Password Security

Explore & Discover

Billions of passwords have been stolen from websites you probably use. Go to haveibeenpwned.com right now and type in your email address — it tells you if your accounts have been part of a real data breach. No login required, it's completely safe. Read through a few of the breach descriptions and notice what information got exposed. Then check out the Cybersecurity and Infrastructure Security Agency (CISA) page at cisa.gov/secure-our-world to see what the US government says about protecting accounts. You're ready for the next step when you can explain what a data breach is and name at least one website that has had a breach.

Learn the Basics

Most passwords people use are shockingly easy to crack. Visit howsecureismypassword.net and test a few passwords — try "password123", your pet's name, your school's name. See how fast a computer could crack them. Then learn the difference between a weak and a strong password: length matters more than complexity, and random word combinations like "purple-tractor-Utah-7" are both memorable and strong. Read the National Institute of Standards and Technology (NIST) password guidelines summary at pages.nist.gov — they changed the rules and most people don't know it. You're ready for the next step when you can explain why "Tr0ub4dor&3" is actually weaker than "correct-horse-battery-staple".

Build Your First Project

Now build your own password security system. Set up a free password manager — Bitwarden (bitwarden.com) is open source, free forever, and trusted by security professionals worldwide. Create an account, install the browser extension, and import or manually add five of your real accounts. Generate a unique, random password for each one using Bitwarden's built-in generator. Turn on two-factor authentication (2FA) for at least two accounts — Gmail and your school login are good places to start. The Bitwarden help docs at bitwarden.com/help walk you through every step. You're ready for the next step when you have five accounts stored in Bitwarden with unique generated passwords.

Experiment & Iterate

Dig deeper by auditing all your accounts and fixing the weak spots. Open Bitwarden and run the "Vault Health Reports" — it will flag reused passwords, weak passwords, and accounts found in breaches. Fix every flagged account by generating a new unique password. Then research different types of 2FA: SMS text codes, authenticator apps (like Aegis on Android or Raivo on iPhone), and physical security keys. Authenticator apps are much safer than SMS — set one up for your most important account. The Electronic Frontier Foundation at ssd.eff.org has a free security guide written for regular people. You're ready for the next step when your Vault Health Report shows zero reused or weak passwords.

Advanced Techniques

Get into advanced account protection strategies. Research passkeys — the new technology that replaces passwords entirely using your fingerprint or face. Google, Apple, and many Utah-based companies are already switching to them. Set up passkeys on any accounts that support it (github.com is a great one to try). Then learn about account recovery: what happens if you lose your 2FA device? Set up backup codes and store them safely. Read the security blog at blog.1password.com for real-world stories about how accounts get compromised. You're ready for the next step when you have at least one passkey set up and backup codes stored for your most important accounts.

Final Project Showcase

Teach what you know — that's the ultimate proof you really understand something. Create a one-page "Password Security Guide for Our Family" or a short presentation for your class. Include: why weak passwords are dangerous (use real breach stats from haveibeenpwned.com), how to create strong passwords, why a password manager beats memorizing, and how to set up 2FA. Walk at least one real person — a parent, sibling, or friend in the Salt Lake area — through setting up Bitwarden and turning on 2FA for their most important account. You're ready for the next step when someone you know has personally improved their password security because of you.