Why strong passwords matter, how to create them and how to remember them effortlessly
Did you know?
< 1 sec: that's how long it takes to crack the password "123456" with a modern computer
1.1 billion compromised passwords are in the HaveIBeenPwned database
81% of breached accounts use a weak or stolen password (Verizon DBIR)
51% of users reuse the same password across multiple sites
2 hours: average time to crack an 8-character password without special characters
Thousands of years: how long it would take to crack a good passphrase like "sky-river-mountain-sun"
What can happen with a compromised password
Password cracking is usually not a targeted attack on you personally — attackers use automated tools that try millions of combinations per second on stolen databases. If you use a weak or reused password, it's only a matter of time.
💳
Financial theft
Access to bank or PayPal accounts, unauthorized purchases, money transfers. Recovery can take weeks with significant bureaucratic hassle.
📧
Email takeover
Email is the key to everything — whoever has it can reset passwords for every other service. One compromised account can trigger a chain reaction.
🪪
Identity theft
Personal data is used to open credit lines, create fake profiles or for blackmail. Recovery from identity theft takes an average of 200 hours of work.
🔒
Ransomware
An attacker locks your files and demands ransom. A common entry point is weak or reused passwords for remote access.
💬
Profile abuse
Sending spam to your contacts, posting fake content or requesting money in your name — all before you notice what's happening.
🏢
Business consequences
A breached business account can result in client data leaks, GDPR fines and loss of company reputation.
Passphrase or random password — which is better?
Short but complex passwords were long considered the gold standard. Modern research shows that long phrases of several familiar words are equally secure — and far easier to remember.
✗ Typical password
X8#mK2@p
Hard to remember — the brain poorly retains random strings
Easy to mistype — especially on mobile
Users write it down or reuse it everywhere
Dictionary variants ("P@ssw0rd") are instantly recognized by tools
✓ Word-based passphrase
nebo-rijeka-planina
Easy to remember — the brain retains stories and images
Easy to type even on a mobile keyboard
Different every time, no need to reuse
Not in attack dictionaries — the combination is unique
Recommended strength by account type
These recommendations are minimums — you can always go stronger. For passwords, use a mix of lowercase and uppercase letters, numbers and special characters. Passphrases are secure and memorable even without special characters.
Account type | Passphrase | Password
🔑 Master password | 5+ words | 20+ chars, all types
📧 Email, cloud | 4+ words | 16+ chars
🏦 Banking, finance | 4+ words | 16+ chars
💼 Work, VPN | 4+ words | 14+ chars
📱 Social media | 3+ words | 12+ chars
🛍 Shopping, forums | 3+ words | 10+ chars
Geslar password levels: Basic (8–12 chars) · Good (13–16 chars) · Strong (17–20 chars) · Maximum (21–32 chars) — length is randomly selected within the range each time.
Why use a password manager
The average user has 100+ online accounts. It's impossible to remember a unique strong password for each one. A password manager solves this — you remember only one master password, it remembers everything else for you.
🔑
One master password
Remember just one long, strong password. The manager remembers all others for you — securely encrypted in your vault.
🔀
Unique for every site
Each account gets its own unique password. If one leaks, the rest are completely safe — no chain reaction.
⚡
Auto-fill
The manager recognizes the site and fills in the password automatically. Faster than memorizing, with no typing errors.
🔔
Breach alerts
Automatic checking whether your password has been found in known data breaches — instantly notifies you to change it.
📱
Device sync
Your passwords available on computer, phone and tablet — everything synced and securely encrypted in the cloud.
🛡️
Phishing protection
The manager only fills passwords on the correct domain. On a fake site it won't offer to fill in — excellent protection against phishing attacks.
Recommended password managers
Geslar (free, local)
Croatian password manager with AES-256-GCM encryption and zero-knowledge architecture. Works completely locally — no registration, no cloud, no subscription. Built-in TOTP 2FA, auto-fill, Vault health and secure sharing — all free. The only PM with a Croatian passphrase generator.
