How to Secure Your Accounts: Passwords, 2FA, and Passkeys
By Scott Anderson, Clearfront maintainer
Most account takeovers come down to three fixable things: weak or reused passwords, missing two-factor, and falling for a phishing page. Here is how to fix all three, based on current guidance from NIST and the FIDO Alliance, not the outdated password rules you grew up with.
How do you actually secure your accounts?
Use a long, unique passphrase for every account with a password manager, turn on two-factor authentication everywhere, and move to passkeys where they are offered. Those three steps stop the attacks that compromise most people.
The advice has changed a lot, and much of what you were told years ago is now wrong. The US standards body NIST rewrote its guidance, and the security industry has moved toward passkeys. Here is the current version.
Passphrases beat complex passwords
Length matters more than symbols. A long passphrase is stronger and easier to remember than a short password full of special characters, and modern guidance no longer wants you rotating passwords every 90 days.
NIST's current guidance, updated in 2025, says to allow long passwords, support passphrases, and stop forcing routine resets unless there is evidence of compromise. It also says to check new passwords against lists of known-breached ones and to allow password managers rather than fighting them. In plain terms: a unique passphrase per account, kept in a manager, is the baseline.
Why unique passwords matter so much
A reused password turns one old breach into a break-in across your accounts, through an attack called credential stuffing.
Attackers take passwords leaked in past breaches and try them everywhere. If you reuse one, a single leak opens your email, your bank, your shopping accounts. The numbers on how common this is are in how attackers use your footprint to phish you. A password manager fixes it by giving every account a different password you never have to remember.
Turn on two-factor, but not all 2FA is equal
Two-factor authentication means a stolen password is not enough on its own. Use an authenticator app or a hardware key rather than text-message codes.
App-based codes and hardware security keys are stronger than SMS, because text messages can be intercepted or stolen through SIM-swap attacks, where someone ports your number to their phone. Turn on two-factor everywhere it is offered, and prefer an app or a key for anything that matters, like your email and your bank.
Passkeys: the phishing-resistant upgrade
A passkey is a login tied to your device and to the real website's address, so it cannot be phished. There is no password or code for an attacker to steal or trick you into typing.
Passkeys use the FIDO standard. Your device creates a pair of keys: the public one goes to the website, the private one stays encrypted on your device and never leaves it. You sign in by unlocking your device with a fingerprint, face, or PIN. Because the passkey is bound to the genuine site's domain, it simply will not work on a look-alike phishing page. Where a service offers passkeys, they are the strongest option available.
The short version
- 1.Get a password manager and give every account a unique passphrase
- 2.Turn on two-factor everywhere, using an app or hardware key over SMS
- 3.Switch on passkeys wherever they are offered, starting with your most important accounts
- 4.Check your email against a breach index and rotate anything exposed
None of this is exciting, and all of it works. If you have just found yourself in a breach, the follow-up steps are in how to respond to a data breach, and to check whether a big leak includes you, see how to check the 24 billion record leak.
Frequently asked questions
- Are passphrases safer than complex passwords?
- Yes. Current NIST guidance favors length over forced complexity, so a long passphrase is both stronger and easier to remember than a short password full of symbols.
- Should I change my passwords every 90 days?
- No. NIST now advises against routine periodic resets and says to change a password only when there is evidence it has been compromised.
- Is SMS two-factor safe?
- It is better than no two-factor, but weaker than an authenticator app or a hardware key. Text-message codes can be intercepted or stolen through SIM-swap attacks, so prefer an app or key for important accounts.
- What is a passkey and is it better than a password?
- A passkey is a device-bound cryptographic login built on the FIDO standard. It is stronger than a password because it cannot be reused across sites and is bound to the real site's address, so it resists phishing.
Sources and further reading
Scott Anderson believes your personal data is yours to own and protect. He built Clearfront, a free, open-source tool for scanning and scrubbing your own digital footprint from public data, and he writes about OSINT, breach exposure, and personal privacy.
Related posts
- How Attackers Turn Your Public Footprint Into a Phishing Attack
Your public information fuels the two attacks most likely to hit you: a convincing phishing email and a password guessed from an old breach. Here is how, with the numbers.
- How to Respond to a Data Breach: The Step-by-Step Checklist
A company lost your data, or a checker flagged your email. Here is the response that actually protects you, in order, based on official FTC guidance.
- 24 Billion Records Just Leaked. Here Is How to Check If Yours Are In It.
A June 2026 dump exposed around 24 billion credential records. Here is what was in it, how to check if your data is included, and the 15-minute response.