Passwords, Passkeys & MFA
Stolen and reused passwords are behind a huge share of all account hacks. The fixes are simple, free, and take an afternoon to set up — yet most people never do them. In this lesson you will build a rock-solid account-security foundation and use AI to walk you through every step on whatever devices you actually own.
What You'll Learn
- What makes a password strong (and why "complexity" is overrated)
- How password managers eliminate the hardest part of security
- What multi-factor authentication is and why it stops most attacks
- What passkeys are and why they may replace passwords entirely
What Actually Makes a Password Strong
For years we were told to use passwords like P@ssw0rd!, short but "complex." That advice was backwards. An attacker who steals a site's password database can test billions of guesses per second offline, and a short password is exhausted in moments no matter how many symbols it contains: swapping in a symbol only slightly widens the pool of characters, while each extra character multiplies the number of possibilities again. Substitution patterns like P@ssw0rd! are also the first thing cracking tools try. What defeats guessing is length, combined with real randomness.
A long passphrase of randomly chosen words, such as correct-horse-battery-staple-river, is both easier to remember and vastly harder to crack than Xk7!q. The words must come from a generator (every password manager has one), not from your own head: words you pick yourself are nowhere near random. The principles that matter:
- Length beats complexity. Aim for at least 16 characters; longer is better.
- Uniqueness beats everything. A different password for every account means one breach cannot cascade.
- Randomness matters. Avoid names, birthdays, pet names, and anything guessable from your social media.
Want to understand the math? Ask ChatGPT:
Explain to a beginner why a long passphrase is harder to crack than a short complex password. Use a simple analogy and avoid heavy math.
Password Managers: The Single Best Upgrade
Here is the catch with "use a unique 16-character password everywhere": no human can remember dozens of them. That is exactly the problem a password manager solves. It generates, stores, and auto-fills a unique strong password for every site. You remember one strong master password; it remembers the rest. Autofill brings a second benefit: the manager only offers a password on the site it was saved for, so a look-alike phishing page gets nothing, and the missing autofill prompt is itself a warning sign. Make the master password a long random passphrase, and turn on multi-factor authentication for the manager itself (covered below).
Reputable free options include Bitwarden and the password managers built into Apple, Google, and major browsers. Setting one up is the highest-impact hour you can spend on security.
Ask Claude to coach you through it:
Act as a security coach. Walk me through setting up Bitwarden as a complete beginner, step by step. Explain how to create a strong master password I can remember, and how to start moving my existing accounts into it safely.
Multi-Factor Authentication (MFA)
Multi-factor authentication, often called two-factor authentication (2FA), adds a second proof of identity beyond your password, so a stolen password on its own is no longer enough to get in. The factors are:
- Something you know — your password.
- Something you have — your phone, an authenticator app, or a security key.
- Something you are — your fingerprint or face.
Not all MFA is equal. From strongest to weakest:
- Hardware security keys (like a YubiKey) — strongest and phishing-resistant: the key only answers the genuine site it was registered with, so a fake login page gets nothing it can use.
- Authenticator apps (Google Authenticator, Microsoft Authenticator, Authy) — generate rotating codes from a secret shared at setup and your phone's clock, so they work with no signal. They defeat password theft outright, but a code typed into a convincing fake page can be relayed to the real site within its short lifetime, so check the address before you type one.
- SMS text codes — better than nothing, but vulnerable to "SIM-swap" attacks (an attacker persuades your carrier to move your number to their phone) and to the same relay trick. Use only if no better option exists.
The priority: turn on MFA for your email first (it is the master key that resets all your other accounts), then your password manager and banking, then social media. Ask Gemini:
Give me a prioritized, beginner-friendly checklist for turning on multi-factor authentication across my most important accounts. Recommend authenticator apps over SMS where possible, and explain why.
Passkeys: The Passwordless Future
You may have started seeing "passkeys" offered by Google, Apple, and others. A passkey replaces the password with a cryptographic key pair: the private half stays on your device (or syncs between your devices through your Apple or Google account) and is unlocked by your fingerprint, face, or PIN, while the site stores only the public half. There is nothing to type, nothing to phish, and nothing useful to leak in a breach, because a public key cannot be used to log in.
Passkeys are phishing-resistant by design: your browser only offers a passkey to the exact site it was created for, and what your device signs includes that site's address, so a look-alike domain cannot obtain a usable login. If a service offers a passkey, it is usually the most secure option available. To understand them, ask:
Explain passkeys to a complete beginner. How are they different from passwords, why are they considered more secure, and how do I start using them on my phone?
A Quick Hands-On Exercise
Pick your primary email account right now and do two things in the next twenty minutes:
- Ask ChatGPT: "Walk me through enabling authenticator-app-based two-factor authentication on [Gmail / Outlook / your provider], step by step for a beginner."
- Actually follow the steps and turn it on. Save the backup or recovery codes the service shows you somewhere safe (your password manager is a good place), so a lost phone does not lock you out of your own account.
Your email is the master key to your digital life — securing it is the most important single action in this entire course. Do it before you move on.
Your Homework for This Lesson
This week, install a password manager and turn on MFA for your three most important accounts (email, banking, primary social media). Use AI to coach you through each one. If you do only this homework and nothing else from the course, you will already be safer than the large majority of internet users.
Key Takeaways
- Password length beats complexity, and uniqueness beats everything — aim for 16+ character unique passwords.
- A password manager (like the free Bitwarden) generates and remembers unique passwords so you only memorize one.
- MFA adds a second factor so a stolen password alone cannot unlock your account; security keys beat authenticator apps, and authenticator apps beat SMS codes.
- Secure your email first — it is the master key that can reset all your other accounts.
- Passkeys replace passwords with a device-stored key unlocked by biometrics, and are phishing-resistant by design.