How secure does a password really need to be?

Let's be honest: your invoicing data is probably not what keeps an intelligence agency up at night. Still, it deserves a good password. The question is: how good does "good" need to be?

The real problem

Nobody sits down and tries to crack your specific company file. That's not how attacks work. What actually happens is credential stuffing: millions of username/password pairs stolen in data breaches are automatically thrown at anything that has a login.

If your password is "Summer24" and you also use it for your email account, you have a problem — not because of your invoices, but because of everything else that hangs on the same password.

Why "complex" doesn't help

"At least one uppercase letter, a number, a special character" — that sounds secure, but it leads to passwords like Summer24!. Technically it meets the rules. It's still not secure.

The problem isn't a lack of complexity. The problem is predictability. Humans are bad at coming up with random things — and that's exactly what attackers exploit.

The four-word approach

The idea is compelling: take four words picked at random from a word list, not four words you think of yourself. "Cloud Fork Attic Penguin". Easy to remember, hard to crack: with a list of several thousand words there are over 2 quadrillion combinations, and behind a slow key derivation function such as PBKDF2 that is out of reach of offline guessing.
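To put numbers on the two claims above, that "Summer24!"-style passwords are predictable and that four random words are not, here is an added Python example that is not from the original article. The 16-word list is constructed for the demo; 7776 is the size of a real diceware-style list (the EFF long list); the season/year/symbol template for "Summer24!" and the guessing rate are assumptions you supply, not measurements.

```python
import math
import secrets
import string

# Constructed 16-word sample list, only so the demo runs offline.
# A real passphrase list is far larger: the EFF long list has 7776 words (6^5,
# so five dice rolls pick one word).
SAMPLE_WORDS = [
    "cloud", "fork", "attic", "penguin", "river", "lantern", "marble", "tiger",
    "orbit", "velvet", "cactus", "harbor", "pixel", "walnut", "comet", "saddle",
]
EFF_LONG_LIST_SIZE = 7776

# 52 letters + 10 digits + 32 punctuation characters = 94 symbols
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def passphrase(wordlist, n_words=4):
    """Pick n_words uniformly at random with the OS CSPRNG. The randomness
    comes from the generator, never from the person remembering the result."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def random_password(length=20, alphabet=PASSWORD_ALPHABET):
    """What a password manager's generator does: independent uniform symbols."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def combinations(choices, picks):
    """Size of the search space for `picks` independent draws from `choices` options."""
    return choices ** picks


def entropy_bits(choices, picks):
    """log2 of the search space: each uniform pick from N options adds log2(N) bits."""
    return picks * math.log2(choices)


def pattern_bits(*option_counts):
    """Entropy of a human pattern built from independent slots, e.g. a season
    (4 options), a two-digit year (100) and a trailing symbol (32) for "Summer24!".
    The template itself is an assumption about how people build such passwords."""
    return sum(math.log2(n) for n in option_counts)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every combination at a given guessing rate.
    The rate is an input: it depends on the attacker's hardware and on how slow
    the key derivation function (e.g. PBKDF2 iterations) makes each guess."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print("four random words:", passphrase(SAMPLE_WORDS))
    print("manager-style password:", random_password())
    print(f"4 words from {EFF_LONG_LIST_SIZE}: {combinations(EFF_LONG_LIST_SIZE, 4):,} "
          f"combinations, {entropy_bits(EFF_LONG_LIST_SIZE, 4):.1f} bits")
    print(f"20 symbols from {len(PASSWORD_ALPHABET)}: {entropy_bits(94, 20):.1f} bits")
    print(f"season + year + symbol pattern: {pattern_bits(4, 100, 32):.1f} bits")
    rate = 1e6  # assumed guesses per second against a slow KDF
    print(f"at {rate:.0e} guesses/s: 4 words take {years_to_exhaust(entropy_bits(7776, 4), rate):.0f} years, "
          f"the pattern takes {years_to_exhaust(pattern_bits(4, 100, 32), rate) * 365.25 * 86400:.3f} seconds")
```

The comparison is the whole argument of the page in two numbers: about 52 bits for four random words against about 14 bits for a "season, year, symbol" pattern, even though the pattern satisfies every complexity rule. The 16-word sample list only yields 16 bits, which is why a real list of thousands of words matters.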

For a single password, this is perfect. But how many logins do you have? Email, cloud storage, banking, accounting, ten online shops, three streaming services… Can you remember four different random words for each one?

Where the method breaks down

Right here. At the second, third, twentieth login. You can remember "Cloud Fork Attic Penguin". But was that the password for the bank or for the cloud storage? And which four words was it for the email account?

In practice, the same thing happens every time: you use the same password everywhere. Or a variation of it. "CloudFork1" for the bank, "CloudFork2" for the cloud. Attackers know this pattern, and guess lists include those variations.

The uncomfortable truth: You cannot memorize a unique secure password for every service. Nobody can. The solution is to stop trying.

One password to replace them all

A password manager generates a unique, random password for every login: 20 characters, pure randomness, infeasible to guess. You don't need to remember any of them.

You only need to remember one: the master password for the manager itself. And that's exactly where the four random words work perfectly. A single strong password that protects access to all the others.

Which manager?

Apple's "Passwords" app is already on your Mac and syncs via iCloud. 1Password and Bitwarden are alternatives with more features. Which one you choose matters less than the fact that you use one.

What matters is this: let the manager generate the passwords. Don't type "Summer24" into the manager — use the random generator that creates 20-character strings no human could guess.

And in GrandTotal?

When you encrypt your company file, the data is protected with AES-256. The key is derived from your password, so the encryption is only as strong as that password: AES-256 is not the weak point, a guessable password is. A random password generated by a password manager removes that weak point and makes the encryption practically unbreakable.
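The page states that the file key is derived from the password but not how. This added example (not GrandTotal's code; the app's actual key derivation function and parameters are not given on the page) uses PBKDF2-HMAC-SHA256, the function named earlier in the article, to derive a 32-byte AES-256 key, and then runs the attack the page describes: an offline list of breached passwords tried against a weak password and against a generated one. The iteration count, salt size and guess list are assumptions.

```python
import hashlib
import os
import secrets
import string
import time

KEY_LEN = 32            # AES-256 takes a 256-bit key
ITERATIONS = 600_000    # assumed iteration count; the page does not state GrandTotal's

# Constructed guess list standing in for passwords harvested from breaches.
BREACH_LIST = ["password", "123456", "Summer23", "Summer24", "Summer24!", "Winter24!"]


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 from password and salt. Whoever knows the password
    can recompute the key; whoever does not must pay the iteration cost per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def seconds_per_guess(salt: bytes, iterations: int = ITERATIONS) -> float:
    """Measure what one derivation costs here. An attacker pays this for every
    candidate password, which is the whole point of a slow KDF."""
    start = time.perf_counter()
    derive_key("timing-probe", salt, iterations)
    return time.perf_counter() - start


def guess_offline(target_key: bytes, salt: bytes, candidates, iterations: int = ITERATIONS):
    """Offline attack: the attacker holds the salt and a way to recognise the
    right key, and tries each candidate. Returns (password or None, guesses spent)."""
    for tried, candidate in enumerate(candidates, start=1):
        if derive_key(candidate, salt, iterations) == target_key:
            return candidate, tried
    return None, len(candidates)


def random_password(length: int = 20) -> str:
    """Generator-style password: 20 independent symbols from 94 characters."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    salt = os.urandom(16)          # per-file random salt, so identical passwords give different keys
    cost = seconds_per_guess(salt)
    print(f"one PBKDF2 guess at {ITERATIONS:,} iterations: {cost:.3f} s on this machine")

    weak_key = derive_key("Summer24!", salt)
    found, spent = guess_offline(weak_key, salt, BREACH_LIST)
    print(f"weak password recovered: {found!r} after {spent} guesses")

    strong_key = derive_key(random_password(), salt)
    found, spent = guess_offline(strong_key, salt, BREACH_LIST)
    print(f"generated password recovered: {found!r} after {spent} guesses")
    print(f"a list of one million breached passwords would cost about "
          f"{cost * 1e6 / 3600:.1f} hours per file at this rate")
```

The slow derivation buys time per guess, but it cannot rescue a password that is in the attacker's list: "Summer24!" falls on the fifth guess regardless of the iteration count. A generated 20-character password is not in any list, so the attacker is left with the full search space, which is where the bit counts from earlier in the article take over.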

Save the password in the macOS "Passwords" app — then you won't have to enter it every time you open the file, and it's still stored securely.

It's not about your invoices

Do your invoicing records need to be uncrackable? Probably not. But a password is a habit, not a one-off. Anyone who uses "Summer24" for their company file uses it for their email account and online banking too.

A password manager plus a strong master password costs you ten minutes of setup. The habit you build in the process protects not just your invoices — but everything else as well.

In a nutshell

One password per service: the most important rule of all.

Use a password manager: it generates and stores a password for every login.

Four random words: as your master password, not for every service.

Length beats complexity: "Cloud Fork Attic" > "P@ssw0rd!"