Introduction

Securing accounts

Most break-ins to an account do not start with a hacked system, but with a stolen or guessed password. In this module you will learn how to protect your accounts in three layers: a strong and unique password, two-factor authentication, and, where possible, a passkey.

What you will learn in this module
  • Why a strong, unique password is the foundation, and how a password manager makes that easy
  • How two-factor authentication (2FA) protects your accounts even if your password leaks
  • What passkeys are and why they are even more secure than a password with 2FA
The basics

Strong, unique, and not something you have to memorize

A good password meets three simple rules:

  • Long: at least 12 to 14 characters. Length beats complexity. A passphrase of four random words, such as table-dog-coffee-blue, is stronger than a short password.
  • Unique per account: never use the same password on more than one site or service.
  • Not guessable: avoid your name, year of birth, your dog’s name, or your company name.
Why reuse is so dangerous

If one website is hacked and you used the same password there as on your email or your bank, those are open too. Attackers automatically try leaked email-and-password combinations on hundreds of other services. That is called credential stuffing.

Password manager

A password manager does the work for you

No one can remember dozens of strong, unique passwords by heart. That is what a password manager is for: a program or app that stores all your passwords securely encrypted and fills them in automatically on websites and apps. You only need to remember one strong master password. On most devices there is already a built-in Passwords app (from Apple, Microsoft, and Google). Alongside these there are dedicated apps like Bitwarden, 1Password, and Dashlane.

  • It generates strong passwords and remembers them for you.
  • It fills them in automatically, on your phone too.
  • You only remember the master password, and you give that one extra protection.
  • It warns you if a password has leaked or is reused.
You probably already have one

On most devices a built-in Passwords app is ready to go: Apple has the Passwords app, Microsoft offers it via Edge and the Authenticator app, Google via Chrome. No install, no extra account: you can have strong, unique passwords generated and stored today without remembering a single one. That also solves reuse straight away, because you never need to use a password twice. If you want more, you can always switch to a dedicated tool like Bitwarden or 1Password.

Read more in the knowledge base: Passwords, best practice

A password manager is, for most people, the biggest difference between secure and insecure accounts. Read in the knowledge base how to choose one and use it well.

Two-factor authentication

2FA: one extra step, a world of difference

Two-factor authentication (2FA) adds a second step alongside your password: usually a code in an app, a fingerprint, or a physical key. Even if someone knows your password, they cannot get in without that second step.

2FA is a feature of the service, not of you

2FA only works if the service or software you use offers it. You cannot install it yourself if a supplier does not support it. So make it a standard criterion when choosing software, especially for applications with customer or staff data: does it support 2FA? If not, look elsewhere.

Not every form of 2FA is equally strong:

  • SMS code: by far the most common form and a big step up from a password alone.
  • Authenticator app (like Google Authenticator, Microsoft Authenticator, or the app from your password manager): a step stronger again, and handy when your device briefly has no signal.
  • Passkey: the strongest. A cryptographic key on your device, not phishable, and used in one tap. More about this on the next slide.
Turn it on everywhere you can

Start with your most important accounts: your email (because email lets anyone reset your other passwords), your bank, your work systems, your social media. Ten minutes of work per account, and the difference in protection is large.

Passkeys

Passkeys: the best, and increasingly available

A passkey is a passwordless login: instead of a password, your device stores a cryptographic key, which you unlock with your fingerprint, face, or device PIN. There is no longer a password you can type or hand over. The passkey is also tied to the real domain of the service, which means phishing does not work.

  • Nothing to remember or type: your phone or laptop proves it is you.
  • Phishing does not work: the passkey is tied to the real domain. A fake website looks the same but gets no access.
  • Quick sign-in, often in one tap.
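
What "tied to the real domain" means on the service's side, as an added example that is not part of the original course material: with passkeys (WebAuthn), the browser records the origin of the page in the sign-in response and the authenticator includes a hash of the domain it was registered for, and the service rejects any response where these do not match its own. The domains, the challenge and the function names are constructed for this example, and the signature check that follows these steps is left out.

```python
import base64
import hashlib
import hmac
import json

FLAG_USER_PRESENT = 0x01  # bit 0 of the flags byte in authenticator data


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_binding(client_data_json: bytes, auth_data: bytes,
                  expected_origin: str, rp_id: str, challenge: bytes) -> list:
    """Return the names of the failed checks; an empty list means the
    response was produced for this service and this sign-in attempt.
    Verifying the signature over auth_data + SHA-256(client_data_json)
    is a separate step that is not shown here."""
    failures = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failures.append("type")
    sent = str(client.get("challenge", "")).encode()
    if not hmac.compare_digest(sent, b64url(challenge).encode()):
        failures.append("challenge")          # stale or replayed response
    if client.get("origin") != expected_origin:
        failures.append("origin")             # page was not served by us
    if len(auth_data) < 37:                   # 32 hash + 1 flags + 4 counter
        return failures + ["auth_data_length"]
    rp_hash = hashlib.sha256(rp_id.encode()).digest()
    if not hmac.compare_digest(auth_data[:32], rp_hash):
        failures.append("rp_id_hash")         # credential scoped to another domain
    if not auth_data[32] & FLAG_USER_PRESENT:
        failures.append("user_present")
    return failures


def sample_assertion(origin: str, rp_id: str, challenge: bytes):
    """Constructed sample of the two fields a browser and authenticator return."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge)}).encode()
    flags = bytes([0x05])                     # user present + user verified
    auth = hashlib.sha256(rp_id.encode()).digest() + flags + (7).to_bytes(4, "big")
    return client, auth
```

A response produced on a lookalike page carries that page's origin and domain hash, so both checks fail no matter how convincing the page looked to the user.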

More and more major services support passkeys: Google, Microsoft, Apple, banks, email and office suites. If the service offers you a passkey, accept it.

Password or passkey?

A passkey replaces your password on that service, or sits alongside it. As long as there is still a password, you keep it strong and unique, and add 2FA. The combination of passkey plus a strong fallback is the most secure approach today.

What do you do?

The ladder of account security

Suppose four colleagues protect their work email each in a different way. Which one is best secured?

Four colleagues sign in to their work email every morning. Each does it in a different way.

Which account is best secured?

Strong enough?

Which password is strong enough?

You have to choose a new password for an important service. Which one is the strongest?

Pick the strongest password.

Practice · question 1 of 2
Just practice, this does not count toward your certificate
Why is reusing passwords so dangerous?
Correct: this is called credential stuffing. One leaked combination of email and password is automatically tested on hundreds of other services. A unique password per account, managed by a password manager, breaks that chain.
Practice · question 2 of 2
What is true about two-factor authentication (2FA)?
Correct: 2FA adds a second step alongside your password, for example a code in an authenticator app or a physical key. An attacker with only your password cannot get in. An authenticator app is stronger than an SMS code.
Summary

What you take away from module 2

  • A strong password is above all a long password: length beats complexity. A passphrase of four random words is excellent.
  • Every password unique per account. Reuse is the biggest mistake, because one leak opens all your other accounts.
  • A password manager remembers, generates, and fills in your passwords. You only remember the master password.
  • 2FA is the biggest jump in protection. Turn it on for your email, bank, work, and social media. An authenticator app is stronger than SMS.
  • A passkey is the best option: nothing to remember or type, and phishing does not work. Accept one wherever it is offered.
Module complete

Module 2 complete 🎉

Your accounts are sturdier. In module 3 we zoom out to the access and the systems around those accounts: only what is needed, and everything up to date.

2 of 6 modules

On your way to your “Security awareness” certificate

Complete all 6 modules and pass the final exam (at least 70%) to receive a personal certificate of attendance in your name.
