
Identity

Passwords, passkeys and MFA: stop making memory do impossible work

The household does not need clever passwords. It needs unique passwords, passkeys where supported, MFA, and a recovery path that survives a dead phone.

Short version

Password manager first. Passkeys and security keys for the accounts that matter. Recovery sorted before the bad day.

Source imagery

Three illustrative images (Wikimedia Commons): a YubiKey 5C NFC security key, a password manager concept, and a FIDO2 USB token.

Account-takeover path

Break the chain before email becomes the master key

Most household account disasters do not start with movie-hacker nonsense. They start with one reused password, then email, then everything email can reset. Unique passwords, passkeys, MFA and recovery codes put gates in that path.

Chain diagram: breached shop → email → bank / telco → cloud photos → social → backup codes. Status shown: 1 takeover gate still weak.

Login chain

A stolen or phished credential can still move toward email, cloud or money accounts.

Bad-day recovery

The phone is still the single way back in. That is fine until the phone is gone.

Explain the jargon

Small terms, big consequences

Each term gets the plain-English version and the practical move. No fake mystique, just the bit that changes what you do at home.

Passkey

A phishing-resistant login built into your device, password manager or hardware key. It is bound to the real site's address, so a lookalike login page cannot collect a usable copy the way it collects a typed password.

Do this: Turn passkeys on first for email, Apple/Google/Microsoft, banking and password-manager accounts where supported.

Security key

A small FIDO2/U2F hardware key, such as a YubiKey, that proves you are physically present during login (a touch or tap) and only answers the genuine site, not a lookalike.

Do this: Buy two for high-value accounts and enrol both: one for daily use and one backup stored safely.

SMS MFA

A code sent by text message. Better than no MFA, but weaker than passkeys, security keys or authenticator apps: the number can be socially engineered away from you or ported to another SIM (a SIM swap), and the code itself can be phished.

Do this: Use SMS if it is the only option. Replace it for accounts that support stronger factors.

Read these as three short household checklists.

Do this

  • Prioritise email, Apple/Google/Microsoft, banking, telco, cloud storage and social accounts.
  • Put every important account into a reputable password manager with unique generated passwords.
  • Enable passkeys where supported and MFA everywhere important.
  • Use hardware security keys for high-value or admin accounts; enrol at least two.
  • Store backup codes and recovery instructions safely.

Check

  • Is email protected by MFA/passkey?
  • Are passwords unique?
  • Can recovery work without the main phone?
  • Are backup codes reachable?
  • Is SMS still the only second factor on any high-value account?

Avoid

  • Season+year+exclamation patterns (Summer2024!) reused across sites.
  • Screenshots/notes/chat threads as a password system.
  • One phone as the only key back in.
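To make the Check list ("Are passwords unique?", "Is SMS still the only second factor on any high-value account?") and the "which accounts could they reset before breakfast" question concrete, here is an added Python example. It is not part of this page and not any password manager's own tooling. It reads a small constructed export (the column names, the account names such as Webmail and Telco, and the hand-added `mfa` and `resets_via` annotations are assumptions; real Bitwarden and 1Password exports use different columns), lists reused passwords by hash so nothing secret is printed, flags high-value accounts without a strong factor, and walks the takeover chain from one breached shop account: a reused password or a controlled reset route carries the attacker forward unless the next account has a passkey, security key or authenticator app, and SMS only holds until the telco account falls.

```python
"""Walk the household account-takeover chain from a password-manager export.

Added example, not CyberSafe@Home's own tooling. The export layout is
constructed: real Bitwarden/1Password CSV exports use different column names,
and `mfa` and `resets_via` are annotations a household adds by hand (which
second factor is on the account, and which other account controls its reset).
"""
import csv
import hashlib
import io
import secrets
from collections import defaultdict

# Constructed sample (fake accounts, fake passwords).
SAMPLE_EXPORT = """name,username,password,mfa,resets_via
Shop,fam@example.com,Summer2023!,none,Webmail
Webmail,fam@example.com,Summer2023!,none,Telco
Telco,fam@example.com,Winter2022!,none,Webmail
Bank,fam@example.com,Rk7$vq2Lp9!xWz,app,Webmail
Cloud photos,fam@example.com,gN4#tb8Hm1%yQs,passkey,Webmail
Social,fam@example.com,Winter2022!,sms,Webmail
"""

# Factors a stolen or reused password cannot get past on its own.
STRONG_MFA = {"app", "passkey", "key"}
# Assumed account names: the ones behind everyone else's reset button, and the
# telco account whose takeover lets an attacker receive SMS codes.
HIGH_VALUE = {"Webmail", "Telco", "Bank", "Cloud photos"}
PHONE_OWNER = "Telco"


def load_accounts(text):
    """Parse the CSV export into {account name: row}."""
    return {row["name"]: row for row in csv.DictReader(io.StringIO(text))}


def fingerprint(password):
    """Short hash so the report never prints a password."""
    return hashlib.sha256(password.encode()).hexdigest()[:8]


def reuse_groups(accounts):
    """Fingerprint -> names of every account sharing that password (reused ones only)."""
    groups = defaultdict(list)
    for name, row in accounts.items():
        groups[fingerprint(row["password"])].append(name)
    return {fp: sorted(names) for fp, names in groups.items() if len(names) > 1}


def gate_open(row, compromised):
    """Does holding this account's password (or its reset route) get the attacker in?"""
    mfa = row["mfa"]
    if mfa in STRONG_MFA:
        return False                       # passkey, key or app code: chain stops here
    if mfa == "sms":
        return PHONE_OWNER in compromised  # ported number: text codes now reach the attacker
    return True                            # no second factor at all


def blast_radius(accounts, start):
    """Every account reachable from a breach of `start` through reused passwords and
    reset chains. Iterates to a fixed point so an SMS gate that opens only once the
    telco account falls is revisited."""
    compromised = {start}
    changed = True
    while changed:
        changed = False
        for name, row in accounts.items():
            if name in compromised:
                continue
            same_password = any(row["password"] == accounts[c]["password"] for c in compromised)
            reset_owned = row["resets_via"] in compromised
            if (same_password or reset_owned) and gate_open(row, compromised):
                compromised.add(name)
                changed = True
    return compromised


def weak_gates(accounts):
    """High-value accounts still guarded by nothing or by SMS only."""
    return sorted((n, r["mfa"]) for n, r in accounts.items()
                  if n in HIGH_VALUE and r["mfa"] not in STRONG_MFA)


def harden(accounts, name, mfa="passkey"):
    """Copy of the accounts with `name` given a unique generated password and `mfa`."""
    fixed = {n: dict(r) for n, r in accounts.items()}
    fixed[name]["password"] = secrets.token_urlsafe(20)
    fixed[name]["mfa"] = mfa
    return fixed


if __name__ == "__main__":
    acc = load_accounts(SAMPLE_EXPORT)
    for fp, names in reuse_groups(acc).items():
        print(f"reused password {fp}: {', '.join(names)}")
    print("weak gates on high-value accounts:", weak_gates(acc))
    print("from a breached Shop:", sorted(blast_radius(acc, "Shop")))
    print("after fixing Webmail:", sorted(blast_radius(harden(acc, "Webmail"), "Shop")))
```

In the sample, one reused shop password reaches webmail, webmail resets the telco account, and the fallen telco account opens the SMS gate on the social account; only the bank (authenticator app) and cloud photos (passkey) survive. Fixing webmail alone cuts the chain at the shop. The SMS rule is a simplification: the page's warning is that a number can also be socially engineered away without the telco account being taken, which this model does not simulate. If you run it against a real export, delete the plaintext export as soon as the report is done.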

Self-check questions

Questions that expose the real habit

Use these quick checks to find the next practical fix. The useful answer is not perfect security; it is whether the safer path is obvious when someone is tired, embarrassed or in a hurry.

Use the first uncomfortable answer as the next household fix, not as a lecture.


Email master-key check

If someone got into your main email tonight, which accounts could they reset before breakfast?

Good sign: Email has unique password, passkey or strong MFA, recovery codes, no mystery forwarding rules, and recovery details that do not depend on one phone.

Watch for: If email is protected worse than shopping accounts, the reset chain is upside down.


Lost-phone rehearsal

Could you recover email, the password manager and banking if the main phone fell in the ocean?

Good sign: Backup codes, a second security key, trusted recovery contact or documented recovery route exists before the phone is gone.

Watch for: A phone-only setup feels simple until the phone is the thing missing, stolen or ported.


Shared-password cleanup

Which passwords still live in chats, notes, screenshots or someone's memory because they are 'only' for family accounts?

Good sign: Shared accounts move into a family vault with unique passwords and a named recovery owner.

Watch for: Low-value password habits migrate. The same screenshot-and-reuse pattern eventually reaches email, telco or money.

Full guidance

More than a slide title

This page turns account security into an adoption sequence a family can actually finish.


  1. Family adoption

    The best vault is the one people use. Family sharing in 1Password, Bitwarden, Keeper or ecosystem vaults beats texting passwords around.

  2. Account priority order

    Do email first, then Apple/Google/Microsoft, password manager, banking, telco, cloud storage, social media and shopping. Email and phone numbers sit behind the reset buttons for everything else, so they do not belong at the bottom of the list.

  3. SMS caveat

    SMS MFA is weaker than passkeys, security keys and authenticator apps, but it is still usually better than no MFA. Use it when it is the only option; replace it where you can.

  4. Recovery before disaster

    Set recovery contacts, print/store backup codes and record the password-manager recovery process while everyone is calm. A lost phone should be annoying, not the start of losing email, bank access and cloud photos in one ugly chain.

Scenario

Two real-world messes, and the better response to each


Breached shop password

A reused shop password also works on webmail.

Better response

  • Change the email password first, from a clean device
  • Revoke active sessions, then check forwarding rules and recovery details
  • Replace reused passwords in priority order

Worse habit

Changing only the breached shop and leaving email exposed.


New phone, old recovery mess

The main phone is lost and every account wants a code sent to that phone.

Better response

  • Use stored recovery codes or backup keys
  • Recover email and password manager first
  • Check telco account controls
  • Update recovery methods while calm

Worse habit

Trying random reset flows until accounts lock or recovery alerts train everyone to click through.