Guides/Passwords-and-Account-Security/Guide.md

# Passwords and Account Security

---

### 1. Goal

This guide covers practical account security: password managers, two-factor authentication, recovery codes, and safer login habits.

The goal is simple: one leaked password should not unlock your whole life.

---

### 2. Use a Password Manager

Use a dedicated password manager instead of reusing passwords or storing everything in notes.

Good password rules:

* every important account gets a unique password;
* passwords should be long and randomly generated;
* do not reuse email passwords anywhere;
* do not share password manager vault access casually;
* export an emergency backup only if you can store it safely.

If you can remember every password, they are probably too weak or reused.

---

### 3. Recommended Apps

Pick one password manager and actually use it everywhere.

* **Bitwarden:** best default recommendation for most people. It is open source, cross-platform, and easy to use on desktop, mobile, and browser extensions.
* **KeePassXC:** best fit for people who want an offline encrypted vault file and do not want cloud sync by default.
* **Aegis Authenticator:** good Android authenticator app for time-based one-time passwords.
* **2FAS:** good cross-platform authenticator option with mobile apps and browser helper support.
* **YubiKey or similar security key:** strongest option for accounts that support hardware keys.

Official links:

* Bitwarden: `https://bitwarden.com`
* KeePassXC: `https://keepassxc.org`
* Aegis: `https://getaegis.app`
* 2FAS: `https://2fas.com`
* Yubico: `https://www.yubico.com`

---

### 4. Turn on Two-Factor Authentication

Enable two-factor authentication for:

* email;
* banking;
* domain registrar;
* cloud storage;
* social accounts;
* password manager;
* server dashboards;
* developer accounts.

Prefer authenticator apps or hardware security keys over SMS when possible.

SMS is better than no second factor, but it is not the strongest option.

---

### 5. Account Priority

Secure accounts in this order:

1. Primary email.
2. Password manager.
3. Phone carrier account.
4. Banking and payment accounts.
5. Domain registrar and hosting accounts.
6. Cloud storage.
7. Social accounts.
8. Shopping accounts.

The order matters because email, phone numbers, domains, and cloud storage often control password resets for everything else.

---

### 6. Save Recovery Codes

When a service gives recovery codes:

1. Save them immediately.
2. Store them somewhere separate from your phone.
3. Label which account they belong to.
4. Do not post them in chats or screenshots.
5. Replace them if you think they were exposed.

Recovery codes are effectively backup passwords.

---

### 7. Secure Your Email First

Your email account resets other accounts, so it needs extra care.

Checklist:

* unique strong password;
* two-factor authentication;
* recovery email and phone reviewed;
* old app passwords removed;
* forwarding rules checked;
* logged-in devices reviewed;
* recovery codes saved.

If email is compromised, most other accounts can be taken over through password resets.

---

### 8. Watch for Phishing

Before logging in:

* check the domain;
* avoid sponsored search results for important accounts;
* use bookmarks for admin panels and banking;
* do not trust urgency by itself;
* do not enter codes into links sent by strangers;
* verify unexpected login emails from inside the account, not from the email link.

Phishing works by rushing you. Slow down on login pages.

---

### 9. Account Review Routine

Every few months:

1. Review password manager weak/reused passwords.
2. Rotate passwords for critical accounts if needed.
3. Remove old devices and sessions.
4. Remove unused connected apps.
5. Confirm recovery email and phone are current.
6. Confirm recovery codes are stored safely.

Security is easier when cleanup is routine instead of emergency.