
Identity

Passwords, passkeys and MFA: stop making memory do impossible work

The household does not need clever passwords. It needs unique passwords, passkeys where supported, MFA, and a recovery path that survives a dead phone.

Short version

Password manager first. Passkeys and security keys for the accounts that matter. Recovery sorted before the bad day.

If you only do one thing, start here

Start with the two master keys: protect email and the password manager with strong MFA/passkeys, then write down how to recover both if the main phone is gone.

Done when

You can answer this without guessing: Could you recover email and the password manager if the main phone was lost tonight?

If you have five more minutes

  • Prioritise Apple/Google/Microsoft, banking, telco, cloud storage, government/tax, health, school and social accounts next.
  • Enable passkeys where supported and MFA everywhere important; do not make one phone the only passkey and recovery path.

Account-takeover path

Break the chain before email becomes the master key

Most household account disasters do not start with movie-hacker nonsense. They start with one reused password, then email, then everything email can reset. Unique passwords, passkeys, MFA and recovery codes put gates in that path.

Chain diagram: breached shop, email, bank / telco, cloud photos, social, backup codes.

Breach reuse

The shop breach does not unlock email.


Email gate

MFA adds a gate before email becomes the master key.


Money and cloud

Weak login gates can still spill into money, telco or photos.


Way back in

The phone is still the only way back in if things go sideways.

Login chain

A stolen or phished credential can still move toward email, cloud or money accounts.

Bad-day recovery

The phone is still the single way back in. That is fine until the phone is gone.

Teaching model, not a scan: these toggles do not inspect your home. Treat amber or red results as prompts for a real check on the device, account, router or family process they describe.

Explain the jargon

Small terms, big consequences

Tap a term for the plain-English version and the practical move. No fake mystique, just the bit that changes what you do at home.

Passkey

A phishing-resistant login tied to your device, password manager or hardware key. A fake login page cannot reuse it like a stolen password.

Do this: Turn passkeys on first for email, Apple/Google/Microsoft, banking and password-manager accounts where supported, with recovery planned: backup key, recovery contact, backup code or another trusted device.

Security key

A small FIDO2/U2F hardware key, such as a YubiKey, that proves you are present during login.

Do this: Buy two for high-value accounts: one daily key and one backup stored safely.

SMS MFA

A code sent by text message. Better than no MFA, but weaker than passkeys, security keys or authenticator apps because phone numbers can be socially engineered or ported.

Do this: Use SMS if it is the only option. Replace it for accounts that support stronger factors. While SMS remains in use, harden the mobile account too: account PIN/password, port-out or SIM-swap lock where offered, and extra ID checks for store or support changes.

Do this

  • Start with the two master keys: protect email and the password manager with strong MFA/passkeys, then write down how to recover both if the main phone is gone.
  • Prioritise Apple/Google/Microsoft, banking, telco, cloud storage, government/tax, health, school and social accounts next.
  • Enable passkeys where supported and MFA everywhere important; do not make one phone the only passkey and recovery path.
  • Use hardware security keys for high-value or admin accounts; enrol at least two.
  • Store backup codes and recovery instructions somewhere reachable on a bad day, not only in the phone or account you are trying to recover.

Check

  • Could you recover email and the password manager if the main phone was lost tonight?
  • Are passwords unique?
  • Are backup codes reachable?
  • Is email protected by MFA/passkey?
  • Is SMS the only factor on any high-value account?

Avoid

  • Season+year+exclamation reuse.
  • Screenshots/notes/chat threads as a password system.
  • One phone as the only key back in.

Self-check questions

Questions that expose the real habit

Use these quick checks to find the next practical fix. The useful answer is not perfect security; it is whether the safer path is obvious when someone is tired, embarrassed or in a hurry.

Email master-key check

If someone got into your main email tonight, which accounts could they reset before breakfast?

Good sign: Email has unique password, passkey or strong MFA, recovery codes, no mystery forwarding rules, and recovery details that do not depend on one phone.

Watch for: If email is protected worse than shopping accounts, the reset chain is upside down.

Lost-phone rehearsal

Could you recover email, the password manager and banking if the main phone fell in the ocean?

Good sign: Backup codes, a second security key, trusted recovery contact or documented recovery route exists before the phone is gone.

Watch for: A phone-only setup feels simple until the phone is the thing missing, stolen or ported.
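As an added, constructed example (not part of the CyberSafe@Home page), this toy model encodes the takeover chain from the Account-takeover path section and the lost-phone rehearsal above: which accounts fall from one breached shop password, and which are recoverable only from the phone. The account names, password labels, reset paths and the rule that a strong factor blocks an email-driven reset are assumptions of the model, not facts about any real service.

```python
from dataclasses import dataclass

STRONG = {"app", "passkey", "key"}  # factors a ported number or fake login page does not beat

@dataclass
class Account:
    name: str
    password: str                        # constructed label only, never a real secret
    mfa: str = "none"                    # "none", "sms", "app", "passkey" or "key"
    reset_via: tuple = ()                # accounts whose control can reset this one
    recovery: frozenset = frozenset()    # where factors and recovery codes live

def takeover_reach(accounts, breached, telco="telco"):
    """Accounts reachable from one breached password. Model assumptions: a shared
    password opens an account with no MFA (or SMS MFA once the telco account is
    owned); a controlled reset account opens any target lacking a strong factor."""
    taken = {breached}
    changed = True
    while changed:
        changed = False
        for a in accounts.values():
            if a.name in taken:
                continue
            shared = any(accounts[t].password == a.password for t in taken)
            gate_open = a.mfa == "none" or (a.mfa == "sms" and telco in taken)
            reset = any(r in taken for r in a.reset_via) and a.mfa not in STRONG
            if (shared and gate_open) or reset:
                taken.add(a.name)
                changed = True
    return taken

def phone_only(accounts, device="phone"):
    """Accounts whose every factor and recovery route lives on one device."""
    return {a.name for a in accounts.values() if a.recovery == {device}}

def household(hardened):
    """Constructed sample household before and after the fixes on this page."""
    email_pw, email_mfa = ("vault-unique-1", "passkey") if hardened else ("Summer2024!", "none")
    recovery = frozenset({"phone", "paper codes"} if hardened else {"phone"})
    accts = [
        Account("shop", "Summer2024!"),                                  # breached retailer
        Account("email", email_pw, email_mfa, (), recovery),            # the master key
        Account("telco", "Summer2024!", "app" if hardened else "none", ("email",)),
        Account("bank", "vault-unique-2", "sms", ("email",), recovery),
        Account("photos", "vault-unique-3", "passkey", ("email",), frozenset({"phone"})),
        Account("social", "vault-unique-4", "none", ("email",)),
    ]
    return {a.name: a for a in accts}
```

Before hardening, the shop breach reaches email, telco, bank and social while the passkey-protected photos account holds; after hardening only the shop itself falls, and the phone-only check still flags photos because its passkey and recovery live on one device.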

Shared-password cleanup

Which passwords still live in chats, notes, screenshots or someone's memory because they are 'only' for family accounts?

Good sign: Shared accounts move into a family vault with unique passwords and a named recovery owner; personal email, banking, school, healthcare, work and identity accounts are not shared.

Watch for: Low-value password habits migrate. The same screenshot-and-reuse pattern eventually reaches email, telco or money.

Scenario

Breached shop password

A reused shop password also works on webmail.

Better response

  • Change email first from a clean device
  • Revoke sessions
  • Replace reused passwords by priority

Worse habit

Changing only the breached shop and leaving email exposed.

New phone, old recovery mess

The main phone is lost and every account wants a code sent to that phone.

Better response

  • Use stored recovery codes or backup keys
  • Recover email and password manager first
  • Check telco account controls
  • Update recovery methods while calm

Worse habit

Trying random reset flows until accounts lock or recovery alerts train everyone to click through.

Why this advice holds

The details behind the advice

Account security gets easier when the family follows a practical sequence and knows how to recover.

  1. Family adoption

    The best vault is the one people use. Family sharing in 1Password, Bitwarden, Keeper or ecosystem vaults beats texting passwords around. Ecosystem vaults are fine when everyone uses that ecosystem and recovery/export are understood; mixed households may need a dedicated family password manager.

  2. Account priority order

    Do email first, then Apple/Google/Microsoft, password manager, banking, telco, cloud storage, government/tax, health, school, social media and shopping. Email and phone numbers sit behind the reset buttons for everything else, so they do not belong at the bottom of the list.

  3. SMS caveat

    SMS MFA is weaker than passkeys, security keys and authenticator apps, but it is still usually better than no MFA. Use it when it is the only option; replace it where you can. If SMS is unavoidable, protect the mobile account with an account PIN/password, port-out or SIM-swap lock where offered, safe recovery details and extra ID checks for store or support changes.

  4. Recovery before disaster

    Set recovery contacts, print/store backup codes and record the password-manager recovery process while everyone is calm. Passkeys are excellent when recovery is planned; do not make one phone the only passkey, MFA device and recovery path. A lost phone should be annoying, not the start of losing email, bank access and cloud photos in one ugly chain.