Bitwarden (free, open source)
The most popular free open-source manager. Available on all platforms (Windows, macOS, Linux, iOS, Android) and all browsers. The free version covers all the needs of most users. Recommended for beginners and advanced users alike.
bitwarden.com
1Password (premium)
Premium user experience with advanced features — team or family sharing, Travel Mode (hides sensitive vaults at borders), 2FA app integration. Paid subscription, but worth it for business users.
1password.com
KeePassXC (free, offline)
Everything is stored locally on your device — no cloud, no subscription, no internet. Ideal for users who don't want data on any server. Requires a bit more technical knowledge for setup and manual syncing.
keepassxc.org
Proton Pass (free)
A new player from the team behind ProtonMail — emphasis on privacy and end-to-end encryption. Free version available on all platforms, a good alternative to Bitwarden for users already in the Proton ecosystem.
proton.me/pass
NordPass (premium)
Manager from the team behind NordVPN with XChaCha20 encryption. Clean and simple interface, available on all platforms. Free version allows only one active session at a time — a subscription is needed for multiple devices.
nordpass.com
LastPass (premium)
One of the best-known managers, but with a problematic security history. In December 2022 it suffered a serious breach in which attackers gained access to users' encrypted vaults. Users with weak master passwords were at risk of decryption. We recommend considering more secure alternatives.
lastpass.com
Our pick: We recommend Geslar for users who want a local, free password manager with no compromises. For users who need cloud sync from day one, Bitwarden is the best free alternative.
Two-factor authentication (2FA / MFA)
Even if someone learns your password, 2FA prevents them from logging in — without the second factor (your phone or device) access is impossible. Multi-factor authentication (MFA) combines two or more of the following factors:
🧠
Something you know
password, PIN
📱
Something you have
phone, hardware key
👆
Something you are
fingerprint, Face ID
📲
Authenticator app
Google Authenticator, Authy or 2FAS generate one-time codes (TOTP) that expire in 30 seconds. The safest everyday option — cannot be intercepted like SMS.
💬
SMS code
A code arrives by text message. Better than nothing, but vulnerable to SIM swapping attacks — someone can take over your number and receive the code. Use only if no other option is available.
🔐
Hardware key
YubiKey or similar USB/NFC device that you physically press to log in. The most reliable option — cannot be remotely compromised or phished. Recommended for high-risk accounts.
👆
Biometrics
Fingerprint or Face ID as a second factor — practical and secure on modern devices. Biometric data stays locally on the device and is not sent to a server.
📋
Backup codes
One-time codes for emergency access if you lose your phone or access to a 2FA app. Each is used only once — store them securely: print them or put them in a password manager.
🗝️
Passkey (passwordless)
A new standard that replaces both password and 2FA — a cryptographic key stored on the device, unlocked with biometrics or PIN. Resistant to phishing. Supported on Google, Apple and Microsoft.
Which accounts must have 2FA enabled
Email (Gmail, Outlook…) — the key to resetting everything else
Banking and financial accounts — PayPal, crypto exchanges, online banking
Password manager — protects all other passwords at once
Business tools — Microsoft 365, Google Workspace, Slack, GitHub
Social media — Facebook, Instagram, LinkedIn, Twitter/X
Cloud storage — Google Drive, iCloud, Dropbox
Recommended security order: Authenticator app > Hardware key > Biometrics > SMS > No 2FA. Even SMS 2FA reduces the risk of a breach by over 99% compared to using a password alone.
Recommended 2FA apps
Our pick: Geslar Ključar — a mobile authenticator from the Geslar ecosystem. AES-256-GCM encryption, local without cloud, import from 7 authenticators. Free, no registration.
Geslar Ključar (free, offline)
Mobile TOTP/HOTP authenticator with military-grade encryption (AES-256-GCM). Each key encrypted separately, biometric unlock, import from Google Authenticator, Aegis, 2FAS, Raivo, andOTP, FreeOTP+ and Geslar. Completely local — no cloud, no registration, no tracking. Android and iOS.
