// module 02

Passwords & MFA

Building strong, unique passwords and adding a second layer of protection to your accounts.

Why Passwords Fail

Most people know they should use strong passwords. Most people do not. According to surveys by password management companies and security researchers, the most commonly used passwords in the world are still "123456," "password," "qwerty," and "123456789." Millions of people use their pet's name, their birthday, or the word "password" with a few numbers tacked on the end. Attackers know this, and they exploit it relentlessly.

The biggest problem with passwords is not that people choose weak ones — it is that people reuse them. The average person has over 100 online accounts, but most people rotate among three to five passwords for all of them. This means that when one website suffers a data breach and your password is exposed, every other account that uses the same password is also compromised. Attackers do not have to guess your password — they already have it from the last breach.

This is called credential stuffing. Here is how it works: a website gets hacked, and the database of usernames and passwords is stolen. That database is then sold or shared on criminal forums. Attackers use automated tools to try every stolen username-and-password combination on hundreds of other websites — Gmail, Facebook, Amazon, your bank — at a rate of thousands of attempts per second. If you used the same email and password on the breached site and your bank, the attacker is now in your bank account. This is not theoretical — credential stuffing attacks happen constantly and are responsible for billions of unauthorized login attempts every year.
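The pattern described above (one source trying a long list of different usernames in a short burst, with almost every attempt failing) is also what makes credential stuffing detectable on the receiving side. The following is an added example, not part of the original module: it runs a simple sliding-window detector over a constructed sample of login-log lines in an assumed format, and reports which accounts the replayed credentials actually worked on, since those are the users whose reused password now needs a forced reset.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not real data). Assumed line format:
# "<ISO timestamp> ip=<address> user=<name> result=<ok|fail>"
SAMPLE_LOG = """\
2025-01-10T09:00:00 ip=203.0.113.5 user=alice result=fail
2025-01-10T09:00:00 ip=203.0.113.5 user=bob result=fail
2025-01-10T09:00:01 ip=203.0.113.5 user=carol result=ok
2025-01-10T09:00:01 ip=203.0.113.5 user=dave result=fail
2025-01-10T09:00:02 ip=203.0.113.5 user=erin result=fail
2025-01-10T09:00:02 ip=203.0.113.5 user=frank result=fail
2025-01-10T09:00:03 ip=203.0.113.5 user=grace result=fail
2025-01-10T09:00:03 ip=203.0.113.5 user=heidi result=fail
2025-01-10T09:00:04 ip=203.0.113.5 user=ivan result=fail
2025-01-10T09:00:04 ip=203.0.113.5 user=judy result=fail
2025-01-10T09:05:00 ip=198.51.100.7 user=alice result=fail
2025-01-10T09:05:20 ip=198.51.100.7 user=alice result=fail
2025-01-10T09:05:45 ip=198.51.100.7 user=alice result=ok
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")


def parse_log(text: str):
    """Return (timestamp, ip, user, succeeded) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), ip, user, result == "ok"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=1),
                               min_distinct_users=5, max_success_ratio=0.2):
    """Flag source IPs that try many *different* usernames inside `window` with
    mostly failures: the signature of a tool replaying a breached list. One
    person retrying a forgotten password (one user, few attempts) is not flagged.
    The few successes are accounts whose reused password was just confirmed."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    findings = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1                       # slide the window forward
            chunk = attempts[start:end + 1]
            users = {u for _, u, _ in chunk}
            hits = [u for _, u, ok in chunk if ok]
            if len(users) >= min_distinct_users and len(hits) / len(chunk) <= max_success_ratio:
                findings[ip] = {"distinct_users": len(users), "attempts": len(chunk),
                                "compromised": sorted(hits)}
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['attempts']} attempts on {info['distinct_users']} users; "
              f"force a reset on: {info['compromised']}")
```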

Even if you do not reuse passwords, a weak password can be cracked through brute force — which means a computer tries every possible combination until it finds yours. A simple six-character password made of lowercase letters can be cracked in seconds. An eight-character password with mixed case and numbers might take hours. But a 16-character password with random words? That could take thousands of years, even with the most powerful computers available today. Length is the single most important factor in password strength.

The common response to this problem — corporate password policies that require uppercase letters, numbers, and special characters — has actually made things worse. When people are forced to create passwords like "P@ssw0rd!" or "Summer2025!", they think they have created something strong, but these patterns are extremely predictable. Attackers have dictionaries of these common substitutions and patterns. A password like "Tr0ub4dor&3" is far weaker than a simple four-word phrase like "correct horse battery staple" — despite looking more complex to a human eye.

The bottom line: if you are using the same password on more than one site, or if your passwords are shorter than 12 characters, your accounts are significantly more vulnerable than they need to be. The good news is that fixing this problem is easier than you might think.


How to Build a Strong Password

Forget everything you have been told about requiring uppercase letters, numbers, and symbols. The single most important factor in password strength is length. A long password made of simple words is far stronger than a short password packed with special characters. Security researchers and organizations like NIST (the National Institute of Standards and Technology) now recommend passphrases over complex short passwords.

The passphrase method

A passphrase is a password made of four or more random words strung together. For example: "maple kitchen rocket eleven" or "sunset camera dolphin library." These are easy to remember because your brain naturally creates a mental image of the words together, but they are extremely difficult for computers to crack because of their length. A four-word passphrase is typically 20+ characters long, which makes brute-force attacks impractical.

password-strength.txt
[WEAK] P@ssw0rd! — cracked in seconds
[WEAK] Summer2025! — cracked in minutes
[OKAY] j7$kL9m!xQ — cracked in hours
[GOOD] maple kitchen rocket eleven — centuries
[GOOD] sunset camera dolphin library — centuries
 
[INFO] Length beats complexity. Every time.

Rules for strong passwords

  • Minimum 12 characters — 16 or more is better. Four random words will typically get you to 20+ characters naturally.
  • Use truly random words. Do not use a famous quote, song lyric, or predictable phrase. "I love you forever" is a terrible passphrase because it is common. Use unrelated words: "bicycle trumpet gravel moon."
  • Never include personal information. Your name, birthday, pet's name, address, phone number, or anniversary are all easy for an attacker to find through social media or data breaches. If it is on your Facebook profile, it should not be in your password.
  • Every account gets its own password. This is the most important rule. No matter how strong your password is, if you use it on two sites and one of them gets breached, both accounts are compromised.
  • Do not use common substitutions. Replacing "a" with "@" or "o" with "0" adds almost no security. Attackers already account for these patterns.

How to generate a passphrase

Open a dictionary (physical or online), close your eyes, and point to four random words. Or use a passphrase generator like the one at useapassphrase.com. The key is that the words should be random — not chosen because they are meaningful to you. Your brain will create a story to link them together, making them memorable without making them predictable.
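To put numbers behind "length beats complexity" and the generation method above, here is an added example (not code from the module or from useapassphrase.com) that computes password and passphrase strength in bits, converts it to crack time under two constructed guess rates, and draws words from a small constructed list with the OS random generator. The strength of a passphrase comes from how it was generated (word count and list size), not from how long or complex the string looks, which the naive meter figure at the end illustrates.

```python
import math
import secrets

# Small constructed word list for the demo. Real generators draw from a large
# list such as the 7776-word (6^5) diceware lists, giving ~12.9 bits per word.
DEMO_WORDLIST = ["maple", "kitchen", "rocket", "eleven", "sunset", "camera",
                 "dolphin", "library", "bicycle", "trumpet", "gravel", "moon",
                 "lantern", "compass", "marble", "forest"]
DICEWARE_LIST_SIZE = 7776

# Constructed guess rates for two threat models (assumptions; real figures vary
# by orders of magnitude with the hash algorithm, salting and hardware).
ONLINE_GUESSES_PER_SEC = 100.0    # rate-limited login form
OFFLINE_GUESSES_PER_SEC = 1e10    # leaked database of fast, unsalted hashes

def random_password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password whose characters are chosen uniformly at random."""
    return length * math.log2(alphabet_size)

def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of a passphrase of words drawn uniformly from a known list. It
    grows with the number of words, not with how many letters they contain."""
    return word_count * math.log2(wordlist_size)

def naive_character_bits(text: str, alphabet_size: int = 27) -> float:
    """What a strength meter reports if it treats the passphrase as random
    lowercase letters and spaces. An attacker who knows the word list needs
    far fewer guesses, so the honest figure is passphrase_bits()."""
    return random_password_bits(len(text), alphabet_size)

def crack_time_seconds(bits: float, guesses_per_sec: float) -> float:
    """Time to try the whole space at the given rate (on average, half this)."""
    return 2 ** bits / guesses_per_sec

def human_time(seconds: float) -> str:
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"

def generate_passphrase(word_count: int = 4, wordlist=DEMO_WORDLIST) -> str:
    """Choose words with the OS CSPRNG (secrets), never the random module."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))

if __name__ == "__main__":
    cases = [("6 lowercase letters", random_password_bits(6, 26)),
             ("8 chars, upper+lower+digits", random_password_bits(8, 62)),
             ("4 diceware words", passphrase_bits(4, DICEWARE_LIST_SIZE)),
             ("6 diceware words", passphrase_bits(6, DICEWARE_LIST_SIZE))]
    for label, bits in cases:
        online = human_time(crack_time_seconds(bits, ONLINE_GUESSES_PER_SEC))
        offline = human_time(crack_time_seconds(bits, OFFLINE_GUESSES_PER_SEC))
        print(f"{label:28s} {bits:5.1f} bits  online: {online:>20s}  offline: {offline}")
    phrase = generate_passphrase(4)
    print(f"{phrase!r}: meter says {naive_character_bits(phrase):.0f} bits, "
          f"real strength {passphrase_bits(4, len(DEMO_WORDLIST)):.0f} bits from this tiny list")
```

Adding two words to a passphrase multiplies the attacker's work by the list size squared, which is why the table's last row dwarfs every character-based row.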

Password Managers: Your New Best Friend

"But I have over a hundred accounts — I can't possibly remember a unique password for each one." You are right. And you do not have to. That is exactly what a password manager is for.

A password manager is a secure digital vault that stores all of your passwords in one encrypted place. You create one strong master password to unlock the vault, and the password manager remembers everything else. When you visit a website, the password manager automatically fills in your username and password. When you create a new account, it generates a strong, random password for you. You never have to remember, type, or even see any individual password — the manager handles all of it.

Think of it like a physical safe for your valuables. Instead of hiding your jewelry in twenty different places around your house (and forgetting where you put half of it), you put everything in one safe with a single strong lock. The safe is purpose-built to resist break-ins. Your passwords are encrypted using the same type of cryptography that protects government secrets and bank transactions. Even the password manager company itself cannot read your passwords — only your master password can decrypt them.

Recommended free options

You do not need to spend money to use a good password manager. Here are three trustworthy options that are free:

  • Bitwarden — Free and open source. Works on every platform: Windows, Mac, Linux, iOS, Android, and every major browser. The free tier includes unlimited passwords across unlimited devices. This is the best option for most people because it works everywhere and is independently audited for security.
  • Apple Keychain (iCloud Passwords) — Built into every iPhone, iPad, and Mac. If you are entirely within the Apple ecosystem, this works seamlessly with zero setup. It also has a Windows app now. The downside is that it is less full-featured than dedicated managers and is most useful if all your devices are Apple.
  • Google Password Manager — Built into Chrome and Android. If you use Chrome as your primary browser and have an Android phone, this is the easiest option to start with since it is already there. Like Apple Keychain, it works best if you are within one ecosystem (Google/Chrome).

How to get started: step by step

  1. Choose a password manager. If you are not sure, start with Bitwarden — it is free, works everywhere, and is highly recommended by security professionals.
  2. Install it. Download the app on your phone and the browser extension on your computer. For Bitwarden, go to bitwarden.com and follow the download links for your devices.
  3. Create your master password. This is the one password you will need to remember. Make it a strong passphrase — four or more random words, at least 16 characters. Write it down on paper and store it somewhere safe (like a locked drawer), not on your computer. This is the only password you should ever write down.
  4. Start saving your passwords. As you log into your accounts over the next few days, your password manager will offer to save each one. Accept the prompt. Over a week or two, your vault will naturally fill up with all your accounts.
  5. Change your most important passwords first. Start with your email, bank, and any accounts that hold sensitive information. Let the password manager generate strong, unique passwords for each. You do not need to do all 100+ accounts at once — prioritize and work through them gradually.

Common concern

"Isn't it risky to put all my passwords in one place?" It is a fair question. The answer is that a properly encrypted password manager is far safer than the alternative — which is reusing weak passwords across dozens of sites. The password manager encrypts your data so that even if the provider's servers were breached, attackers would get only encrypted data they cannot read without your master password. Using a password manager with one strong master password is like upgrading from a cardboard box to a steel safe.

What Is Multi-Factor Authentication?

Even the strongest password in the world is not enough if it gets stolen in a data breach or intercepted by malware. That is where multi-factor authentication (MFA) comes in — also called two-factor authentication (2FA) or two-step verification. MFA adds a second layer of proof that you are really you, on top of your password.

The concept is simple: instead of relying on just something you know (your password), MFA requires you to also prove your identity with something you have (your phone, a hardware key) or something you are (a fingerprint, face scan). Even if an attacker steals your password, they cannot log into your account without also having your phone or your fingerprint. It is like a front door that requires both a key and a fingerprint scan — having one without the other is not enough to get in.

Types of MFA, from basic to best

mfa-methods.txt
[BASIC] SMS text codes — better than nothing
[GOOD] Authenticator apps — recommended for most
[BEST] Hardware security keys — strongest option
 
[INFO] Any MFA is vastly better than no MFA.

SMS text codes are the most common form of MFA. After entering your password, the website sends a six-digit code to your phone via text message. You type in the code to complete the login. This is better than having no MFA at all, but it has a known weakness: an attack called SIM swapping, where a criminal convinces your phone carrier to transfer your phone number to a new SIM card they control. Once they have your number, they receive your text codes. Despite this vulnerability, SMS MFA still blocks the vast majority of automated attacks.

Authenticator apps are the recommended option for most people. Apps like Google Authenticator, Microsoft Authenticator, or Authy generate a time-based code that changes every 30 seconds. The code is generated entirely on your device — it is never sent over a network, which means it cannot be intercepted through SIM swapping or phone number hijacking. The setup is simple: you scan a QR code once, and the app generates codes for that account from then on. These apps are free and available for both iPhone and Android.

Hardware security keys like YubiKey or Google Titan are small physical devices that plug into your computer's USB port or communicate wirelessly via NFC. They are the strongest form of MFA available because they are immune to phishing — the key verifies the actual website's identity, so even if you were on a fake site, the key would refuse to authenticate. Hardware keys are excellent for anyone who wants the highest level of security, but they are not required for most people. They typically cost $25–50 and are worth considering for your most important accounts.

How MFA works in practice

Here is what the experience looks like day to day: you go to log into your email. You type your password as usual. The website then asks for your second factor. You open your authenticator app, see a six-digit code that is valid for the next 25 seconds, type it in, and you are logged in. The whole process adds about five seconds. Most services also offer a "remember this device" option so you only need the second factor when logging in from a new device or location — meaning you rarely have to enter the code on your personal computer or phone after the first time.
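The six-digit, 30-second codes described here and in the authenticator-app paragraph above are TOTP (RFC 6238), built on HOTP (RFC 4226). The following is an added example, not code from the module or from any of the apps named: it generates the code the way the phone does, decodes the Base32 secret the QR code carries, and shows the server-side check, which tolerates one step of clock drift either way and compares in constant time. The Base32 secret is a constructed demo value.

```python
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30   # seconds per code, as described above
DIGITS = 6       # length of the displayed code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' of the 20-byte digest down to a short decimal code."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                     # low nibble selects a 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS, step: int = TIME_STEP) -> str:
    """TOTP (RFC 6238): HOTP with the counter = number of 30-second steps since
    the Unix epoch. Phone and server compute it independently; nothing is sent
    to the phone, which is why SIM swapping does not help against it."""
    return hotp(secret, unix_time // step, digits)


def decode_base32_secret(text: str) -> bytes:
    """The QR code carries the shared secret as Base32 text. Tolerate the
    spaces, lowercase and missing '=' padding that apps commonly show."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify_totp(secret: bytes, submitted: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Server-side check: accept the current code and one step either side so a
    phone clock a few seconds off still works. Compare in constant time."""
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp(secret, unix_time + delta * TIME_STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo secret, NOT a real account's; the same value would be
    # stored by the server and enrolled into the app by scanning the QR code.
    secret = decode_base32_secret("JBSW Y3DP EHPK 3PXP")
    now = int(time.time())
    code = totp(secret, now)
    print(f"current code {code}, valid for {TIME_STEP - now % TIME_STEP} more seconds")
    print("server accepts it:", verify_totp(secret, code, now))
```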

The impact

According to Google, adding any form of MFA to your account blocks over 99% of automated attacks. Microsoft reports similar numbers. MFA is the single most effective thing you can do to protect your accounts after using a strong, unique password. It turns a stolen password from a crisis into a non-event.

How to Set Up MFA

Setting up MFA is straightforward and usually takes less than five minutes per account. The exact steps vary slightly depending on the service, but the general process is the same everywhere. Here is a walkthrough:

General setup process

  1. Log into the account you want to protect. Start with your email — it is the most important account to secure because it is how you reset passwords for everything else.
  2. Go to your account settings. Look for a section called "Security," "Login & Security," "Sign-in & Security," or "Privacy & Security." This is where MFA settings live on every major platform.
  3. Find the two-factor or multi-factor option. It might be labeled "Two-Step Verification," "Two-Factor Authentication," "2FA," or "MFA." Click to enable it.
  4. Choose your method. Select "Authenticator app" if available (recommended). The site will show you a QR code.
  5. Open your authenticator app and scan the QR code. If you are using Google Authenticator or Microsoft Authenticator, tap the "+" button, then "Scan QR code," and point your camera at the code on screen. The app will immediately start generating six-digit codes for that account.
  6. Enter the code to confirm. The website will ask you to type in the current code from your app to verify that everything is working.
  7. Save your backup codes. Most services provide a set of one-time backup codes — typically 8 to 10 codes — that you can use if you lose access to your authenticator app (for example, if you lose your phone). Write these down on paper and store them somewhere safe, like with your important documents. Do not skip this step.

Protect these accounts first

You do not need to set up MFA on every account at once. Prioritize these, in this order:

  1. Your primary email account (Gmail, Outlook, Yahoo, etc.) — this is the master key to everything
  2. Your bank and financial accounts — where your money lives
  3. Social media accounts (Facebook, Instagram, etc.) — high-value targets for impersonation
  4. Cloud storage (Google Drive, iCloud, Dropbox) — may contain sensitive documents
  5. Shopping accounts (Amazon, PayPal) — have your payment methods saved

If you lose your phone

This is why backup codes are essential. If you lose or break your phone and cannot access your authenticator app, you will need those backup codes to log into your accounts. Once you are back in, you can set up MFA again on a new device. Some authenticator apps (like Authy and Microsoft Authenticator) also offer cloud backup of your codes, which makes switching devices easier — but backup codes on paper remain the most reliable fallback.

Common Mistakes

Even people who use passwords and MFA can undermine their own security through a few common habits. Avoiding these mistakes is just as important as having a strong password in the first place.

Using SMS for everything

SMS codes are better than no MFA at all, but they are the weakest form of multi-factor authentication. The specific risk is SIM swapping: a criminal calls your phone carrier, pretends to be you, and convinces them to transfer your phone number to a new SIM card. Once they have your number, they receive all your text messages — including your MFA codes. This attack has been used to steal millions of dollars in cryptocurrency and to take over high-profile social media accounts. For your most important accounts (email, banking), use an authenticator app instead of SMS whenever the option is available.

Writing passwords on sticky notes

A sticky note on your monitor, a note on your desk, or a password written in a notebook that sits next to your computer defeats the purpose of having a password. Anyone who walks by — a coworker, a visitor, a cleaning crew member, a roommate — can see it. If you absolutely must write down a password (like your master password for your password manager), store it in a locked drawer or a physical safe, separate from your computer. Better yet, memorize your master passphrase and keep a written backup only in a truly secure location.

Sharing passwords

Sharing your Netflix, Spotify, or Amazon password with family or friends feels harmless, but it increases your exposure. Every person who has your password is another potential point of failure — they might save it in a browser that gets compromised, share it with someone else, or use it on a phishing site without realizing it. If you need to share access to an account, use the sharing features built into your password manager (Bitwarden has a free "Send" feature, for example) or use the account's built-in family/sharing plan.

Using the same password "with slight variations"

Many people think they are being clever by using "MyPassword1" for one site, "MyPassword2" for another, and "MyPassword3" for a third. Attackers are not fooled by this. When they obtain one of your passwords in a breach, they automatically try variations — adding or changing the last character, swapping numbers, appending the site name. Passwords like "chase_MyPassword" and "gmail_MyPassword" are trivial to derive once any single version is exposed. Truly unique means having no relationship between passwords for different accounts. Let your password manager generate them.

Not saving backup codes

When you enable MFA, most services give you a set of one-time backup codes. Many people skip this step or dismiss it. Then, when their phone breaks, gets lost, or is factory-reset, they are locked out of their own accounts with no way back in. Recovery without backup codes can take days or weeks, often requiring photo ID verification, waiting periods, and sometimes never succeeding at all. Write your backup codes on paper, label which account they are for, and store them in a safe place. This takes two minutes and can save you from a catastrophic lockout.

Never checking if your data has been breached

Many people assume they have never been affected by a data breach. The reality is that almost everyone has had their email and password exposed in at least one breach. The website haveibeenpwned.com, run by security researcher Troy Hunt, lets you enter your email address and see which data breaches have included your information. If your email appears in a breach, any password you were using on that site at the time of the breach should be considered compromised and changed immediately — along with any other account where you used that same password.


What to Do Right Now

These five actions will transform your account security from vulnerable to resilient. Each one builds on the last, and all five can be completed in under an hour:

Your password & MFA checklist

  1. Install a password manager. Go to bitwarden.com and create a free account. Install the browser extension on your computer and the app on your phone. If you prefer Apple Keychain or Google Password Manager and are already in that ecosystem, those work too — the important thing is to start using one today.
  2. Create a strong master password. Use the passphrase method: four or more random, unrelated words, at least 16 characters total. Example: "lantern compass marble forest." Write it down on paper and store it somewhere secure, separate from your computer. Memorize it over the next few days and keep the paper as a backup.
  3. Enable MFA on your email account. Go to your email provider's security settings and enable two-step verification. Choose "authenticator app" as your method. Download Google Authenticator or Microsoft Authenticator if you do not already have one. Save the backup codes on paper. This single step protects the master key to your entire digital life.
  4. Enable MFA on your bank account. Log into your bank's website or app, go to security settings, and turn on two-factor authentication. If authenticator app is an option, choose it. If only SMS is available, enable that — it is far better than nothing.
  5. Check haveibeenpwned.com. Enter your email address. If any of your accounts appear in a data breach, change those passwords immediately using your new password manager to generate strong, unique replacements. This takes five minutes and is eye-opening — most people discover they have been in multiple breaches without knowing it.