Welcome: Password Security for Everyone

A friendly, plain-language course to help anyone — including seniors and folks who don’t feel “techy” — build safer password habits. No jargon required.

What you’ll learn

Why strong passwords matter
How to build great passphrases
Using password managers
Turning on multi-factor authentication (MFA)
Spotting common pitfalls & phishing

How it works

Short lessons with quick practice
No instructor — immediate feedback
Move at your own pace
Return anytime — your checklist is on the last slide

Why passwords matter

Think of your password like the key to your home. If the same key opens your house, car, and shed, losing it is a big problem. Using one password for many websites is the same risk — if one site is broken into, strangers can try that same key everywhere else.

Many accounts: Most people keep dozens of logins. Reusing a password is like using the same key for every door in your life.

Credential stuffing: When one website leaks passwords, crooks copy that key into other doors to see what opens. Unique passwords stop this chain reaction.

Phishing risk: A fake email or website asks you to “sign in.” That’s like a scammer wearing a delivery uniform to trick you into unlocking the door. Check the real website address.

Small steps win: A password manager (your locked key box) plus MFA (a deadbolt) blocks most common break-ins.

Plain talk: You don’t need to be a computer expert. A few simple habits make a huge difference — like locking your doors and not leaving a spare key under the mat.

Anatomy of a strong password

Short and fancy (like P@ssw0rd!) isn’t better than long and simple. Long wins. A passphrase is like a short, silly sentence that only you would think of.

Length: Aim for 12–16+ characters (for important accounts, 16+ is great).
Unpredictable: Avoid names, birthdays, or favorite teams.
Passphrases: Use 3–4 unrelated words with separators (e.g., blue!coffee!train!sky).

Why “P@ssw0rd123!” isn’t strong

Attackers know common substitutions and patterns (like @ for a). It’s like hiding a spare key under the doormat — everybody checks there. A longer, unusual phrase is like hiding the key in a locked safe.

Try it: create a strong passphrase (don’t use a real one)

Type a practice passphrase below. Nothing is uploaded anywhere. Think: a tiny story only you would remember.

Start typing to see feedback.

Analogy: Length is like adding links to a chain — the longer it is, the harder it is to break.

Avoid: Personal info, song lyrics, pet names (friends and scammers can guess these).

Goal: Four+ words or 16+ characters for important accounts.

Password managers: your memory vault

A password manager is like a locked pill organizer or a safe deposit box for passwords. It holds all the little pieces so you don’t have to remember them, and it helps you avoid mix-ups.

Benefits

Creates and remembers unique passwords for every site
Fills them in automatically so you type less
Works on your phone and computer
Warns you about weak or leaked passwords

Popular options

Bitwarden (open-source)
1Password
Dashlane
Google / Apple password managers

Self-paced practice: set up your vault

Pick a manager and install the browser extension + mobile app.
Create a strong master passphrase — this is the front-door key to your vault. Make it long and memorable.
Add 3 important logins (email, bank, primary social).
Use the generator to change one weak password today.
Tip: Consider printing recovery codes and storing them with other important documents.

Multi-Factor Authentication (MFA)

MFA is a second lock on your door. Even if someone steals your password (the first key), they still can’t get in without the second key — a code from an app, a hardware key, or your approval on the phone.

Best choices

Authenticator apps (Microsoft/Google Authenticator, Authy) — like a pocket key that changes every 30 seconds.
Passkeys or security keys (FIDO/WebAuthn) where supported — like a physical house key for your accounts.
SMS codes — acceptable if nothing else is available.

Enable MFA now

Start with your email and bank accounts.
Open each account’s Security or Login settings.
Choose Authenticator App when available and scan the code.
Store backup codes safely (your manager can save them).

Analogy: Your password is the knob lock; MFA is the deadbolt.

Common password pitfalls

Reusing passwords across sites — like one key for house, car, and mailbox.
Writing passwords on sticky notes — like taping a spare key to your front door.
Sharing passwords by text or email — like reading your alarm code out loud in a crowded room.
Saving passwords in plain notes apps — like leaving keys on a café table.
Typing credentials on unknown Wi-Fi — like whispering secrets to a stranger.

Self-check: fix a bad habit

Pick one habit to change today. For example, move passwords from a notes app into your manager and delete the note, or turn on MFA for your email.

I migrated one password into my manager.
I deleted a plain-text note of passwords.

Spot the phishing red flags

Mismatched sender and website (e.g., an email says “Your bank” but the address isn’t from the bank).
Urgent tone: “act now or lose access.” Real companies rarely threaten you.
Links that don’t match the real site. Type the address yourself when unsure.
Unexpected attachments. When in doubt, don’t open.

Tip: On a computer, hover links to preview the real address. On a phone, press and hold the link to peek safely.

Quick quiz: strong or weak?

Q1. Which is the strongest?

P@ssw0rd123! blue!coffee!train!sky Summer2025!

Q2. Best next step after a breach notice?

Ignore it Reuse an old password Change the password + enable MFA

Staying safe beyond passwords

Good security is like car care: buckle up (MFA), keep the engine maintained (updates), and drive with awareness (watch for scams).

Updates: Keep your phone, computer, and apps current. Analogy: oil changes for your devices — skip them and things break.

Wi-Fi: Avoid sensitive logins on public networks, or use a trusted VPN. Analogy: sending a postcard vs. a sealed letter.

Monitoring: Review recent logins/devices in account security pages. Analogy: checking who has a spare key.

Self-paced task: breach check

Visit haveibeenpwned.com and search your email(s). If you appear in results, change those passwords and turn on MFA.

Final quiz

Q1. Safest MFA method here?

SMS code only Authenticator app (or passkey) Email me my password

Q2. Best way to handle 100+ unique passwords?

Use a password manager Write them on sticky notes Reuse your favorite one

Q3. Which link is safest to click?

A shortened link from an unknown sender A link in an email demanding urgent action A URL you type yourself into the browser

Password hygiene checklist

Use this list like a fridge magnet — small steps you can check off and feel good about.

I created a long, unique master passphrase
I installed a password manager on all devices
I changed at least one weak/reused password
I turned on MFA for email and bank
I deleted any plain-text password notes

Resources

NIST SP 800-63B (Digital Identity Guidelines)
Have I Been Pwned
Password managers: Bitwarden, 1Password, Dashlane, Google/Apple

Tip: Always protect your Passwords