Y'all need a password manager

By Hutch 12 min read

I'll bet $1 that you've got a favorite password. I'll bet it's some variation of the same word you've been using since you got your first AOL disk in the mail and signed up with your 56k baud modem (don't worry about it, kids. Let us Olds do our thing). I'll bet it's got a capital letter on the front, a number on the back, and an exclamation point doing the heavy lifting of "special character." And I'll be you use it for errrrrything — your bank, your email, your Shopify admin, and the loyalty account for the sandwich place near the office.

I'm not judging. Ok, I'm judging a little. But mostly I want to fix it, because the way most people (and, terrifyingly, most businesses) handle passwords in 2026 is held together with hope and muscle memory. So let's talk about why that's a problem, why the fix is easier than you think, and how we at Swiftkick use a password manager to keep our clients' logins locked down without making everyone's life miserable.

And I know some of the below is gonna sound like a sponsored ad for 1password or its ilk, but we haven't received a penny from them. (Though, 1password folks, if you're reading this... 'sup, girl?)

The actual problem isn't weak passwords. It's reused  passwords.

Everybody worries about the wrong thing. They picture a hacker in a hoodie personally typing guesses at their login screen. That's not what happens. What happens is boring and industrial: some website you signed up for nine years ago (and then forgot about 8 years and 11 months ago) gets breached, a few hundred million email-and-password combos end up in a giant text file, and bots go try those combos on every other site on the internet. It's called credential stuffing, and it works spectacularly well for exactly one reason: people reuse passwords.

So the sandwich shop with the garbage security team? When they get popped, the attacker doesn't care about that free sammich you're just two orders away from. They care that the same email and password also unlock your business email. And once they're in your email, they own the "forgot password" reset link for literally everything else you've got. Your inbox is everything. One reused password turns one dumb little breach into your whole life.

The fix is stupidly simple to describe and impossible to do by hand: every account gets its own password, and every password is long and random. You cannot remember 200 unique 20-character strings. Nobody can. That's not a character flaw, that's just not what human brains are for. Which is the entire reason password managers exist.

Let's talk entropy (and the greatest webcomic ever about it)

"Entropy" is just a nerdy way of measuring how hard a password is to guess. More entropy, more possible combinations, longer to crack. And here's the part that breaks people's brains: length beats complexity. Every goddam time.

You've been trained for twenty years to make passwords "strong" by adding symbols and swapping letters for numbers ("1337-speak" to the real ones); P@55w0rd! and its ilk. The problem is those rules make passwords hard for humans and easy for computers, because the machine doesn't care that you swapped an A for a 4. It knows that trick too. Everybody knows that trick. Your mom knows that trick. She told me all about it last night. (We are a professional company of professionals). 

But Randall Munroe explained this better in one comic than I'm going to manage in this whole post, so here it is:

Comic: "Password Strength" by Randall Munroe — xkcd #936. Licensed under CC BY-NC 2.5.

The gist: Tr0ub4dor&3 gives you about 28 bits of entropy — roughly three days for a computer to guess — and it's a nightmare to remember. Meanwhile correct horse battery staple, four random common words, is around 44 bits, which is on the order of 550 years to guess, and you memorized it the instant you read it. Longer and dumber beats shorter and "clever." Because Math. And Math doesn't care about your exclamation point.

Now, here's the honest catch. The passphrase trick is fantastic for the handful of passwords you actually have to type from memory, like the master password to your, y'know, password manager. But for the other 199 accounts? You don't want to remember them at all. You want them to be a soulless 30-character wall of random garbage that you never see, never type, and never think about. Which brings us to the tool.

What we actually do at Swiftkick (it's 1Password)

So, we use 1Password. There are many like it, but this one is ours. Use whatever is most convenient for you.

We don't just use it to store our own logins. We use it as core infrastructure for handling client credentials. Because agencies like ours deal with a genuinely complex problem: we're constantly being handed the keys to other people's stuff. Hosting logins, domain registrars, CMS admins, ad accounts, analytics, payment processors. If we managed that in a spreadsheet (or, god help us, a Slack thread), we'd be one screenshot away from a catastrophe. Here's how we keep it sane.

1. Per-user access, segmented by vault

In 1Password, a "vault" is just a container for a set of logins, and you control exactly who can see each one. So we don't dump everything into one giant pile that the whole company can rummage through. Each client — or each project — gets its own vault, and only the people actually working on that account get access to it.

That means the developer on your project can reach your staging server, and the person who isn't on your project simply can't see it exists. When someone rolls off an engagement, we pull their vault access and the credentials are gone from their world instantly. It's the principle of least privilege, which is a fancy security term for "only the people who need the keys get the keys." Turns out that's a lot easier to enforce when it's a checkbox instead of a promise.

2. A secure way for you to hand us your logins — even if you don't use 1Password

This is the one clients don't expect. The single most dangerous moment in any engagement is onboarding, when you need to get us your credentials and the temptation is to just email them, text them, or read them out on a call while someone writes them on a sticky note. Please don't. Email and text are plaintext forever and get breached constantly.

