10.2 Passwords, 2FA & Account Security
Module 10: Privacy in Practice — Individuals
Why passwords are a privacy issue, best practices for credential management, two-factor authentication options, and what to do after a breach.
Learning Material
Passwords are the primary barrier between your personal data and anyone who wants it without your permission. Account takeovers — where an attacker gains access to your account using stolen or guessed credentials — are one of the most direct routes to data exposure. A compromised email account, for example, gives an attacker access to password reset links for every other service you use. Account security is therefore inseparable from data privacy.
Why unique passwords matter
The most common attack method is credential stuffing: taking a list of usernames and passwords leaked from one breach and automatically testing them across hundreds of other sites. If you reuse passwords, one breach cascades into many. The solution is simple but requires effort: a unique password for every account. The 2024 Verizon Data Breach Investigations Report found that stolen credentials remain the most common initial access vector in data breaches.
Password managers
No one can memorise dozens of strong, unique passwords — nor should they try. Password managers (Bitwarden, 1Password, KeePass) generate and store complex credentials, autofill them on the correct sites, and alert you to reused or compromised passwords. Bitwarden is open-source and free. Storing passwords in your browser is better than reusing passwords, but inferior to a dedicated manager — browser password stores have weaker encryption and are less portable.
A strong password is at least 12 characters long and mixes uppercase and lowercase letters, numbers, and symbols. Passphrases (four random words strung together) are both long and memorable — and statistically harder to crack than complex short passwords.
Two-factor authentication (2FA)
Two-factor authentication adds a second check after your password — usually a one-time code you must provide within a short window. Even if an attacker has your password, they cannot access your account without the second factor.
The strongest common form is a TOTP authenticator app (Time-based One-Time Password): apps like Google Authenticator, Authy, or Aegis generate 6-digit codes that rotate every 30 seconds. The shared secret stays on your device and each code is computed locally rather than sent to you over the network, which makes these codes resistant to interception.
SMS 2FA (where a code is texted to your phone) is better than no 2FA — but weaker than TOTP. SIM-swapping attacks, where an attacker convinces your mobile carrier to transfer your number to their SIM card, can intercept SMS codes. Use TOTP wherever available.
Passkeys: the emerging successor
Passkeys replace the password + 2FA combination with a single cryptographic credential stored on your device, verified by biometrics or a PIN. Supported by Apple, Google, and Microsoft since 2022, passkeys are phishing-resistant by design — there is no password to steal or relay. Adoption is growing rapidly.
After a breach: what to do
If a service you use announces a breach, or Have I Been Pwned flags your email: (1) change the compromised password immediately on that site; (2) change it on any other site where you used the same password; (3) enable 2FA on the account; (4) revoke any third-party app access granted to the compromised account; (5) monitor your email for suspicious password reset requests.
Your takeaway
A password manager and a TOTP authenticator app together dramatically reduce your account takeover risk — and therefore your data exposure risk. These two tools are arguably the highest-return privacy investments available to individuals.