02
14 min read · 6 briefings

Lock Your Accounts

One password manager, one good MFA setup, one hardened recovery path — checkmate, bots.

01 Why Passwords Fail

Passwords fail because of an impossible job description: be long and random, be different for every account, never be written down, and be memorized by a human brain. Nobody can do this for the hundred-plus accounts modern life demands. So people compromise the only way they can — reuse — one decent password (plus variations) across everything.

Now add breaches. Sites get hacked constantly, and their credential databases leak. Those leaks get merged into combo lists holding billions of email-password pairs. Then comes credential stuffing: bots take the list and try every pair against every valuable site — banks, email providers, retailers — at machine speed. If your LinkedIn password from an old breach matches your current email password, a bot discovers that within hours of the list circulating.

Read the mechanism carefully, because it reassigns the blame: your accounts don't fall because someone guessed cleverly, and not because you were targeted. They fall because some other company got breached, and reuse turned their incident into your incident. Password strength doesn't even enter into it — a magnificent 30-character passphrase, reused, is one breach away from public.

Signal boost: The rule that matters most is not 'strong passwords.' It is 'unique passwords.' Uniqueness contains breaches; strength just delays cracking. You want both, but if you fix only one thing, fix reuse.

02 The Manager Move

A password manager resolves the impossible job description by deleting the memorization requirement. It generates a long random password for every account, stores them all in an encrypted vault, and fills them automatically. You memorize exactly one thing: the master passphrase. One strong secret guarding a hundred perfect ones beats a hundred weak, reused secrets — that's the whole trade, and it's lopsided in your favor.

The standard objection: "isn't that a single point of failure?" Reasonable question, three-part answer. First, reputable managers use end-to-end encryption — the vault is encrypted with keys derived from your master passphrase, so even the vendor can't read it; a thief needs both your vault and your master. Second, you already have a single point of failure — your email account — except it's guarding everything while protected by a password you chose in 2014. Third, the realistic alternative isn't a hundred memorized unique passwords; it's reuse, which is a hundred points of failure.

Bonus defense nobody advertises enough: autofill is phishing-resistant. Your manager fills credentials only on the exact domain it saved them for. On a lookalike domain, it silently offers nothing — a machine-precision check on a thing humans are terrible at, namely reading URLs under pressure.

Field tip: Don't migrate a hundred accounts in one heroic evening — you'll quit. Install the manager, move your top ten by blast radius (email first, then banks), and let the rest migrate naturally as you log in over the coming weeks.

03 Passphrases and the Entropy Intuition

Your master passphrase is the one secret you still memorize, so make it strong the smart way. Strength is measured in entropy — roughly, how many guesses an attacker needs. The intuition to install: entropy grows slowly with complexity but explosively with length and randomness.

Compare two candidates. Tr0ub4dor! looks tough, but it's a dictionary word with predictable substitutions — patterns cracking software tries early. Attackers don't guess character-by-character; they guess human habits: word plus year, capital first, exclamation last. Complexity theater defeats none of that.

Now take four-to-six words chosen genuinely at random from a large word list — the diceware method, the idea behind the famous XKCD "correct horse battery staple" comic. Each random word from a few-thousand-word list adds substantial entropy; five of them yields a search space measured in quintillions, comfortably beyond realistic offline cracking. And it's memorable, because your brain stores images and stories far better than symbol soup.

The one non-negotiable: the words must come from actual randomness — dice, or your manager's generator — not from your head. Your favorite song lyric, your kids' names, anything meaningful to you is exactly what a motivated guesser (or a bot fed your social media) tries first. Random or nothing.

And to be clear about scope: this artisanal effort is for the master passphrase and maybe your computer login. Every other password should be machine-generated gibberish you never see.

04 MFA, Ranked

Multi-factor authentication means the password alone isn't enough — a second proof is required. Any MFA beats none by a wide margin; a large 2019 study by Google with NYU and UCSD found that adding even SMS challenges blocked essentially all automated bot attacks. But the flavors are not equal:

MethodStrengthWeakness
SMS codesStops bots and most bulk phishingVulnerable to SIM swapping and real-time phishing relay
Authenticator app (TOTP)No SIM to steal; codes generated on-deviceStill phishable — you can be tricked into typing the code into a fake site
Hardware key / passkeyPhishing-resistant by designCosts a little setup effort (keys cost money; passkeys don't)

The gap that matters is the last row. SMS and TOTP produce codes that you can be socially engineered into surrendering — a fake login page happily accepts your real code and replays it. Hardware keys and passkeys perform a cryptographic exchange bound to the website's true identity; there is no code to steal, and the key simply won't authenticate to an impostor domain. The human can't be tricked into something the protocol makes impossible.