2FAS (free, open source)
The best cross-platform option — available on iOS and Android with optional cloud sync. Open source, no ads, no subscription. Supports backup to Google Drive or iCloud. Recommended as the first choice for most users.
2fas.com
Aegis (free, open source, offline)
The best Android option — locally stored encrypted vault, no cloud, no tracking. Supports backup to your own device or storage. Ideal for users who don't want data on any server. Android only.
getaegis.app
Authy (free)
Popular option with cloud sync and multi-device support (iOS, Android, desktop). Easy to use and switch to a new phone. Note: owned by Twilio which suffered a breach in 2022 — only phone numbers were exposed, not TOTP secrets.
authy.com
Google Authenticator (free)
The most widespread app, recommended by default on most services. Simple and reliable. Since 2023 it supports Google account sync — previously it didn't, which often caused code loss when switching phones.
g.co/authenticator
Microsoft Authenticator (free)
An excellent option for Microsoft ecosystem users (Microsoft 365, Azure, Xbox). Supports passwordless sign-in for Microsoft accounts and push notifications instead of codes. Available on iOS and Android.
microsoft.com/authenticator
Tip: Store 2FA backup codes separately from your phone — in a password manager or printed in a safe place. Losing your phone without backups can permanently lock you out of your accounts.
Secure password sharing
The Secure Send feature encrypts the password locally (AES-256-GCM + PBKDF2) before it leaves your device. The server stores only the encrypted content — the decryption key exists only in the URL fragment that the server never sees (#fragment). The recipient decrypts locally in their browser.
⏱
Expiration
The link automatically expires after 1–90 days. After expiration the encrypted payload is deleted from the server — the link becomes unusable.
⚡
One-time link
An option that deletes the link immediately upon first opening. The recipient sees a notice that the link has been deleted — no possibility of repeat access.
👁
View limit
The server counts how many times the link has been opened. After reaching the limit (default: 3) the link is automatically deleted. Set during generation.
🔒
PIN protection
An optional 4–8 digit PIN as an extra layer of protection. PBKDF2 (200,000 iterations) — the PIN never leaves the device, the server never sees or stores it.
▦
QR code
The link can also be shared as a QR code directly from the app. The QR is generated locally — nothing is sent anywhere.
🛡
Rate limiting
The server limits the number of requests per IP address (120/hour) to prevent automated abuse or brute-force attacks on the PIN.
What the link protects and what it doesn't
What is secure
Content encrypted with AES-256-GCM — the server sees only an encrypted string
The decryption key never leaves the URL fragment (#) — the server doesn't receive it
The link expires automatically (1–90 days)
One-time link or view limit — the server controls the number of accesses
PIN as a second factor — PBKDF2, the server never sees it
Decryption happens locally in the recipient's browser
Limitations
Someone who intercepts the full URL (including #fragment) has full access — unless a PIN is set
No notification of whether the link has already been opened
The link cannot be revoked before expiration — you can only wait for it to expire or reach the view limit
Security depends on whom you share the URL with and how you share it
Recommendation: For sensitive data, use a one-time link with an optional PIN. Use the shortest possible expiration time. As soon as the recipient confirms receipt, consider the password compromised and change it on that service.
How Geslar protects your data
Geslar uses a zero-knowledge architecture — your data is encrypted and decrypted exclusively on your device. Neither the server nor the development team ever sees your passwords in unencrypted form.
🔐
AES-256-GCM encryption
All sensitive data is encrypted with AES-256-GCM — the same standard used by military and financial institutions. Encryption is performed locally in your browser.
🔑
PBKDF2 key derivation
Your master password goes through PBKDF2 with 200,000 iterations before becoming an encryption key. This drastically hinders brute-force attacks even on weaker passwords.
🛡
Local processing
Password generation, strength checking and phrase analysis all happen completely locally. Your passwords never leave the device — nothing is sent to a server.
