Strong passwords and two-step login
The two unglamorous tools that block almost every common attack on your accounts: a password manager and a real second factor. Plus the one account that controls all the others.
Most account takeovers happen because someone reused a password, picked an easy one, or relied on a phone number as their backup. Fixing those three things is not exciting. It is also the single highest-impact thing you can do this week for the security of your money.
This lesson is short on theory and heavy on what to do. The recommendations are the standard ones every serious security professional gives. They feel small, they take an evening to set up, and they quietly protect everything you log into.
Why reused passwords are dangerous
Every year, large companies get hacked and their password databases leak. There are now billions of leaked email + password pairs floating around the internet. If you use the same password on two sites, and one of those sites leaks, attackers will automatically try that pair on hundreds of other sites within hours.
This is called credential stuffing. It is fully automated, fully scaled, and it is how most "I got hacked out of nowhere" stories actually start. You do not need to be targeted. You just need to share a password with a service that got breached three years ago.
Use a password manager
A password manager is an app that stores a unique, random password for every site, locked behind one master password (and ideally a hardware key). 1Password and Bitwarden are the two standard choices. Bitwarden has a generous free tier. Whichever you pick, the rules are the same:
- Every site gets its own unique, randomly generated password. Never reuse.
- You only ever remember one password: the master one for the manager itself.
- The master password should be a long phrase you have never used anywhere else.
- Turn on two-factor login for the password manager itself.
- Write the master password down on paper, once, and store it somewhere safe at home. If you forget it, nobody can recover it.
The change is gradual. Start with your most important accounts (email, bank, exchanges) this week. As you log in to other sites in the coming months, update each one. Within a few months everything is rotated.
Two-step login: not all factors are equal
Two-step login (also called 2FA or "two-factor authentication") means logging in requires both your password and a second proof: usually a six-digit code. This blocks almost all attacks that rely on a leaked password alone.
But not every second factor is the same. There is a hierarchy:
- SMS to your phone: avoid when possible
- Authenticator app: much better
- Hardware security key: best for high value
SMS is the weak option
SMS-based 2FA sounds fine, but it has a quiet problem. Attackers can convince phone carriers to transfer your number to a new SIM card they control. This is called a SIM swap. It happens often enough that any account holding meaningful value should not depend on SMS as a second factor.
Authenticator apps are the right baseline
Apps like Google Authenticator, Authy, Aegis (Android), Raivo (iOS), or 1Password generate the six-digit codes on your phone without needing a network. They are immune to SIM swaps. When a site asks how you want to set up 2FA, "authenticator app" is the answer for almost every account that holds value.
Hardware keys are the gold standard
A physical USB key like a YubiKey is the strongest option. It is also overkill for most accounts. For email, exchanges, and large brokerages, it is a worthwhile $30–$50 upgrade. Buy two: one to use, one as a backup.
Your email is the master key
One account is more important than all the others combined: your email. If someone takes over your email, they can reset the password on every other account by clicking "forgot password" and reading the reset link from your inbox. Every other piece of security you set up assumes the email is safe.
So the email deserves the strongest setup you have. Unique long password. Authenticator app or hardware key as second factor. Recovery options reviewed (more on that below).
Recovery codes and backup options
When you turn on two-step login, the site will offer "recovery codes" or "backup codes." These are one-time-use codes that can log you in if you lose your phone. Save them somewhere they cannot be lost or stolen.
- Print them on paper and keep them in a drawer or safe.
- Or save them in your password manager (which is itself protected by 2FA).
- Never store them in plain text on your computer or in a regular email.
- Review them once a year so you actually have a path back if your phone breaks.
The 30-minute starter setup
If this all feels like a lot, here is the minimum that gives you most of the protection:
- Install a password manager (Bitwarden free, 1Password paid).
- Change your email password to a fresh, unique, random one stored in the manager.
- Install an authenticator app (Google Authenticator, Authy, Aegis, or Raivo).
- Turn on authenticator-app 2FA for your email and any financial accounts.
- Save the recovery codes somewhere offline.
Most attacks are stopped by something boring. The trick is doing the boring thing before you need it.
With your accounts behind a password manager and a real second factor, you have closed off most of the easy attack paths. The next lesson is about the attacks that no password manager can block: the human side, where someone messages you and convinces you to hand over what they need.