strong passwords without a password manager — when it makes sense

Tags: security, passwords, tips

Skojio Community

Most accounts deserve a manager. A small handful do not — and getting the distinction right matters.

Password managers are the right answer for almost everything. They eliminate reuse, generate high-entropy secrets, and remove the human bottleneck. For 95% of accounts, install Bitwarden or 1Password and move on.

But there is a small, specific set of accounts where a password manager is the wrong answer. Knowing which ones — and how to handle them — is worth ten minutes of attention.

The accounts that don't belong in a manager

Three categories, roughly:

  1. The master password of the manager itself. Obviously. This one lives in your head.
  2. Your primary email recovery account. If you lose access to the manager and the recovery account is also in the manager, you have created a circular dependency that locks you out of your own life.
  3. Disk encryption keys, root passwords, and emergency-access codes for shared systems. Anything you might need to type when your laptop won't boot, or read aloud to a colleague during an incident.

For these, you need passwords that are strong, memorable, and typeable. That's a different problem from generic account passwords.

What "strong" actually means

A password is strong because of entropy — the number of equally-likely possibilities an attacker has to try. Length contributes far more entropy than character variety, and a passphrase made of random common words can hit 70+ bits of entropy while still being typeable.

A 12-character random string like K7#m$pQ2!nXz has roughly 79 bits of entropy. A four-word passphrase like correct-horse-battery-staple has roughly 44 bits. To match the random string you need 6-7 random words.

The two-list rule

For the handful of accounts that don't belong in a manager:

  • List A: passphrases for things you must type frequently or under stress (login, disk unlock). 6+ random words, hyphenated, lowercase.
  • List B: high-entropy strings for things stored in a sealed envelope in a safe, never typed (root password, recovery codes). 24+ random characters.

For List A you can generate offline with shuf drawing from a wordlist. For List B you want a generator that runs in your browser so the secret never crosses the network.
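The entropy arithmetic from the previous section and the two generation modes described here are worth seeing together in working code. The following is an added example, not code from the original post or from the Skojio generator; it uses Python's `secrets` module as the offline equivalent of `shuf` over a wordlist. The sixteen-word list is constructed for the demo and is labelled as such: in practice you would load a full list such as the 7776-word EFF list, and the entropy figure depends on the list's actual size and on the words being chosen uniformly by the generator, not by a person.

```python
import math
import secrets
import string

# Constructed sample wordlist for the demo. A real deployment loads a full
# list from disk; entropy is computed from len(words), so a 16-word list
# gives only 4 bits per word, versus ~11 for a 2048-word list and ~12.9 for
# the 7776-word EFF large list.
SAMPLE_WORDS = [
    "anchor", "basil", "canyon", "dagger", "ember", "falcon", "garnet", "harbor",
    "iris", "jigsaw", "kettle", "lantern", "meadow", "nickel", "orbit", "pepper",
]

# 52 letters + 10 digits + 32 punctuation = 94 printable ASCII symbols.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, pool_size: int) -> float:
    """Bits of entropy for `length` symbols drawn uniformly from `pool_size`.

    Only valid when every symbol is an independent uniform draw: a phrase a
    person composes from memory has far fewer effective possibilities.
    """
    return length * math.log2(pool_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of random words from a list of `wordlist_size` that
    reaches `target_bits` (e.g. to match a 12-char random string)."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(words, count: int = 6, sep: str = "-") -> str:
    """List A style: `count` lowercase words, hyphen-joined, typeable.

    secrets.choice is backed by the OS CSPRNG; random.choice would be a defect
    here because its output is predictable from a small sample.
    """
    return sep.join(secrets.choice(words) for _ in range(count))


def generate_string(length: int = 24, alphabet: str = PRINTABLE) -> str:
    """List B style: a random printable string meant for paper, never typing."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print("12 printable chars:", round(entropy_bits(12, 94), 1), "bits")
    print("4 words / 2048 list:", entropy_bits(4, 2048), "bits")
    print("words of a 7776 list to reach ~79 bits:", words_needed(78.7, 7776))
    print("List A sample:", generate_passphrase(SAMPLE_WORDS))
    print("List B sample:", generate_string())
```

The `if __name__` block is only a demo driver; the functions are the reusable part. Running it reproduces the post's figures (about 79 bits for the 12-character string, 44 bits for four words from a 2048-word list, and 7 words from a diceware-sized list to match the string) and shows why the sample list above should never be used for real: six words from sixteen is only 24 bits.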

The Skojio password generator runs entirely client-side — no analytics, no server round trip — and supports both modes: configurable random strings and word-based passphrases. Use it once for each account on either list, write the result down on paper, store it appropriately.

What "appropriately" means

For List A passphrases: nothing. Memorise them. If you can't, the passphrase is too long; pick a shorter one.

For List B strings: a paper backup in a physically secure location. A safe deposit box, a fire-safe at home, a sealed envelope with a trusted person. Two copies in different locations are better than one.

If the password ever needs to be typed by a human in an emergency, it belongs on List A. If it can be copy-pasted from paper, List B is fine.

What about MFA?

MFA does not replace a strong password — it complements it. Every account that supports MFA should have it enabled, regardless of which list its password lives on. The categories above are about the password; the second factor is a separate layer.

Recap

| Account type | Where the password lives |
| --- | --- |
| Generic web account | Password manager, randomly generated |
| Password manager itself | In your head |
| Email recovery account | In your head + paper backup |
| Disk encryption, root, emergency | Paper backup, never in the manager |

The manager handles the 95% case beautifully. The 5% needs a different tool and a different storage strategy, and confusing the two is how people end up locked out of their own accounts.