Never Hardcode Credentials

Credentials embedded in source code inevitably end up in version control systems. Use environment variables or secrets management tools to inject credentials at runtime. Scan your codebase regularly with tools like git-secrets to catch accidental commits.
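As an added example (not part of the original page), the following Python shows the two halves of this advice: a loader that reads a credential from the environment and refuses to start without it, and a small scanner in the spirit of git-secrets that flags lines which look like an embedded credential. The environment variable name, the detection patterns and the two sample source snippets are constructed for illustration.

```python
import os
import re
from typing import List, Mapping, Tuple


def load_credential(name: str, env: Mapping[str, str] = os.environ) -> str:
    """Read a credential injected at runtime (env var or a secrets-manager
    sidecar that populates the environment). Fail loudly when it is absent so a
    missing secret is never silently replaced by a hardcoded default."""
    value = env.get(name)
    if not value:
        raise RuntimeError(f"required credential {name!r} is not set in the environment")
    return value


# Patterns typical of accidentally committed secrets (constructed, illustrative;
# a real scanner ships a much larger, maintained pattern list).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # password = "...", PASSWORD: '...' etc. with a non-trivial literal value
    "generic_password_assignment": re.compile(
        r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{6,}['\"]"
    ),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def scan_source(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, pattern_name) for every line that looks like an
    embedded credential. A pre-commit hook would reject the commit on any hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


# Constructed samples: the first file hardcodes a password, the second reads
# the same credential from the environment and therefore produces no finding.
HARDCODED = 'DB_PASSWORD = "hunter2hunter2"\nconn = connect(password=DB_PASSWORD)\n'
INJECTED = 'import os\nconn = connect(password=os.environ["DB_PASSWORD"])\n'

if __name__ == "__main__":
    print(scan_source(HARDCODED))  # [(1, 'generic_password_assignment')]
    print(scan_source(INJECTED))   # []
    print(load_credential("DB_PASSWORD", {"DB_PASSWORD": "example-value"}))
```

Wiring scan_source into a pre-commit hook over the staged diff catches the mistake before it reaches history; once a secret has been pushed, rotating it is the only real remedy, because removing it from the tree does not remove it from clones.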

Service Account Passwords Should Be Maximally Random

Database connection passwords and API keys are never typed by humans, so memorability is completely irrelevant. Generate them at the maximum length the service accepts, using the full character set the service allows. For passwords stored in a configuration system, 32 or more random characters provide effectively uncrackable security.
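The following Python is an added example, not code from the original page. It generates a service password from a CSPRNG over the full printable ASCII set and computes the resulting entropy, so you can check that a chosen length clears a floor before provisioning the account. The default character set and the 128-bit floor are assumptions; substitute the set and length the target service documents.

```python
import math
import secrets
import string

# Constructed default: every printable ASCII character except whitespace.
# Replace with the exact set the service accepts if it is more restrictive.
FULL_CHARSET = string.ascii_letters + string.digits + string.punctuation


def generate_service_password(length: int = 32, alphabet: str = FULL_CHARSET) -> str:
    """Uniformly random password from `alphabet`, using the secrets module
    (CSPRNG) rather than random, which is not suitable for credentials."""
    if length < 1 or len(alphabet) < 2:
        raise ValueError("length must be positive and alphabet must have at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def meets_floor(length: int, alphabet: str = FULL_CHARSET, min_bits: float = 128.0) -> bool:
    """True when a password of this length over this alphabet reaches the
    entropy floor (128 bits assumed here as a conservative minimum)."""
    return entropy_bits(length, len(alphabet)) >= min_bits


def expected_bruteforce_years(length: int, alphabet_size: int, guesses_per_second: float = 1e12) -> float:
    """Expected time to guess the password at a given guess rate (constructed
    rate of 1e12 guesses/s): half the keyspace divided by the rate."""
    keyspace = alphabet_size ** length
    seconds = (keyspace / 2) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_service_password(32)
    print(pw, len(pw))
    print(f"{entropy_bits(32, len(FULL_CHARSET)):.1f} bits")       # ~209.8 bits
    print(meets_floor(32), meets_floor(12))                           # True False
    print(f"{expected_bruteforce_years(32, len(FULL_CHARSET)):.3e} years")
```

Because the service never displays the password to a person, there is no reason to exclude ambiguous characters such as l, 1, O and 0; only exclude what the service itself rejects, and prefer raising the length over shrinking the alphabet.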

Rotation and Expiration

Unlike human passwords, service credentials benefit from regular programmatic rotation. Automated rotation using secrets management systems can change database passwords on a schedule without any human intervention. This limits the window during which a compromised credential can be exploited.
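As an added example (not the page's or any particular secrets manager's code), the Python below models the rotation lifecycle described above: each secret carries a maximum age, a scheduler rotates whatever is due, the new value is installed in the backing service before it is published, and one previous version stays valid so consumers that have not yet refreshed keep working. The secret name, the 30-day policy and the fake service installer are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List


@dataclass
class SecretVersion:
    value: str
    created: datetime


@dataclass
class RotatingSecret:
    """Minimal model of a secrets-manager entry with scheduled rotation
    (constructed; real managers expose the same ideas through their own APIs)."""
    name: str
    max_age: timedelta
    versions: List[SecretVersion] = field(default_factory=list)

    @classmethod
    def create(cls, name: str, max_age: timedelta, now: datetime) -> "RotatingSecret":
        return cls(name, max_age, [SecretVersion(secrets.token_urlsafe(32), now)])

    def current(self) -> SecretVersion:
        return self.versions[-1]

    def is_due(self, now: datetime) -> bool:
        return now - self.current().created >= self.max_age

    def rotate(self, now: datetime, set_in_service: Callable[[str, str], None]) -> SecretVersion:
        """Generate a new value, install it in the service first, then publish
        it. Keep exactly one previous version as an overlap window; anything
        older (including a leaked value) stops working at the next rotation."""
        new = SecretVersion(secrets.token_urlsafe(32), now)
        set_in_service(self.name, new.value)
        self.versions.append(new)
        del self.versions[:-2]
        return new

    def is_valid(self, candidate: str) -> bool:
        """Constant-time check of a presented credential against the versions
        still accepted (current plus one previous)."""
        return any(
            secrets.compare_digest(candidate.encode(), v.value.encode())
            for v in self.versions
        )


def rotate_due_secrets(
    store: Dict[str, RotatingSecret],
    now: datetime,
    set_in_service: Callable[[str, str], None],
) -> List[str]:
    """Scheduler entry point: rotate every secret past its max age and report
    which ones changed. Runs unattended, e.g. from a cron job or a manager hook."""
    rotated = []
    for secret in store.values():
        if secret.is_due(now):
            secret.rotate(now, set_in_service)
            rotated.append(secret.name)
    return rotated


if __name__ == "__main__":
    # Constructed service stand-in: records the password the service would accept.
    installed: Dict[str, str] = {}
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = {"db/app-reader": RotatingSecret.create("db/app-reader", timedelta(days=30), t0)}
    print(rotate_due_secrets(store, t0 + timedelta(days=10), installed.__setitem__))  # []
    print(rotate_due_secrets(store, t0 + timedelta(days=30), installed.__setitem__))  # ['db/app-reader']
```

The order inside rotate matters: installing the new value in the service before publishing it means a consumer can never fetch a credential the service does not yet accept, and retaining one previous version bounds the exposure of a leaked value to at most two rotation periods.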

Least Privilege for Service Accounts

Each service should use dedicated credentials with only the permissions it actually needs. A read-only API should have read-only database credentials. Least privilege contains the blast radius of any single credential compromise.

Key Takeaway

Infrastructure credentials deserve more security rigor than user passwords, not less. Use a secrets management system, generate maximally random credentials, and rotate them programmatically.