Strong passwords and two-factor authentication aren't optional anymore. They're the first line of defense for your business online. Here's what you need to know, and what I'll need from you.
Let me be upfront about something: I’m going to ask you to take a little bit of responsibility for your own account security. Not because it’s technically complicated (it isn’t), but because the most sophisticated hosting setup in the world can’t protect you if someone gets your password.
The good news is that getting this right isn’t hard. It just takes doing a couple of things differently than most people currently do them.
The biggest myth about passwords is that "complexity" is what matters. A short password dressed up with a capital letter, a few digits, and a symbol in the usual places ("Summer2024!") is far weaker than a longer phrase of unrelated words, because cracking tools try exactly those patterns first. What actually protects you is length, with the words or characters chosen at random rather than by you; a passphrase like "purple-lamp-runway-toast" is long, easy to remember, and hard to guess. (Don't use that one, or any example you've seen in print: once it's published, it's on the guessing lists.)
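If you want to see the arithmetic behind that claim, here is a small Python script added to this guide as an illustration; it is not part of the original text and not code from any password manager. It measures passwords in bits of entropy (log2 of the number of equally likely candidates), which is exact for randomly generated passwords and only a rough model for human-chosen ones. The guess rate, the wordlist size, and the shape of the "Summer2024!" pattern are my assumptions, chosen to be typical rather than measured.

```python
"""Added example: how expensive a password is to guess, in bits of entropy.
Entropy = log2(number of equally likely candidates). It is exact for
passwords a generator picks uniformly at random, and only a rough estimate
for human-chosen ones, where we model the pattern a cracking rule would try.
The guess rate and the human-pattern parameters are assumptions, not measurements."""
import math
import secrets
import string

PRINTABLE_ASCII = len(string.ascii_letters + string.digits + string.punctuation)  # 94
DICEWARE_WORDS = 7776  # size of the EFF long wordlist (6**5), a common passphrase list


def random_password_bits(length: int, charset_size: int = PRINTABLE_ASCII) -> float:
    """Entropy of `length` characters each drawn uniformly from `charset_size` symbols."""
    return length * math.log2(charset_size)


def passphrase_bits(words: int, wordlist_size: int = DICEWARE_WORDS) -> float:
    """Entropy of `words` words each drawn uniformly from a list of `wordlist_size` words."""
    return words * math.log2(wordlist_size)


def patterned_password_bits(dictionary_words: int = 20_000, capitalisations: int = 2,
                            digits: int = 4, symbols: int = 10) -> float:
    """Assumed model of a human 'complex' password such as 'Summer2024!':
    one common word, maybe capitalised, a few digits, one trailing symbol.
    Crackers enumerate exactly this shape, so character variety buys nothing."""
    candidates = dictionary_words * capitalisations * (10 ** digits) * symbols
    return math.log2(candidates)


def years_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected years to hit the password (half the space) at an assumed offline
    rate; 1e10/s is in the range of a GPU rig against a fast hash, illustrative only."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)


def generate_passphrase(wordlist: list, words: int, separator: str = "-") -> str:
    """What a password manager does: pick words with the OS CSPRNG, never by hand.
    Entropy is words * log2(len(wordlist)), so the list must be large."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    cases = {
        "'Summer2024!'-style pattern": patterned_password_bits(),
        "4 random diceware words": passphrase_bits(4),
        "12 random printable chars": random_password_bits(12),
        "6 random diceware words": passphrase_bits(6),
    }
    for label, bits in cases.items():
        print(f"{label:30s} {bits:5.1f} bits  ~{years_to_crack(bits):.2g} years")
    # Constructed toy wordlist, far too small for real use; shown only for the mechanics.
    toy = ["purple", "lamp", "runway", "toast", "anvil", "comet", "harbor", "quilt"]
    print(generate_passphrase(toy, 4), f"({passphrase_bits(4, len(toy)):.0f} bits, too few)")
```

Two things the numbers show: a human "complex" password of the usual shape falls in well under a second of offline guessing, and a passphrase needs five or six random words from a large list to match a twelve-character random string. Either is fine when a password manager generates it; neither is fine when you make it up yourself.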
The other thing that matters just as much: don’t reuse passwords. If you use the same password across multiple sites and one of those sites gets breached (which happens constantly, to big companies and small ones alike), attackers try that same password everywhere: your email, your hosting login, your banking. It’s called credential stuffing, and it works.
If you’re currently reusing passwords across sites, that’s the most important thing to fix. A password manager (see the next section) makes it straightforward.
A password manager is software that generates and stores strong, unique passwords for every site you use. You remember one master password. The password manager handles everything else. Think of it like a locked safe with a really good memory: it knows the combination to every lock in your life, and you only have to remember the combination to the safe.
I use one every day and genuinely can’t imagine doing my job without it. There are two I’d recommend:
1Password is the most polished option out there. Easy to set up, works seamlessly across your phone, computer, and browser, and has a great family plan if you want to share it at home. Starts at $2.99/month. This is what I'd recommend if you want something that just works and you don't want to think about it. 1password.com →
Bitwarden is open-source, independently audited, and has a genuinely useful free tier. Not quite as polished as 1Password, but it works great and the free plan covers everything most people need. If budget is a consideration, this is a solid place to start. bitwarden.com →
Two-factor authentication (2FA) means that logging into an account requires two things: something you know (your password) and something you have (usually your phone). Even if someone gets your password (through a data breach, a phishing email, or just guessing), they still can’t get in without that second factor.
This is a condition of my managed hosting: all WordPress admin accounts on sites I host must have 2FA enabled. I know that sounds like a policy, and it is, but it’s there because it works. I’ve never had a client site compromised on an account that had 2FA turned on.
Setting up 2FA takes about two minutes, and I'll walk you through it when we get to that point. The most common method is a six-digit code from an authenticator app on your phone that changes every 30 seconds. Nothing complicated, and most sites let you mark a device as trusted, so you only enter the code once per device. One thing to do at setup: save the recovery codes the site gives you (your password manager is a fine place), because a lost or replaced phone otherwise means a locked-out account.
Sometimes I’ll need temporary access to something you own: a Google account to set up Analytics, a domain registrar to update DNS settings, or a hosting login to configure something. (The Nameservers & Cloudflare guide covers your registrar access options specifically.)
Please don't send passwords in a text message or email. Neither is encrypted end to end, so anyone who intercepts the message or gets into your inbox later has the password. Instead, use a one-time secure link. It disappears after it's opened, so even if someone found the link afterward, there'd be nothing there.
The easiest free option is OneTimeSecret (no account needed):
No sign-up required. You’ll see a simple text box right on the home page.
If you’re sharing both a login and a password, put both in there. You can also add an optional passphrase for an extra layer; then you’d send me the passphrase separately by text.
Send me that link by email, text, or whatever’s convenient. The moment I open it, the secret is gone permanently.
Once I've done what I needed, change the password. The link expires after one view, but rotating the credential itself is the cleanest way to close the loop, especially for something like a Google account or hosting login.
1Password has a built-in “Share Item” feature that does the same thing. Open the item, click the share icon, and send me the link. Works great if you’re already in that ecosystem. No need to go to a separate site.
Still, I try to ask for direct credential access only when there’s genuinely no other way. Whenever possible, I’ll ask you to create me a separate account with the specific access I need, and we can remove it when the project’s done. Cleaner all around.