1 Why Passwords Still Matter
Despite all the new authentication methods, passwords remain the foundation of account security. Getting them right is crucial.
- 81% of data breaches involve weak or stolen passwords
- The average person has 100+ online accounts
- Password reuse is the #1 mistake people make
- Attackers use "credential stuffing" - trying leaked passwords on other sites
2 Creating Strong Passwords
A strong password is long, random, and unique. Here's how to create them:
- Length matters most: Aim for at least 14 characters
- Use passphrases: "Purple$Elephant#Rides!Bicycles" is both strong and memorable
- Mix character types: Uppercase, lowercase, numbers, and symbols
- Avoid personal info: No birthdays, pet names, or sports teams
- Never reuse: Every account gets a unique password
3 Use a Password Manager
You can't remember 100 unique, complex passwords. A password manager does it for you securely.
- Generates random, strong passwords for every site
- Stores them encrypted with one master password
- Auto-fills login forms (saves time and prevents typos)
- Syncs across all your devices
- Can alert you if a password appears in a data breach
Recommended options: Bitwarden (free), 1Password, LastPass, Dashlane
4 What is Multi-Factor Authentication (MFA)?
MFA requires something you know (password) plus something you have (phone, security key) or something you are (fingerprint).
- Even if someone steals your password, they can't log in without the second factor
- Blocks 99.9% of automated attacks according to Microsoft
- Also called 2FA (Two-Factor Authentication) or 2-Step Verification
- Most major sites and services now offer MFA - use it everywhere
5 Types of MFA (Best to Worst)
Not all MFA is created equal. Here's a comparison from most to least secure:
| Method | Security | Convenience |
|---|---|---|
| Hardware Security Key (YubiKey) | Excellent | Moderate |
| Authenticator App (Google, Authy) | Very Good | Good |
| Push Notification (Duo, Okta) | Good | Very Good |
| SMS/Text Message | Okay | Very Good |
| Email Code | Weak | Good |
SMS is vulnerable to SIM swapping attacks. Use authenticator apps when possible.
6 Setting Up an Authenticator App
Authenticator apps generate time-based codes that change every 30 seconds. Here's how to set them up:
- Step 1: Download an authenticator app (Google Authenticator, Authy, Microsoft Authenticator)
- Step 2: Go to account security settings on the site you want to protect
- Step 3: Find "Two-Factor Authentication" or "2-Step Verification"
- Step 4: Select "Authenticator App" and scan the QR code with your app
- Step 5: Enter the 6-digit code to confirm setup
- Step 6: Save the backup codes somewhere safe (not on your phone)
7 Backup Codes: Don't Skip This!
When you set up MFA, you'll get backup codes. These give you emergency access if you lose your phone.
- Print them and store them in a safe or lockbox
- Save them in your password manager's secure notes
- Never store them on your phone (defeats the purpose)
- Each code typically works only once
- Generate new codes if you run low
8 Priority Order for Enabling MFA
You can't enable MFA everywhere at once. Start with the most critical accounts:
- 1. Primary email: This is the "master key" to reset other passwords
- 2. Financial accounts: Banks, investment accounts, PayPal, Venmo
- 3. Cloud storage: Google Drive, iCloud, Dropbox
- 4. Social media: Facebook, Instagram, LinkedIn, Twitter
- 5. Shopping sites: Amazon, eBay, any site with saved payment info
- 6. Everything else: Gaming accounts, subscriptions, forums