Two security measures account for 98% of online account security:
- Password Manager — unique, long passwords for each account
- 2FA (Two-Factor Authentication) — second verification step
Together: even with your password, a scammer cannot access your account. This guide explains how to set up both layers.
Part 1: Password Manager
Why It's Needed
- Most people use 1-3 passwords for all accounts — one breach = everything compromised
- Memorized passwords are typically weak (name + year, "password123")
- Password managers remember thousands of unique passwords for you
- Most have a password generator — creates random 16-32 character passwords
Recommended Password Managers (2026)
Bitwarden (RECOMMENDED)
- Free — full functionality (most competitors' free tiers lack 2FA or cross-device sync)
- Open source — audited code
- Apps: Windows, Mac, Linux, iOS, Android, browser extensions
- End-to-end encryption — even Bitwarden does not know your passwords
- Premium: $10/year — adds hardware key support, recovery
- Family: $40/year for 6 people
1Password
- Paid ($36/year individual, $60 family)
- Best UX
- Strong sharing for families
- Travel Mode — removes sensitive passwords before travel
Apple Passwords / iCloud Keychain
- Free for Apple users
- Works perfectly with Safari + iOS
- Weaker cross-platform (if you use Windows)
Google Password Manager
- Free for Chrome users
- Okay for basic needs
- Less secure than dedicated options (Google has access)
NOT RECOMMENDED (2026)
- LastPass — several serious breaches in 2022-2023. Lost trust.
- Passwords saved in the browser without Chrome / Safari sync — easy to steal
How to Set Up Bitwarden (5 Minutes)
- Go to bitwarden.com
- Create an account — strong master password (crucial! if you forget, you lose everything)
- Install the browser extension (Chrome / Firefox / Safari / Edge)
- Install the mobile app
- Enable 2FA on Bitwarden (crucial — if someone gets your master password, 2FA protects)
- Start importing passwords from the browser / old manager (Bitwarden has import wizards)
- Gradually replace weak passwords with newly generated ones
Master Password — The Most Important
This is the only password you need to remember. Requirements:
- Minimum 20 characters
- Easy to remember (passphrase, not random)
- Example: "MotorcykleKochamWdrodzeOd2003"
- Or: 4-5 random words: "tygrys-stół-ogórek-kometa-66"
- DO NOT use anywhere else
- Write it down on paper in a safe (analog backup)
Part 2: 2FA (Two-Factor Authentication)
What It Is
Two steps for logging in:
- Password (something you know)
- Second step (something you have — phone, key, biometrics)
Even if a scammer has your password, they cannot log in without the second step.
Types of 2FA — From Worst to Best
❌ SMS 2FA (Worst)
- Requires: phone number, SMS
- Weakness: SIM swap attack — a scammer takes over your number with T-Mobile/Verizon/AT&T
- Better than nothing, but avoid if possible
⚠️ Email 2FA (Average)
- Requires: email
- Weakness: if email is compromised → everything is compromised
✅ Authenticator App (GOOD)
- Apps: Google Authenticator, Authy, Microsoft Authenticator, Bitwarden Authenticator
- Generates 6-digit codes that refresh every 30 seconds
- Works offline (once configured)
- Cannot be intercepted like SMS
✅✅ Hardware Key (BEST)
- Physical USB / NFC key: YubiKey, Google Titan
- Insert/touch for authorization
- Practically impossible to intercept remotely
- Recommended for: bank accounts, cryptocurrencies, government accounts
- Price: $20-50 (YubiKey 5C ~$50)
- Buy 2 — one for use, one as a backup
✅✅ Passkeys (Latest Technology, 2024+)
- No password — login via Face ID / Touch ID / Windows Hello
- The passkey's private key is stored in the secure chip of your phone; there is no password to steal
- Syncs via iCloud / Google
- Safer than password + 2FA combined
- Growing support: Apple, Google, Microsoft, Amazon, eBay, PayPal
What to Enable 2FA On — Priorities
LEVEL 1 — Critical (Immediately)
- Main Email — Gmail, Outlook, iCloud. Whoever controls your email can use "forgot password" to reset everything else.
- Bank Account — Chase, Wells Fargo, BoA, PSFCU
- Password Manager — the most important!
- Apple ID / Google Account — controls the rest
LEVEL 2 — Important (This Week)
- Social Media: Facebook, Instagram, TikTok, LinkedIn
- Cloud Storage: iCloud, Google Drive, Dropbox, OneDrive
- Streaming: Netflix, Disney+, Spotify (a scammer can resell access to the account)
- Shopping: Amazon, eBay, Etsy
- USCIS Account — my.uscis.gov
- IRS Account — id.me
- Polish Accounts — gov.pl, ePUAP, Polish banking
LEVEL 3 — Useful (When You Find Time)
- Any other platform you use
- Forum / gaming / hobby accounts
Recovery Codes — CRUCIAL
When you enable 2FA, most services give you recovery codes — 8-10 one-time codes in case you lose your phone.
- WRITE them down somewhere safe (e.g. in the notes field of your password manager)
- Or print + safe
- Without these codes — losing your phone = losing your account PERMANENTLY
How to Enable 2FA — Examples
Gmail / Google
- Go to myaccount.google.com/security
- "2-Step Verification" → Start
- Add phone number (as backup)
- Select "Authenticator app" → configure (Google Authenticator or Authy)
- Add hardware key (if you have a YubiKey)
- Save recovery codes
- Menu → Settings → Security and Login → Two-Factor Authentication
- Select "Authentication App"
- Scan QR code to Authenticator
- Save recovery codes
Bank — PSFCU Example
- Login to online banking
- Settings → Security → Multi-Factor Authentication
- Select "Authenticator App" (if available) or "Text Message"
- Configure
Apple ID
- iPhone → Settings → [Your Name] → Sign-In & Security
- Two-Factor Authentication → Turn On
- Apple automatically uses your trusted devices
- You can add hardware keys (two are required; iOS 16.3 and later)
SIM Swap Attack — The Most Dangerous Attack on 2FA
A scammer convinces T-Mobile/Verizon/AT&T to transfer your number to their SIM card. They then receive all your SMS 2FA codes.
How to Defend Against It
- Set a "Port Out PIN" with your carrier — required for number transfer
- T-Mobile: 1-800-937-8997, give them a 6-digit PIN
- Verizon: set "Account PIN" in My Verizon
- AT&T: set "Account passcode"
- Avoid SMS 2FA for critical accounts — use Authenticator
- Hardware key for the most critical
Phishing-resistant 2FA
Only 2 types of 2FA are phishing-resistant:
- Hardware keys (YubiKey)
- Passkeys
Others (SMS, Authenticator codes) can be defeated by sophisticated phishing: the scammer's fake page simply asks you for the current 2FA code and relays it. A hardware key or passkey checks the site's domain before it answers, so a look-alike domain gets nothing it can use.
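To show what "verify the domain" means in practice, here is a constructed Python model of the passkey (WebAuthn) login check; it is an added example, not code from the guide or from any passkey library, and an HMAC tag stands in for the real public-key signature so it runs with the standard library alone. The names bank.example, bank-example.com and the per-site key are made up.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

# Constructed toy model of the WebAuthn/passkey origin check (added example, not library code).
# An HMAC tag stands in for the passkey's public-key signature so this runs with the stdlib only.
RP_ID = "bank.example"              # relying-party id the passkey was registered for (made up)
RP_ORIGIN = "https://bank.example"  # origin the genuine site expects to find in clientDataJSON
PASSKEY_KEY = b"constructed-per-site-passkey-secret"

def rp_id_matches_origin(rp_id: str, origin: str) -> bool:
    """Browser rule: rp_id must equal the origin's host or be a registrable suffix of it."""
    host = urlparse(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)

def authenticator_sign(rp_id: str, browser_origin: str, challenge: str):
    """Authenticator: signs the challenge together with the origin the browser actually
    loaded, and refuses outright if that origin does not belong to rp_id."""
    if not rp_id_matches_origin(rp_id, browser_origin):
        return None
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": browser_origin}, sort_keys=True)
    rp_id_hash = hashlib.sha256(rp_id.encode()).hexdigest()
    tag = hmac.new(PASSKEY_KEY, (rp_id_hash + client_data).encode(), hashlib.sha256).hexdigest()
    return {"clientDataJSON": client_data, "rpIdHash": rp_id_hash, "signature": tag}

def relying_party_verify(challenge: str, assertion) -> bool:
    """Server: the signature must cover OUR challenge and OUR origin, so an assertion
    relayed from a look-alike domain carries the wrong origin and is rejected."""
    if assertion is None:
        return False
    data = json.loads(assertion["clientDataJSON"])
    if data["challenge"] != challenge or data["origin"] != RP_ORIGIN:
        return False
    if assertion["rpIdHash"] != hashlib.sha256(RP_ID.encode()).hexdigest():
        return False
    signed = (assertion["rpIdHash"] + assertion["clientDataJSON"]).encode()
    expected = hmac.new(PASSKEY_KEY, signed, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])

def login_via(browser_origin: str) -> bool:
    """One login: the real RP issues a fresh challenge, the page at browser_origin (genuine
    site or a relaying look-alike) obtains the authenticator's answer and forwards it."""
    challenge = secrets.token_urlsafe(32)
    return relying_party_verify(challenge, authenticator_sign(RP_ID, browser_origin, challenge))
```

A relayed SMS or Authenticator code carries no trace of the page it was typed into, so the server cannot tell the two cases apart; the assertion above carries the origin, and the check fails.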
Common Mistakes
- No 2FA on email — email controls all reset links
- SMS-only 2FA on bank — SIM swap = loss of money
- Unwritten recovery codes — losing your phone = losing your account
- The same Authenticator seed (identical 6-digit codes) in several apps — usually fine, but if one of them, e.g. Microsoft Authenticator, syncs to the cloud, check how that backup is encrypted
- Authenticator without backup — losing your phone = all 2FA lost. Authy has cloud backup (with a password). Google Authenticator (since 2023) also has sync.
- Weak master password for password manager — a chain is only as strong as its weakest link
Security Checklist 2026
- ☐ Master password for password manager (20+ characters)
- ☐ 2FA on password manager
- ☐ Unique passwords for each account
- ☐ 2FA (preferably Authenticator) on: email, bank, Apple/Google, USCIS, IRS
- ☐ Recovery codes saved securely
- ☐ SIM Port Out PIN with carrier
- ☐ Hardware key on critical accounts (optional)
- ☐ Credit freeze (separate matter — see [[identity-theft-i-freeze-credit-jak-sie-zabezpieczyc]])
- ☐ IRS IP PIN
- ☐ USPS Informed Delivery
Official Links
- Bitwarden | 1Password
- YubiKey | Google Titan
- CISA — Secure Our World
- FTC — 2FA Guide
- FIDO Alliance — Passkeys
Related: [[phishing-2026-fake-irs-uscis-bank-jak-rozpoznac]] · [[identity-theft-i-freeze-credit-jak-sie-zabezpieczyc]] · [[ai-voice-scam-wnuczek-w-trudzie-jak-rozpoznac]]