Security and Privacy Basics — Lesson 2
Passwords, MFA, and Account Protection
Learning Objectives
1. Explain why password managers are the single most impactful security tool.
2. Prioritize which accounts need MFA and what type to use.
3. Establish practical credential policies for teams.
Why password managers matter
A password manager generates, stores, and fills unique, strong passwords for every account. Without one, people reuse passwords across sites. When any one of those sites suffers a breach, attackers try those credentials on other services. This is called credential stuffing, and it is one of the most common attack methods.
The business case for password managers is straightforward: they eliminate reused passwords, they eliminate weak passwords, they make credential sharing between team members safer, and they provide an audit trail of who has access to what. The cost of a team password manager is typically $3-8 per user per month.
Common password managers include 1Password, Bitwarden, Dashlane, and LastPass. Choose one that supports team sharing with access controls, provides an admin dashboard for managing users, and allows easy revocation when someone leaves the team.
Multi-factor authentication (MFA)
MFA adds a second verification step beyond the password. Even if someone steals a password, they cannot access the account without the second factor. MFA reduces account compromise dramatically — by some estimates, over 99% of automated attacks.
Not all MFA is equal. SMS codes sent to a phone number are better than nothing but vulnerable to SIM swapping attacks. Authenticator apps like Google Authenticator, Authy, and Microsoft Authenticator generate time-based codes that are more secure. Hardware keys like YubiKey provide the strongest protection and are recommended for high-value accounts.
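To make the "time-based codes" concrete, here is an added example (not part of the lesson) showing how an authenticator app and a server derive and check the same code from a shared secret and the clock, following RFC 4226/6238; the secret used is the RFC's published test value, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time

# Added example, not the lesson's own code. Standard-library HOTP (RFC 4226)
# and TOTP (RFC 6238): the code is an HMAC over the current 30-second time
# step, keyed by a secret the server and the app share once at enrollment.
# A stolen password does not help without that secret.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password for a given counter value."""
    msg = struct.pack(">Q", counter)  # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226 section 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code: the counter is the number of elapsed time steps."""
    return hotp(secret, int(timestamp) // step, digits)


def verify_totp(secret: bytes, submitted: str, timestamp: int, window: int = 1) -> bool:
    """Server-side check: tolerates one step of clock drift either way and
    compares in constant time so response timing does not leak the code."""
    counter = int(timestamp) // 30
    return any(
        hmac.compare_digest(hotp(secret, counter + drift), submitted)
        for drift in range(-window, window + 1)
    )


def secret_from_base32(enrolment_key: str) -> bytes:
    """Authenticator apps receive the secret Base32-encoded in the QR code."""
    key = enrolment_key.strip().replace(" ", "").upper()
    key += "=" * (-len(key) % 8)  # restore padding apps usually omit
    return base64.b32decode(key)


# RFC 6238 reference secret (ASCII "12345678901234567890"), so the output
# can be checked against the RFC's published test vectors.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59))  # RFC 6238 vector: 287082
    print(totp(RFC_SECRET, int(time.time())))  # what an app would show now
```

Because the server accepts a small drift window, a code stays valid for roughly 90 seconds; a production verifier should also refuse to accept the same code twice.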
Prioritize MFA for accounts that would cause the most damage if compromised: email (it controls password resets for everything else), banking, domain registrar, hosting, admin panels, CRM with customer data, and any account with payment information.
Team credential policies
Credential policies do not need to be complex to be effective. Key practices: every team member uses the organization password manager, every critical account has MFA, shared accounts use the password manager sharing features rather than emailing credentials, and there is a documented process for revoking access when someone leaves.
When an employee or contractor leaves, their access should be revoked on the same day. This includes email, CRM, hosting, admin panels, social media accounts, analytics, shared drives, and any SaaS tools. A departure checklist that lists every system the person had access to prevents the common problem of forgotten accounts remaining active for months.
Avoid shared individual accounts where possible. Instead of five people sharing one admin login, each person should have their own account with appropriate permissions. This creates an audit trail and makes it possible to revoke one person's access without disrupting everyone else.
Case Study
The reused password
Situation
A marketing manager used the same password for their LinkedIn account, their work email, and the company CRM. LinkedIn suffered a data breach and the password was exposed. Within 48 hours, the attacker accessed the CRM using the same credentials and exported 12,000 customer records.
Analysis
A password manager would have generated unique passwords for each service, limiting the breach to LinkedIn only. MFA on the CRM would have blocked access even with the correct password. Neither safeguard was in place.
Takeaway
One reused password turns a breach at any service into a breach at every service. Password managers and MFA together make this scenario nearly impossible.
Reflection Questions
1. Does your organization use a password manager? If not, what is stopping adoption?
2. List your five most critical accounts. How many have MFA enabled today?
Key Takeaways
- ✓ Password managers eliminate reused and weak passwords — the most common attack vector.
- ✓ MFA reduces automated account compromise by over 99%.
- ✓ Prioritize MFA for email, banking, and admin accounts — email is most critical.
- ✓ Revoke access on the day someone departs — maintain a departure checklist.