Passwords and Authentication: The Foundation You're Probably Getting Wrong

If you do nothing else from this entire series, do this: install a password manager and enable two-factor authentication on your email account. These two actions, which together take less than an hour, will do more to protect your digital life than every other privacy practice combined. Password security is boring. It is foundational. And it is the single area where the gap between what most people do and what they should do is widest. Snowden made this point plainly — the basics of authentication hygiene block the overwhelming majority of attacks that ordinary people actually face.

Why This Matters for Sovereignty

Your passwords are the locks on your digital infrastructure. If those locks are weak — and for most people, they are — then nothing else you build on top of that infrastructure is secure. You can use an encrypted email provider, run a privacy-respecting browser, and audit every app permission on your phone, but if your email password is “Summer2019” and you use it on twelve other services, a single data breach anywhere in that chain compromises everything.

This is not hypothetical. Data breaches are not rare events that happen to other people. They are continuous. Every major platform has been breached or will be. LinkedIn, Yahoo, Adobe, Equifax, Marriott, Facebook — the list is long and it grows steadily. When a service is breached, the username and password combinations from that breach are compiled into databases that are sold, traded, and fed into automated tools that try those credentials across thousands of other services. This is called credential stuffing, and it works because most people reuse passwords. If your LinkedIn password is the same as your email password, a LinkedIn breach is an email breach. And your email is the skeleton key — password resets for every other service flow through it.

The sovereign response is architectural, not reactive. You do not respond to individual breaches. You build a system that makes credential stuffing structurally impossible, regardless of which service gets breached.

How It Works: Password Managers

A password manager is software that generates, stores, and fills a unique, random password for every account you use. You remember one password, your master password, and the manager handles everything else. When you create a new account, the manager generates a random string like k8#mPx2$vL9@nQ4w and stores it. When you log in, the manager fills it automatically. You never see, type, or remember the individual passwords, which is exactly what makes them safe to reuse nowhere.

Three password managers are worth considering. Bitwarden is open-source, independently audited, and offers a free tier that covers everything most people need. The paid tier is $10 per year and adds features like encrypted file attachments and emergency access. 1Password costs $36 per year, has a polished interface, and is widely used in both personal and business contexts. KeePass is open-source and stores your password database in a local file, so your passwords never touch anyone else’s servers, but it requires more technical comfort to set up and leaves syncing that file between your devices to you rather than handling it the way Bitwarden and 1Password do.

Any of these is fine. The differences between them matter far less than the difference between using one and not using one. If you are paralyzed by the choice, install Bitwarden. It is free, it is open-source, and it works on every platform.

The master password is the one password you need to make strong and memorable. A passphrase of four or five unrelated words, like “correct horse battery staple” from the well-known XKCD comic, is both stronger and easier to remember than a short password full of symbols. The strength comes from how the words are chosen, not from how obscure they are: pick them at random from a large list (with dice or a generator, never out of your own head), and four words from a 7,776-word list give about 52 bits of entropy, five about 65. That is far beyond what online guessing can reach and, because password managers deliberately make deriving the vault key slow, strong against offline cracking of a stolen vault as well; use five or six words if this vault is the only thing standing between an attacker and everything else. Something like “telescope maple thunderstorm cabinet” is easy to commit to memory. Do not keep it on a sticky note attached to your monitor. Do commit it to memory through repetition over the first week, and keep one written copy wherever you keep other important documents, so a forgotten master password is recoverable rather than catastrophic.

The migration process is straightforward but takes time. You do not need to change every password at once. Start with the ten accounts that matter most: your primary email, your bank, your investment accounts, your phone carrier, and any account that stores payment information. Generate unique passwords for those ten accounts through your password manager. That alone eliminates the most dangerous credential-stuffing scenarios. Over the following weeks, update the rest as you encounter them — each time you log into a service, let the password manager generate and save a new unique password.

How It Works: Two-Factor Authentication

Two-factor authentication — commonly written as 2FA — adds a second verification step beyond your password. The principle is simple: something you know (your password) plus something you have (your phone or a hardware key). Even if an attacker obtains your password through a breach, they cannot access your account without the second factor.

There is a hierarchy of 2FA methods, and the differences matter.

Hardware security keys, such as the YubiKey, are the strongest option. They are physical devices that plug into your computer’s USB port or communicate via NFC with your phone. They are phishing-resistant: when you log in, the browser asks the key to sign a one-time challenge bound to the domain of the site you are actually on, so even if you are tricked into entering your password on a fake login page, the key has no credential registered for the lookalike domain, and any signature produced there would be rejected by the real site. A YubiKey costs $25-55 depending on the model. For high-value accounts like email and financial services, this is a worthwhile investment; register a second key and store it separately so that losing one does not lock you out.

Authenticator apps are the next best option. These are apps on your phone such as Authy, Google Authenticator, or Aegis (open-source, Android only) that generate a six-digit code from a secret shared with the service when you enrolled; the code changes every thirty seconds. When you log in, you enter your password and then the current code from the app. This is significantly stronger than a password alone and sufficient for most people’s threat model, with one caveat: unlike a hardware key, a code can be relayed in real time by a phishing page that asks for it, so the app protects you from a stolen password but not from a convincing fake login page. Authy has the advantage of encrypted cloud backup, which means you can recover your 2FA codes if you lose your phone. Aegis stores everything locally, which keeps the secrets off anyone’s servers but means you must export its encrypted backup yourself and keep it somewhere other than the phone; losing the phone without a backup locks you out of every account enrolled in it. Whatever app you use, save the one-time recovery codes each service offers at enrollment. They are your way back in when the phone is gone.