About SIM swapping, since it's why SMS ranks last: attackers persuade or bribe carrier staff to move your number to their SIM, then receive your codes. It's a social engineering attack on the carrier, not on you — set a PIN or port-freeze on your mobile account to raise the cost.

Priority order: email and finance first, best method each account offers, SMS only when it's the only option — it still beats nothing.

05 Passkeys, Plainly

Passkeys are the industry's replacement for passwords, built on the FIDO2/WebAuthn standards and now supported by Apple, Google, Microsoft, and a fast-growing share of major sites. Here's the plain-language version of what happens.

When you create a passkey, your device generates a matched pair of cryptographic keys. The public key goes to the website; the private key never leaves your device (or your synced keychain). At login, the site sends a one-time challenge; your device signs it with the private key after you unlock with fingerprint, face, or PIN; the site verifies the signature with its public copy. Watch what never happened: no secret traveled over the network, and the site stores nothing worth stealing — a breached server yields only public keys, useless to attackers.

The quiet superpower is phishing resistance. The signature is cryptographically bound to the genuine site's identity, so a pixel-perfect fake login page gets nothing — there's no password to type, no code to relay, nothing for the con to con. Entire categories of attack simply don't apply.

Common worries, answered: your biometric never leaves your device — it only unlocks the key locally. Losing your phone isn't lockout, because passkeys sync through your platform account (itself recoverable) and sites let you register multiple. Adoption is the honest current limitation, so the practical setup today is a password manager for everything, passkeys layered on wherever offered — email and bank first.

06 Recovery Paths: The Skeleton Key Problem

Attackers read login screens the way burglars read houses: ignore the reinforced door, check the windows. The windows are recovery paths — "forgot password" flows, security questions, backup emails, SMS resets. Your effective security is the security of your weakest recovery path, not your strongest login. A passkey-protected account that resets via an old Yahoo address is a passkey-protected account with a Yahoo-grade lock.

Walk your perimeter:

  • Fortify the root. Your primary email terminates most reset chains, so it gets your best everything: strongest MFA available, and check which other address can reset it — secure that one too, or remove it.
  • Purge stale doors. Audit recovery emails and phone numbers on your important accounts. That defunct address from two jobs ago? If its provider recycles usernames, someone can register it and inherit your resets.
  • Lie to security questions. Your mother's maiden name is in public records; your first pet is on Instagram. Treat security questions as extra passwords: answer with random strings, store them in your manager. Nothing requires truth — only consistency. This one move also neutralizes most OSINT-driven recovery attacks.
  • Save the recovery codes. When you enabled MFA, the site offered one-time backup codes. Store them in your manager or print them — they're the difference between a lost phone being an errand and being a catastrophe.
  • PIN your carrier account. That's the anti-SIM-swap move, protecting every account that still leans on your number.

One focused hour, once a year. It's the least glamorous work in this track and quite possibly the highest-value.

Field Glossary

Credential stuffing
Automated replay of leaked email-password pairs against many sites, converting one company's breach into account takeovers everywhere the password was reused.
Password manager
An encrypted vault that generates, stores, and autofills unique passwords, reducing your memorization burden to a single master passphrase.
Entropy
A measure of a secret's unpredictability — how many guesses it survives. Grows explosively with length and true randomness, barely at all with decorative complexity.
TOTP
Time-based one-time passwords from an authenticator app. Stronger than SMS (no SIM to hijack) but still phishable, since users can be tricked into relaying codes.
Passkey
A FIDO2/WebAuthn credential using public-key cryptography: the private key stays on your device, nothing phishable crosses the network, and breached servers yield nothing useful.
SIM swapping
Socially engineering a mobile carrier into moving a victim's number to the attacker's SIM, intercepting calls and SMS codes. Countered by carrier PINs and non-SMS MFA.

Knowledge Check

Field Assessment

0 / 3

01 What actually enables most account takeovers via credential stuffing?

02 Why do hardware keys and passkeys rank above authenticator-app codes?

03 Why should you give fictional answers to security questions?

ESC
↑↓ navigate jack in