🕵
k-Anonymity breach checking
Checking via HaveIBeenPwned uses the k-Anonymity protocol — only the first 5 characters of the SHA-1 hash are sent. Your full password never leaves the device, not even in hashed form.
📡
No tracking or analytics
Geslar does not use cookies, analytics tools or tracking scripts. No Google Analytics, Facebook Pixel or any kind of user data collection.
📦
Self-hosted fonts and resources
All resources (fonts, scripts, styles) are served from our own domain. No calls to Google Fonts, third-party CDNs or external services that could track users.
Standards compliance
Geslar is designed with leading security standards and regulations in mind. Although Geslar is a personal-use application, we follow the same principles expected of professional security solutions.
🇪🇺
GDPR
Full compliance with the General Data Protection Regulation. We do not collect personal data. No cookies, no tracking. All data is processed locally on the user's device. More in the privacy policy.
📋
ISO 27001
Geslar's security measures are aligned with ISO 27001 Annex A controls: cryptographic key management (A.8.24), data-at-rest protection (A.8.5) and access management (A.8.9).
🏛
NIS2 Directive
In line with Article 21 of the NIS2 Directive we apply: data encryption, secure authentication, supply chain protection (no external dependencies for critical functions) and regular security reviews.
🇺🇸
NIST guidelines
We follow NIST SP 800-63B recommendations: supporting long passphrases instead of forcing complexity, not requiring periodic password rotation and checking passwords against known breaches (HaveIBeenPwned).
Transparency: Geslar does not store user accounts, does not require registration and does not collect any data. The only external communication is anonymous password checking via the HaveIBeenPwned API using the k-Anonymity protocol.
Common myths about passwords
❌ "I'm safer because I use a lesser-known site"
Lesser-known sites often have weaker security infrastructure. Data breaches happen daily on all types of services — from large to small.
❌ "My password is strong because it contains a number and a capital letter"
"Password1" meets those criteria but is cracked in a second. Predictable patterns (P@ssw0rd, Name1234) are first on dictionary attack lists.
❌ "I change my password every 3 months — I'm safe"
NIST no longer recommends forced password rotation. Frequent changes encourage users to use weaker and more predictable passwords (e.g. adding a number at the end). Change only if you suspect a compromise.
❌ "I save my password in the browser — that's enough"
Browser passwords are not encrypted the same way as in a dedicated manager. On a shared computer or with profile access, passwords are easily accessible. A dedicated manager offers significantly stronger protection.
❌ "Nobody will target me — I'm not important"
99% of attacks don't target individuals but lists of passwords from leaked databases. Automated bots constantly try combinations on millions of accounts — it makes no difference whether you're "important" or not.
Security tips — quick overview
✓ Do this
Use a different password for every account
Use a password manager
Enable 2FA on all important accounts
Use passphrases — long and memorable
Regularly check for breaches — use Check password on Geslar
Your master password should be the strongest of all
Use a unique email alias for sensitive services
✗ Avoid this
Writing passwords on paper or in an unencrypted document
Same password in multiple places (even with small variations)
Personal data in passwords — name, date, city
Sharing passwords via email or SMS
Logging into sensitive accounts on public Wi-Fi without a VPN
Storing passwords in the browser without a master password
Ignoring data breach alerts
Take control of your passwords
Military-grade encryption, local, free with no limits.
If you've discovered a security flaw in Geslar — the generator, Škrinjar extension, Ključar app, or infrastructure — please report it responsibly. We value the work of security researchers and commit to a timely response.
Contact
Send an email describing the issue, reproduction steps, and potential impact. Encrypt your message with PGP if possible.
In scope: geslar.app, *.geslar.app, Škrinjar Chrome/Firefox/Edge extension, Ključar Android/iOS app. Out of scope: third-party services (Cloudflare, Lemon Squeezy), social engineering, physical access, DoS testing.
Our Response
Acknowledgement within 48h. Initial assessment within 7 days. Prioritized fix for critical and high-severity issues. Public acknowledgement (with your consent) after resolution.