Passwords and Authentication

The Foundation of Everything

If you do nothing else in this entire book, do this chapter. Password security is the single highest-impact action you can take to protect yourself online. Most account compromises — the "hacking" people fear — happen because of weak or reused passwords.

Why Most Passwords Fail

The Reuse Problem

The average person has 100+ online accounts. Most people use the same password — or minor variations — for many of them. When any one of those services is breached (and they are, regularly), attackers try that email-password combination on every major site. This is called credential stuffing, and it's automated, fast, and devastatingly effective.

The Weakness Problem

"Password123," "qwerty," your dog's name, your birthday, your spouse's name plus a number — attackers know all of these. They use lists of the most common passwords and dictionaries of personal information scraped from social media. If your password contains real words, names, or dates, it's vulnerable.

The Length Problem

A truly random 8-character password can be cracked in hours with modern hardware. A 16-character random password would take millions of years. Length is the single most important factor in password strength, far more than adding symbols or numbers.
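To make the length-versus-complexity claim concrete, here is a small calculator (an added example, not part of the book) that computes the entropy of a random password and an estimated offline crack time. It also goes beyond the passage by scoring word-based passphrases of the kind recommended later for the master password. The guess rate is an assumed figure for a fast hash on a modern GPU rig; real rates depend on how the site hashes passwords.

```python
"""Why length beats symbols: search-space and crack-time estimates."""
import math

# Assumed offline guess rate (guesses per second) for a fast, unsalted hash
# on modern GPU hardware. A constructed assumption; slow hashes such as
# bcrypt or Argon2 cut this by many orders of magnitude.
GUESSES_PER_SECOND = 1e11

CHARSETS = {
    "lowercase": 26,
    "lowercase+digits": 36,
    "mixed+digits": 62,
    "mixed+digits+symbols": 95,
}


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def passphrase_bits(words: int, wordlist_size: int = 7776) -> float:
    """Entropy of a passphrase of words picked at random from a wordlist
    (7776 words is the size of the standard diceware list)."""
    return words * math.log2(wordlist_size)


def expected_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """On average the attacker searches half the space before a hit."""
    return (2 ** bits) / 2 / rate


def human(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 3.15e7), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    for length in (8, 12, 16):
        for name, size in CHARSETS.items():
            bits = entropy_bits(length, size)
            print(f"{length:2d} chars, {name:22s}: {bits:5.1f} bits, "
                  f"{human(expected_crack_seconds(bits))}")
    print(f"4-word diceware passphrase: {passphrase_bits(4):.1f} bits")
```

Running it shows that 12 random lowercase letters already carry more entropy than 8 characters drawn from the full keyboard, which is the chapter's point about length.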

The Solution: Password Managers

A password manager generates, stores, and auto-fills unique, random passwords for every account. You remember one master password. The manager remembers the other hundred.

How They Work

You install the password manager app on your phone and computer, plus a browser extension. When you log into a site, the manager auto-fills your credentials. When you create a new account, it generates a random password and saves it. Everything is encrypted — even the password manager company can't see your passwords.

Recommended Password Managers

Bitwarden — Free, open-source, excellent. The best option for most people. Premium tier ($10/year) adds extras but the free version is fully functional.

1Password — $36/year. Polished, user-friendly, excellent family plan. The best option if you're willing to pay.

Apple Passwords — Built into iPhone, iPad, and Mac. Free, seamless within the Apple ecosystem. Limited outside Apple devices.

Google Password Manager — Built into Chrome and Android. Free. Convenient but ties your security to your Google account.

Setting Up a Password Manager

The transition from memory-based passwords to a password manager takes about an hour of setup, then days of gradual migration as you log into sites and update passwords.

Step 1: Choose a manager and install it on all your devices.

Step 2: Create a strong master password — the only password you need to remember. Make it long (16+ characters), memorable, and unique. A passphrase works well: "correct-horse-battery-staple" is stronger than "P@ssw0rd!" and easier to remember.

Step 3: As you log into sites over the next few weeks, save each login to the manager and replace weak/reused passwords with generated ones.

Step 4: Prioritize critical accounts first: email, banking, social media, anything with financial data.

AI Prompt: Password Security Audit

Help me audit my password security.

Current approach: [describe how you manage passwords now]
Number of online accounts (estimate): [number]
Do I reuse passwords: [yes/no/sometimes]
Accounts I'm most concerned about: [list critical ones]
Have I been in any known data breaches: [check HaveIBeenPwned.com]

Please:
1. Assess my current risk level
2. Recommend a password manager for my situation
3. Create a step-by-step migration plan
4. Prioritize which accounts to secure first
5. Explain how to create a strong master password
6. Advise me on what to do about accounts I've forgotten about

Two-Factor Authentication (2FA)

A password alone isn't enough for important accounts. Two-factor authentication adds a second verification step — something you have in addition to something you know.

Types of 2FA (Best to Worst)

Hardware security keys (best): Physical devices like YubiKey. Plug in or tap to authenticate. Virtually impossible to phish. $25–$70 per key.

Authenticator apps (great): Apps like Google Authenticator, Authy, or Microsoft Authenticator generate time-based codes. Free and significantly more secure than SMS.

SMS codes (better than nothing): A code texted to your phone. Vulnerable to SIM-swapping attacks but still far better than no 2FA.

Email codes (weakest 2FA): A code sent to your email. Only as secure as your email account.

Where to Enable 2FA

At minimum: email accounts (highest priority — your email is the gateway to everything), bank and financial accounts, social media accounts, cloud storage (Google Drive, iCloud, Dropbox), and any account with payment information.

Passkeys: The Future

Passkeys are a newer authentication technology that replaces passwords entirely. Instead of typing a password, you authenticate with your fingerprint, face, or device PIN. They're phishing-resistant by design and are being adopted by major platforms.

If a service offers passkeys, use them. They're more secure and more convenient than passwords.

The Critical Rule

Every account gets a unique, randomly generated password stored in a password manager. Every important account gets 2FA. No exceptions. No shortcuts.

This single chapter, fully implemented, prevents the vast majority of account compromises.

Next: the attacks that bypass passwords entirely.