SMS codes, where a text message with a code is sent to your phone number, are the weakest form of 2FA but still far better than nothing. The main weakness is the SIM-swap attack, in which an attacker convinces your phone carrier to transfer your number to a new SIM card and then receives your text messages. SIM-swap attacks are real and documented, but they are targeted: they require effort directed at a specific individual. For most people, SMS 2FA still blocks the automated credential-stuffing attacks that make up the vast majority of the threat. If it is the only option a service offers, use it, and move the account to an authenticator app or hardware key the moment the service allows it.

Passkeys are an emerging technology that replaces passwords entirely with cryptographic key pairs. The private key stays on your device (or in your password manager’s encrypted vault, if it syncs passkeys); the service only ever holds the public key, so a breach of the service leaks nothing an attacker can log in with. Major platforms including Apple, Google, and Microsoft support passkeys as of early 2026, and adoption is accelerating. Passkeys are both more secure and more convenient than passwords: you unlock the key with your device’s biometric (fingerprint or face) or PIN, which never leaves the device, and the signed challenge-response happens in the background. They are phishing-resistant for the same reason hardware keys are, because each passkey is bound to the domain it was created for. Where passkeys are available, adopt them. They represent the eventual future of authentication, though the transition will last years and password managers remain essential for the hundreds of services that do not yet support them.

The Proportional Response: The One-Weekend Upgrade

Here is the concrete plan. It takes two to three hours spread across a weekend afternoon.

Hour one: Install and configure your password manager. Download Bitwarden (or your preferred alternative) on your phone and computer. Create your account. Choose a strong master passphrase. Install the browser extension. Spend a few minutes familiarizing yourself with how it generates and fills passwords.

Hour two: Secure your ten most critical accounts. Start with your primary email, the single most important account to protect because password resets for everything else flow through it. Log in, change the password to one generated by your password manager, enable the strongest 2FA option the service supports, and store the recovery codes it gives you during 2FA setup in the password manager (or somewhere else that is not the phone itself). Then do the same for your bank, your secondary email, your phone carrier account, and your most-used financial services. Ten accounts, ten unique passwords, ten 2FA enrollments.

Hour three (optional but recommended): Extend the perimeter. Change passwords on your social media accounts, your Amazon account, your cloud storage, and any other service that stores payment information or personal data. Each one takes two to three minutes once you have the rhythm. Enable 2FA wherever it is available.

After this weekend, your authentication posture has gone from dangerously inadequate to genuinely strong. Credential stuffing no longer works against you. Automated account compromise is blocked by 2FA. Your email — the skeleton key — is protected by a unique password and a second factor. The ongoing maintenance is minimal: when you create new accounts, let the password manager generate the password. When a service announces a breach, change that one password. Check haveibeenpwned.com periodically to see if your email appears in known breach databases.

What to Watch For

The authentication landscape is evolving. Passkeys will eventually make traditional passwords obsolete for most accounts, but the transition will be gradual and uneven. Some services will support passkeys early; others will rely on passwords for years. During this transition, a password manager is not optional — it is the bridge technology that keeps you secure while the industry migrates.

SIM-swap attacks are a known weakness of SMS-based 2FA. If your phone carrier offers a PIN or passphrase requirement for account changes, enable it; T-Mobile, AT&T, and Verizon all offer some form of account security PIN, and several carriers also offer a lock that blocks your number from being transferred to another carrier or SIM until you unlock it. None of this eliminates SIM-swap risk entirely, but it adds friction that deters most attackers, and moving your important accounts from SMS to an authenticator app or hardware key takes your phone number out of the equation altogether.

Password managers themselves are targets. Bitwarden and 1Password both encrypt your vault on your own device with a key derived from your master password, so what sits on their servers is ciphertext they cannot read even if those servers are compromised. LastPass, a formerly popular option, suffered a significant breach in 2022 in which encrypted password vaults were stolen, and subsequent reporting revealed that some of those vaults have since been cracked. Two factors made that possible: users who chose weak master passwords, and older LastPass accounts that used a very low number of key-derivation iterations, which makes each guess against a stolen vault cheap. This underscores three points: choose a password manager with a strong security track record, choose a strong master passphrase, and check your manager’s key-derivation settings (Bitwarden, for example, lets you raise the iteration count or switch to Argon2id in its account security settings) so that a stolen vault stays expensive to attack.

The fundamental reality is this: authentication is the foundation. Every other privacy practice in this series assumes that your accounts are not trivially compromisable. If your passwords are weak and reused, and you have no second factor, then your encrypted email, your private browser, and your careful app permissions are all built on sand. Fix the foundation first. Everything else comes second.


This article is part of the Data & Privacy series at SovereignCML.

Related reading: The Privacy Landscape: What’s Real, What’s Theater, Your Threat Model: Who Are You Actually Defending Against?, Your Phone: The Most Intimate Surveillance Device You Own