1Password lets us fix this even if you've never touched the app. We can send you a secure item share — an encrypted link, set to expire and optionally locked to your email, that hands over exactly one credential and nothing else. Or, for a longer relationship, we can spin up a shared or guest vault and invite you in, so you drop your logins somewhere encrypted and we pick them up on our end — no plaintext, no "did you get that password I texted?", no residue sitting in an inbox for the next five years. You get a secure channel without having to buy, learn, or manage anything.

3. Killing the "go check your email for a code" nonsense with built-in one-time codes

Two-factor authentication is great. The implementation of two-factor authentication is absolutely infuriating. I become an incandescent ball of rage every time I need to:

  1. Alt-tab or swipe over to your email or text and wait for a code that shows in anywhere from four seconds to four minutes.
  2. Copy it (or just remember it like a cave person).
  3. Tab/swipe back.
  4. Paste it before it expires.
  5. And then optionally delete the email now clogging your inbox (unless you're one of those 1,738-unread-email psychopaths. You know who you are). 

Do that eleven times a day across a dozen client accounts and you will lose your entire mind. The whole thing. Gone.

The better version of 2FA is a one-time code (TOTP) — those six digits that silently regenerate every 30 seconds. It's the same mechanism as those little RSA keyfobs your bank's IT department used to hand out, just software now. And 1Password can store the code generator right next to the login and autofill both at once. You click the field, it drops in your username, your password, and the current rotating code, and you're in. No email round-trip. No SMS that may or may not arrive. No mind lost.

It's more secure and less annoying, which almost never happens at the same time, so just, like, take the win.

Good for families and couples, too!

Tired of your kids needing the Netflix password? Do you and your partner or spouse have trouble remembering one another's logins for various shared accounts? Use a password manager! Ideally one with vaults, as mentioned above.

My wife and I need access to our bank accounts and credit cards. Our kids do not. But they do need the Hoopla library login every other goddam night. 1password to the rescue! Disney+ get logged out of your TV streaming box? BOOM. Password managered. Kid left their school iPad at home and they need you to log in to it and get an email? SORTED. 

Even if you're a family who prefers to keep separate accounts, there's always what we call the hit-by-a-bus scenario. Morbid, I know, but we make wills for a living. Think of a shared password manager as a digital will. Or don't share it and just put the master password in the aforementioned will. Or would you rather your bereaved have to deal with calling companies and emailing legal documents to every credit card, bank, and subscription service hitting your card every month? You monster.

"But wait — isn't putting all  my passwords behind one login a terrible idea?"

It's the first thing everyone asks, and it's a fair instinct. Feels like putting every egg in one basket and then labeling the basket "EGGS." So let me take it head-on, because the answer is genuinely reassuring once you see it.

First, the part nobody wants to hear: you already have a single point of failure, and it's your email inbox. Every "forgot password" link on earth lands there. If someone owns your email, they own everything downstream right now — today, no password manager required. So "one thing unlocks everything" isn't a risk the password manager introduces. It's a risk you already live with, except your inbox isn't built like a vault. A password manager is.

Second, the thing guarding that one login is doing a lot more work than a normal password:

  • The vault is encrypted, and the company can't read it. 1Password and similar password managers use zero-knowledge, end-to-end encryption. Your master password never leaves your device, and it's combined with a separate Secret Key to decrypt your data. If 1Password's own servers got breached tomorrow, the attacker walks off with a pile of encrypted gibberish. There is nothing on their end to steal that unlocks your stuff.
  • You put 2FA on the manager itself. Same one-time-code trick from earlier, now standing at the front door. Even if someone somehow got your master password, they still don't get in.
  • The one password you do have to remember can finally be a good one. Remember the correct-horse-battery-staple bit? This is where it cashes out. You've traded 200 weak, reused passwords for a single long passphrase you can actually memorize, sitting on top of a hardened, encrypted, 2FA'd vault. And you can really go nuts here. Make it a favorite quote or song lyric. Hell, put it in 1337-speak if you want. The more entropy the better.

So yeah — it's one basket. But it's a titanium basket with a combination lock and a camera on it, versus your current setup where the eggs are scattered around the neighborhood like a bad easter egg hunt. Concentrating the risk into one thing you can actually defend well beats spreading it across a hundred things you can't. That's the whole trade, and it's a good one.

So, uh, go do this

Here's the whole thing in one breath: stop reusing passwords, let a manager generate long random ones you never have to remember, keep a strong passphrase for the one master password you do, and turn on real 2FA. That's it. That's the post. You'll close the door on the single most common way small businesses get owned, and it'll take you an afternoon.

If you're a business — especially one juggling logins across a team, or handing sensitive credentials back and forth with vendors like, well, us, this stops being a nice-to-have and starts being the difference between "we had an incident" and "we did not have an incident, actually. You're welcome." We set this kind of thing up for clients all the time (not everything we do is dev/design. We're also very good at just giving advice. "Consulting," I think, they call it), and we're happy to help you get your own house in order too.

So give us a shout if you think you might need a hand. We promise not to judge your old AOL password. Much.

Illustration sourced from Storyset