2/8

Lesson 2 15 min

Password Security and Management

Create unbreakable passwords, set up a password manager, and enable two-factor authentication on your most important accounts.

Premium Course Content

This lesson is part of a premium course. Upgrade to Pro to unlock all premium courses and content.

Access all premium courses
1000+ AI skills included
New content added weekly

← Back to course overview

Your Passwords Are Probably Compromised

Here is a reality check: if you have been using the internet for more than a few years, at least one of your passwords has been exposed in a data breach. It may have happened years ago without your knowledge.

By the end of this lesson, you will have a password manager set up, unique passwords on your critical accounts, and two-factor authentication protecting your most important logins.

Quick Recall: In the previous lesson, we learned that credential stuffing (reused passwords) and phishing are the two most common attack vectors. Let us eliminate the first one right now.

Why Your Current Passwords Are Not Safe

The password problem:

Common Habit	Why It Is Dangerous
Using the same password everywhere	One breach exposes all accounts
Simple passwords (name + birthdate)	Cracked in seconds by automated tools
Adding “!” or “1” to meet complexity rules	Attackers know these patterns
Writing passwords in a note on your phone	Anyone with your phone has all your passwords
Using browser “remember password” without a master password	Anyone with access to your computer has everything

Check if you have been breached: Visit haveibeenpwned.com and enter your email. This legitimate site (run by security researcher Troy Hunt) checks if your email appeared in known breaches. Most people are surprised by the results.

What Makes a Password Strong

Password strength comes from two factors: length and randomness.

Length matters most:

Password	Characters	Time to Crack
`cat123`	6	Instantly
`P@ssw0rd!`	9	Hours
`MyDogFluffy2024`	16	Days (but dictionary-based, so faster)
`kX9#mP2vL$nQ8wR!`	16 random	Centuries
`correct-horse-battery-staple`	28 random words	Centuries

The passphrase method: String together 4-6 random words. “purple-telescope-marble-seventeen” is easier to remember than “kX9#mP2v” and harder to crack.

Quick Check: Why is a long random password safer than a short complex one? Think about how cracking tools work.

Password Managers: The Solution

A password manager remembers all your passwords so you do not have to. You remember one strong master password. The manager handles everything else.

How it works:

You create one strong master password (the only one you memorize)
The manager generates random, unique passwords for every site
It auto-fills login forms so you never type passwords
All passwords are encrypted on your device

Recommended password managers:

Manager	Price	Best For
Bitwarden	Free (basic), $10/year (premium)	Best free option
1Password	$3/month	Families and ease of use
Apple Passwords	Free (Apple devices)	iPhone/Mac users
Google Password Manager	Free	Chrome/Android users

Setting up a password manager (30 minutes):

Choose a manager from the list above
Install the browser extension and mobile app
Create a strong master password (use a passphrase you can remember)
Import any passwords your browser has saved
Start changing passwords on your most important accounts to unique, generated ones

Priority accounts to secure first:

Email (this is the master key to everything)
Banking and financial accounts
Social media (often used for single sign-on)
Cloud storage (Google Drive, iCloud, Dropbox)
Shopping accounts with saved payment methods

Two-Factor Authentication (2FA)

Passwords alone are not enough. Two-factor authentication adds a second layer:

Something you know (password) + something you have (phone, security key)

Even if someone steals your password, they cannot log in without the second factor.

Types of 2FA (ranked by security):

Type	Security Level	How It Works
Hardware key (YubiKey)	Highest	Physical key you plug in
Authenticator app (Authy, Google Authenticator)	High	Code that changes every 30 seconds
Push notification	High	Approve login on your phone
SMS text code	Moderate	Code sent via text (vulnerable to SIM swap)
Email code	Low	Code sent to email (attackers may have your email too)

Use authenticator apps over SMS when possible. SMS can be intercepted through SIM swapping. Authenticator apps are local to your device.

Quick Check: Why are authenticator apps more secure than SMS codes for two-factor authentication?

Enable 2FA Now

Enable two-factor authentication on these accounts today:

Email (Google, Microsoft, Apple): This protects everything
Banking: Most banks offer 2FA; enable it
Social media: Facebook, Instagram, Twitter/X, LinkedIn
Cloud storage: Google Drive, iCloud, Dropbox

For each account:

Go to Settings > Security > Two-Factor Authentication
Choose authenticator app option when available
Save backup codes in your password manager (these let you in if you lose your phone)

Password Security Checklist

Run this checklist right now:

PASSWORD AUDIT
[ ] Checked haveibeenpwned.com for breached accounts
[ ] Installed a password manager
[ ] Created a strong master password (16+ characters or 4+ word passphrase)
[ ] Changed email password to unique, generated password
[ ] Changed banking passwords to unique, generated passwords
[ ] Enabled 2FA on email account
[ ] Enabled 2FA on banking accounts
[ ] Saved 2FA backup codes in password manager
[ ] Turned off browser password saving (password manager handles this now)

Try It Yourself

Secure your most important accounts in the next 30 minutes:

Install Bitwarden (free) or another password manager
Create a master password using the passphrase method
Change your email password to a manager-generated unique password
Enable two-factor authentication on your email
Change passwords on your two most important financial accounts

You have just eliminated the number one attack vector against personal accounts. Everything else in this course adds layers on top of this foundation.

Key Takeaways

Password reuse is the single biggest security vulnerability for most people; one breach exposes everything
Password strength comes from length and randomness: use 16+ character generated passwords or 4+ word passphrases
A password manager lets you use unique passwords everywhere while only remembering one master password
Two-factor authentication adds a critical second layer of defense; use authenticator apps over SMS when possible
Secure email first because it is the master key to resetting all other account passwords

Up Next

In Lesson 3: Spotting Phishing and Social Engineering, we will learn to recognize the tricks attackers use to bypass even the strongest passwords by manipulating you directly.

Knowledge Check

1. Why is password reuse the biggest security risk for most people?

It makes passwords easier to forget When one site is breached, attackers automatically try those credentials on your email, bank, and social media accounts Websites track reused passwords It slows down login speed

2. What makes a password truly strong?

Including special characters like ! and @ Length combined with randomness: a random 16-plus character password or a passphrase of 4-plus random words Changing it every month Using personal information nobody else knows

Answer all questions to check

Complete the quiz above first

Related Skills

Password Audit Guide