Passwords & 2FA

A practical guide for protecting online accounts with strong passwords, a password manager, and two-factor authentication.

Passwords are like keys. If the same key opens every door, one stolen key becomes a big problem.

The goal is simple:

  • One account = one strong password
  • Important accounts = password + 2FA
  • Recovery codes = saved safely

Why passwords matter

Most people do not get hacked because someone "breaks into" their computer like in a movie.

Often the problem is simpler:

  • A website leaks passwords.
  • The same password was reused somewhere else.
  • An attacker tries that password on email, banking, social media, or cloud accounts.
  • One reused password opens many doors.

This is called credential stuffing.

That is why password reuse is dangerous.
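From the defender's side, credential stuffing has a recognisable shape in login logs: one source tries many different usernames in a short time, and most attempts fail. The script below is an added example, not part of the original guide; it runs over a few constructed log lines (not real data) and flags sources that fit that shape. Any success from a flagged source is the most important line in the report, because it usually means a reused password worked and that account should be reset.

```python
from collections import defaultdict

# Constructed sample auth log lines (not real data): timestamp, source IP, username, result.
SAMPLE_LOG = """\
2024-05-01T10:00:01 src=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:02 src=203.0.113.7 user=bob result=FAIL
2024-05-01T10:00:02 src=203.0.113.7 user=carol result=FAIL
2024-05-01T10:00:03 src=203.0.113.7 user=dave result=FAIL
2024-05-01T10:00:03 src=203.0.113.7 user=erin result=OK
2024-05-01T10:00:04 src=203.0.113.7 user=frank result=FAIL
2024-05-01T10:01:00 src=198.51.100.20 user=alice result=FAIL
2024-05-01T10:01:05 src=198.51.100.20 user=alice result=FAIL
2024-05-01T10:01:20 src=198.51.100.20 user=alice result=OK
"""


def parse_line(line: str):
    """Split one 'key=value' style log line into (source, username, result)."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return fields["src"], fields["user"], fields["result"]


def find_stuffing_sources(log_text: str, min_users: int = 5, max_success_ratio: float = 0.3):
    """Return {source: stats} for sources that tried many distinct usernames and mostly failed.

    Thresholds are assumed values for this example; tune them to your own traffic.
    A single user failing a few times against their own account (second source above)
    is a mistyped password, not stuffing, and is deliberately not flagged.
    """
    per_src = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, user, result = parse_line(line)
        stats = per_src[src]
        stats["users"].add(user)
        stats["attempts"] += 1
        if result == "OK":
            stats["ok"] += 1

    flagged = {}
    for src, stats in per_src.items():
        success_ratio = stats["ok"] / stats["attempts"]
        if len(stats["users"]) >= min_users and success_ratio <= max_success_ratio:
            flagged[src] = {
                "distinct_users": len(stats["users"]),
                "attempts": stats["attempts"],
                "successes": stats["ok"],
            }
    return flagged


if __name__ == "__main__":
    for src, stats in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{src}: {stats['distinct_users']} usernames, "
              f"{stats['attempts']} attempts, {stats['successes']} success(es)")
```

The same idea scales to real logs: group by source, count distinct usernames and the failure ratio, and alert on the combination rather than on failed logins alone.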


Password manager

A password manager stores your passwords safely so you do not have to remember all of them.

You only remember one strong master password.

Use a password manager for:

  • Websites
  • Apps
  • Email accounts
  • Server accounts
  • Admin panels
  • Recovery notes
  • 2FA recovery codes, if you choose to store them there

Master password

The master password protects everything inside the password manager.

It should be:

  • long
  • unique
  • not reused anywhere else
  • hard to guess
  • easy enough for you to remember

A good style is a passphrase.

Example idea:

  • four or more random words
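A passphrase is only strong if the words are chosen at random, not by you. As an added example (not code from the original guide), the script below picks words with the operating system's cryptographic random source and shows how much guessing entropy the result has. The word list is a constructed, deliberately tiny one so the example runs offline; the entropy numbers make the point that a real passphrase needs a large list (a 7776-word Diceware-style list is the usual choice).

```python
import math
import secrets

# Constructed, deliberately tiny word list so the example runs offline.
# Four words from a list this small are far too weak; see entropy_bits below.
SAMPLE_WORDS = [
    "copper", "violet", "lantern", "meadow", "saddle", "thunder",
    "pebble", "harbor", "quartz", "willow", "canyon", "ember",
]


def entropy_bits(n_words: int, list_size: int) -> float:
    """Bits of guessing entropy for n_words picked uniformly at random from list_size words."""
    return n_words * math.log2(list_size)


def generate_passphrase(n_words: int = 4, words=SAMPLE_WORDS, sep: str = "-") -> str:
    """Pick n_words uniformly at random using secrets (a CSPRNG), never random.choice."""
    if n_words < 4:
        raise ValueError("use four or more words")
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    print(generate_passphrase())
    print(f"{entropy_bits(4, len(SAMPLE_WORDS)):.1f} bits from this {len(SAMPLE_WORDS)}-word list")
    print(f"{entropy_bits(4, 7776):.1f} bits from a 7776-word list")
    print(f"{entropy_bits(6, 7776):.1f} bits from six words of a 7776-word list")
```

Four words from a 12-word list give about 14 bits, which a computer guesses instantly; four words from a 7776-word list give about 52 bits, and six words about 78, which is why the advice is "four or more random words" from a large list.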

Do not use:

  • your name
  • your birthday
  • your pet name
  • your street
  • your username
  • password123
  • small variations of old passwords

Good password habits

Use the password manager to generate random passwords.

Good:

  • one strong random password per account

Bad:

  • same password everywhere
  • same password with small changes
  • service name + year
  • old password reused again

Example of bad pattern:

  • Netflix2024!
  • Netflix2025!
  • Google2025!

These look different, but the pattern is easy to guess.


Account priority

Start with the accounts that can unlock other accounts.

Highest priority:

  • main email
  • password manager
  • banking
  • phone account
  • cloud storage
  • domain registrar
  • server admin accounts
  • social media admin accounts

If the main email is compromised, many other accounts can be reset.

If the password manager is compromised, many passwords are exposed.


Two-factor authentication

Two-factor authentication means login needs more than just a password.

Example:

  • password + app code
  • password + security key
  • password + confirmation on another device

This helps because a stolen password alone is not enough.


Types of 2FA

Common types:

  • Authenticator app
  • Security key
  • Passkey
  • Email code
  • SMS code
  • Backup codes

Better options:

  • security key
  • passkey
  • authenticator app

Weaker options:

  • SMS codes
  • email codes

SMS is better than nothing, but it is not the strongest option.


Authenticator apps

An authenticator app creates temporary codes.

Example:

  • 123456

The code changes after a short period of time.

Use it for:

  • Email
  • Password manager
  • Banking if supported
  • Cloud accounts
  • Social media
  • Admin accounts

Recovery codes

When enabling 2FA, many services give recovery codes.

These are emergency keys.

Save them safely.

Use recovery codes when:

  • phone is lost
  • authenticator app is gone
  • security key is unavailable
  • 2FA device is broken

Do not store recovery codes only on the same phone that has the authenticator app.


Passkeys

A passkey is a newer login method.

It can replace a password, or be used alongside one.

Passkeys are often safer because they are tied to the site they were created for, which makes them much harder to phish.

Useful for:

  • Google
  • Apple
  • Microsoft
  • GitHub
  • password manager accounts
  • important services

Still keep recovery options updated.


Password manager cleanup

Checklist:

  • Remove duplicate entries
  • Remove old unused accounts
  • Update weak passwords
  • Replace reused passwords
  • Add missing usernames
  • Add correct login URLs
  • Add notes only when useful
  • Check important accounts first
  • Enable 2FA where possible
  • Save recovery codes safely
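Most password managers can export the vault, and several of the checklist items above (reused passwords, weak passwords, the "service name + year" pattern from the bad-pattern section, missing usernames and URLs) can be checked mechanically. The script below is an added example, not code from the original guide or from any password manager. It audits a constructed sample vault (fake credentials) and returns the findings grouped by checklist item; the minimum length and the tiny blocklist are assumed policy values for the example.

```python
import re
from collections import defaultdict

# Constructed sample of a password-manager export; these are not real credentials.
SAMPLE_VAULT = [
    {"name": "Netflix", "url": "https://www.netflix.com", "username": "sam", "password": "Netflix2025!"},
    {"name": "Google", "url": "https://accounts.google.com", "username": "sam", "password": "Google2025!"},
    {"name": "Bank", "url": "https://bank.example", "username": "sam", "password": "Tq9#vLw2$bRp7Xn!eK4m"},
    {"name": "Forum", "url": "https://forum.example", "username": "sam", "password": "Tq9#vLw2$bRp7Xn!eK4m"},
    {"name": "Old shop", "url": "", "username": "", "password": "password123"},
]

# Assumed policy values for this example: a tiny blocklist and a minimum length.
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein"}
MIN_LENGTH = 14

# "ServiceName" + a four-digit year + optional trailing punctuation, e.g. Netflix2025!
SERVICE_YEAR = re.compile(r"^(?P<svc>[A-Za-z]+)(19|20)\d\d[!?.]*$")


def looks_like_service_plus_year(entry: dict) -> bool:
    """True when the password is the entry's own service name followed by a year."""
    m = SERVICE_YEAR.match(entry["password"])
    return bool(m) and m.group("svc").lower() == entry["name"].lower()


def audit_vault(entries: list) -> dict:
    """Group findings by checklist item: reused, service_plus_year, weak, missing_username, missing_url."""
    findings = defaultdict(list)
    by_password = defaultdict(list)

    for e in entries:
        by_password[e["password"]].append(e["name"])
        if looks_like_service_plus_year(e):
            findings["service_plus_year"].append(e["name"])
        if e["password"].lower() in COMMON_PASSWORDS or len(e["password"]) < MIN_LENGTH:
            findings["weak"].append(e["name"])
        if not e["username"]:
            findings["missing_username"].append(e["name"])
        if not e["url"]:
            findings["missing_url"].append(e["name"])

    # Reuse is the finding that matters most: one leak exposes every account in the group.
    for names in by_password.values():
        if len(names) > 1:
            findings["reused"].append(sorted(names))

    return dict(findings)


if __name__ == "__main__":
    for item, names in audit_vault(SAMPLE_VAULT).items():
        print(f"{item}: {names}")
```

Note that the bank password is long and random yet still shows up under "reused" because the forum shares it; a strong password that is used twice is still a problem, and that is the entry to fix first.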

Warning signs

Check immediately if:

  • you receive password reset emails you did not request
  • you see unknown login alerts
  • your email forwarding rules changed
  • your account recovery phone/email changed
  • you are logged out unexpectedly
  • friends receive strange messages from you
  • your password manager shows reused passwords

Simple rule

Use this rule:

  • Every account gets its own password.
  • Every important account gets 2FA.
  • Every recovery code is saved safely.

Personal checklist

  • Password manager installed
  • Master password is strong
  • Main email password is unique
  • Password manager has 2FA
  • Main email has 2FA
  • Important accounts have 2FA
  • Recovery codes are saved
  • Reused passwords are removed
  • Weak passwords are replaced
  • Old accounts are deleted or secured