
Identity

Passwords, passkeys and MFA: stop making memory do impossible work

The household does not need clever passwords. It needs unique passwords, passkeys where supported, MFA, and a recovery path that survives a dead phone.

Nigel version

Password manager first. Passkeys and security keys for the accounts that matter. Recovery sorted before the bad day.

Images (Wikimedia Commons): YubiKey 5C NFC security key; password manager concept; FIDO2 USB token.

Account-takeover path

Break the chain before email becomes the master key

Most household account disasters do not start with movie-hacker nonsense. They start with one reused password, then email, then everything email can reset. Unique passwords, passkeys, MFA and recovery codes put gates in that path.

Diagram: breached shop → email → bank / telco → cloud photos → social. Labels: backup codes; 1 takeover; gate still weak.

Login chain

A stolen or phished credential can still move toward email, cloud or money accounts.

Bad-day recovery

The phone is still the single way back in. That is fine until the phone is gone.

Explain the jargon

Small terms, big consequences

Tap a term for the plain-English version and the practical move. No fake mystique, just the bit that changes what you do at home.

Passkey

A phishing-resistant login tied to your device, password manager or hardware key. A fake login page cannot reuse it like a stolen password.

Do this: Turn passkeys on first for email, Apple/Google/Microsoft, banking and password-manager accounts where supported.
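Why a fake login page cannot reuse a passkey, as an added simulation that is not code from this page: the browser derives the relying-party ID from the page's real origin, the authenticator only holds a credential for the genuine site, and the site rejects any assertion minted for another origin or for a stale challenge. The domains are constructed, and HMAC stands in for the public-key signature a real authenticator produces.

```python
import hashlib, hmac, json, secrets
from dataclasses import dataclass, field

RP_ID = "bank.example"                 # constructed relying party (the real site's registrable domain)
RP_ORIGIN = "https://bank.example"     # the only origin the relying party accepts assertions from


@dataclass
class Authenticator:
    # Stands in for a phone, password manager or security key; one key per relying-party ID.
    creds: dict = field(default_factory=dict)   # rpId -> per-site key (HMAC stands in for a key pair)

    def register(self, rp_id: str) -> bytes:
        self.creds[rp_id] = secrets.token_bytes(32)
        return self.creds[rp_id]                # the relying party stores this as the credential record

    def assert_login(self, origin: str, challenge: bytes):
        rp_id = origin.split("://", 1)[1]       # browser derives rpId from the page origin, never from user input
        key = self.creds.get(rp_id)
        if key is None:
            return None                         # no passkey for this site, so a look-alike page gets nothing
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin}).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
        sig = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        return client_data, auth_data, sig


def verify_assertion(cred_key: bytes, expected_challenge: bytes, assertion) -> bool:
    """Relying-party side: reject anything not minted for our origin, our rpId and this challenge."""
    if assertion is None:
        return False
    client_data, auth_data, sig = assertion
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("origin") != RP_ORIGIN:
        return False                            # produced on some other origin: a phishing relay fails here
    if bytes.fromhex(cd.get("challenge", "")) != expected_challenge:
        return False                            # stale or reused challenge: replay fails
    if auth_data != hashlib.sha256(RP_ID.encode()).digest():
        return False                            # signed for a different relying-party ID
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


def demo() -> tuple:
    auth = Authenticator()
    cred_key = auth.register(RP_ID)
    challenge = secrets.token_bytes(16)        # the bank's fresh challenge, relayed verbatim by the fake page
    legit = verify_assertion(cred_key, challenge, auth.assert_login(RP_ORIGIN, challenge))
    phish_origin = "https://bank-login.example"
    nothing_to_steal = auth.assert_login(phish_origin, challenge) is None
    auth.register("bank-login.example")        # even if the user enrolled a passkey on the fake site...
    relayed = verify_assertion(cred_key, challenge, auth.assert_login(phish_origin, challenge))
    return legit, nothing_to_steal, relayed    # (True, True, False)
```

Contrast with a password: a fake page that captures the typed string can replay it against the real site, which is the chain the diagram above describes.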

Security key

A small FIDO2/U2F hardware key, such as a YubiKey, that proves you are present during login.

Do this: Buy two for high-value accounts: one daily key and one backup stored safely.

SMS MFA

A code sent by text message. Better than no MFA, but weaker than passkeys, security keys or authenticator apps because phone numbers can be socially engineered or ported.

Do this: Use SMS if it is the only option. Replace it for accounts that support stronger factors.

Do this

  • Prioritise email, Apple/Google/Microsoft, banking, telco, cloud storage and social accounts.
  • Put every important account into a reputable password manager with unique generated passwords.
  • Enable passkeys where supported and MFA everywhere important.
  • Use hardware security keys for high-value or admin accounts; enrol at least two.
  • Store backup codes and recovery instructions safely.

Check

  • Is email protected by MFA/passkey?
  • Are passwords unique?
  • Can recovery work without the main phone?
  • Are backup codes reachable?
  • Is SMS the only factor anywhere high value?

Avoid

  • Season+year+exclamation reuse.
  • Screenshots/notes/chat threads as a password system.
  • One phone as the only key back in.

Full guidance

More than a slide title

This page turns account security into an adoption sequence a family can actually finish.

Family adoption

The best vault is the one people use. Family sharing in 1Password, Bitwarden, Keeper or ecosystem vaults beats texting passwords around.

SMS caveat

SMS MFA is weaker than passkeys, security keys and authenticator apps, but it is still usually better than no MFA. Use it when it is the only option; replace it where you can.

Recovery before disaster

Set recovery contacts, print/store backup codes and record the password-manager recovery process while everyone is calm.

Scenario

Breached shop password

A reused shop password also works on webmail.

Better response

  • Change the email password first, from a clean device.
  • Revoke active sessions.
  • Replace reused passwords in priority order.

Worse habit

Changing only the breached shop and leaving email exposed.