GrandGuard

Simple digital security for those you love.

This page teaches five essential habits that protect against the most common online threats. Read it at your own pace, on your own or alongside someone you trust.


Part one

Why passwords matter

Weak or reused passwords are the number one cause of hacked accounts. Most break-ins happen not because someone is a genius, but because the same password was used in many places.

Imagine every door in your house used the same key. Your front door, your car, your safety deposit box, and your mailbox, all opened with one key. If someone copied that key just once, they could walk into every part of your life.

That is what happens online when the same password is used for email, banking, and shopping. If one website is broken into and passwords leak out, attackers try that same password everywhere else. This happens millions of times every day, automatically.

[Figure. Labels: Email, Bank, Shop, Social. Caption: One key, every door. One stolen password, every account.]

The one rule.

Every important account needs its own unique password. Your email account matters most of all, because that is how every other account can be reset.

Part two

Creating strong passwords

The best passwords are long and easy for you to remember, but hard for anyone else to guess. Here is a simple method. Pick four random, unrelated words and put them together.

Take Purple-Fence7-Tuesday!mountain. It is four ordinary words with a symbol, a number, and a capital letter added, because many sites require these. It is easy to picture, easy to type, and very hard to crack.

A password with eight characters, even with numbers and symbols, can be cracked by a computer in seconds. A password with twenty-five letters would take centuries, even if the letters are simple.

Weak
Rex2015!

Pet's name and a birthday. Guessable in seconds.

Strong
Purple-Fence7-Tuesday!mountain

Four words with a symbol, a number, and a capital. Easy to remember, very hard to crack.

What to avoid

  • Names of family members, pets, or streets you have lived on.
  • Birthdays, anniversaries, or phone numbers.
  • Common words like "password", "welcome", or "letmein".
  • Any password you have used on another website.

Part three

Password managers

A password manager is a locked vault that remembers all your passwords for you. You only need to remember one master password, and the vault does the rest.

When you visit a website, the password manager fills in your username and password automatically. You never have to type them, and you never have to remember them. You can also ask it to create a new strong password for you at any time.

This is much safer than writing passwords in a notebook or on sticky notes. A vault is encrypted, which means even if someone stole your phone or computer, they could not read the passwords without the master password.

Trusted options

If you have an iPhone or an Android phone, you already have a password manager. You just have to start using it.

One password to remember.

Make the master password a long passphrase of four or five random words. Write it down once, on paper, and keep it somewhere safe at home. Not taped to the computer.

Part four

Two-factor authentication

Two-factor authentication, often written as 2FA, adds a second lock to your account. Even if someone learns your password, they still cannot get in.

The idea is simple. Something you know (your password) plus something you have (your phone). Both are needed to sign in.

[Figure. Labels: Password (what you know), Phone (what you have), Access (account unlocked). Caption: Password alone is not enough. Two factors together open the door.]

What happens when you log in

  1. You type your password as usual. The website checks it, but does not let you in yet.
  2. The website asks for a six-digit code. This code changes every thirty seconds.
  3. You open an app on your phone. The current code is shown. You type it into the website.
  4. You are let in. An attacker on the other side of the world cannot do this, because they do not have your phone.

Authenticator apps vs. text messages

The code can be delivered in two ways. One is a free app on your phone. The other is a text message (SMS). Apps are safer. Good choices include 2FAS, Ente Auth, Aegis Authenticator, and Proton Authenticator.

Part five

Why text message codes are not ideal

Getting a code by text message is better than no second factor at all. But it is the weakest of the options, and here is why.

There is a trick called SIM swapping. A scammer calls your phone company, pretends to be you, and says they lost their phone. They ask for your phone number to be moved to a new SIM card that they have. Sometimes, with enough personal information, they succeed.

From that moment on, your phone number rings on their phone. Every text code meant for you goes to them. They can then reset your accounts one by one.

This is rare, but it happens. There is good news. Using an authenticator app instead of text messages removes the risk completely, because the codes are generated inside your own phone and are never sent through the phone network.

[Figure. Labels: You, (514) 555-0101; Carrier, phone company; Scammer, number transferred. Caption: In a SIM swap, the scammer convinces the carrier to transfer your number to them. Your text codes now arrive on their phone.]

The preference order.

A hardware key like a YubiKey is the safest choice. An authenticator app is very good. Text message codes are still helpful. Anything is better than no second factor.

Part six

Passkeys, the next step

Passkeys are a new and simpler way to sign in. No password to remember. No code to type. Just your face or your fingerprint.

When you create a passkey on a website, your device quietly makes a pair of secret keys. One stays safely locked on your phone or computer. The other is given to the website. Neither key alone is useful, and they only work together.

When you sign in, the website asks your device to prove it has the matching key. Your phone asks you to look at it or to touch the fingerprint reader, and you are in. Nothing is typed, so nothing can be stolen by a scammer, and there is no password to forget.
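
A simplified model of that sign-in, added here as an example and not part of the original page: it is not the real passkey protocol (WebAuthn), and the site names and function names are made up for illustration. It goes one step past the text by showing that the device ties each passkey to one website, so a look-alike site gets nothing.

```javascript
const crypto = require('node:crypto');

const sha256 = (text) => crypto.createHash('sha256').update(text).digest();

// Creating a passkey: the device makes a key pair for one website. The private
// key never leaves the device; the website stores only the public key.
function createPasskey(site) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return { device: { site, privateKey }, website: { site, publicKey } };
}

// Website: a fresh random challenge for every sign-in attempt.
function newChallenge() {
  return crypto.randomBytes(32);
}

// Device: after the face or fingerprint check, sign (site the browser is
// actually on + challenge). There is no passkey for a look-alike site.
function deviceSign(device, siteInBrowser, challenge) {
  if (siteInBrowser !== device.site) return null;
  const message = Buffer.concat([sha256(siteInBrowser), challenge]);
  return crypto.sign(null, message, device.privateKey);
}

// Website: check the signature over its own name and the challenge it issued.
function websiteVerify(website, challenge, signature) {
  if (!signature) return false;
  const message = Buffer.concat([sha256(website.site), challenge]);
  return crypto.verify(null, message, website.publicKey, signature);
}

function demo() {
  const SITE = 'https://bank.example';            // constructed names
  const LOOKALIKE = 'https://bank-login.example';
  const { device, website } = createPasskey(SITE);
  const challenge = newChallenge();
  const signature = deviceSign(device, SITE, challenge);
  return {
    genuine: websiteVerify(website, challenge, signature),       // true
    replayed: websiteVerify(website, newChallenge(), signature), // false
    lookalike: deviceSign(device, LOOKALIKE, challenge) !== null, // false
  };
}

console.log(demo());
```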

Passkeys are already built into iPhones, iPads, Macs, Android phones, and Windows computers. Many websites already offer them, including Google, Apple, Amazon, and many banks. You do not need anything special to start.

When a site offers a passkey, say yes.

It is safer than a password and far easier to use. Your existing password still works as a backup.

Part seven

Phishing, the most common trick

Phishing is when a scammer sends an email, text, or message that looks like it is from a company you trust, such as your bank, the post office, the tax office, or a delivery service. They hope you will click a link and type your password.

The message usually creates a sense of urgency. "Your account will be closed." "A package could not be delivered." "Unusual sign-in detected." The goal is to make you act quickly, before you have time to think.

How to spot a phishing message

  • Urgency. The message demands you act within minutes or hours.
  • Odd sender. The email address is strange, even if the name looks right.
  • Grammar or spelling slips. Real banks do not send messages with broken sentences.
  • Suspicious links. The address does not match the company, or is shortened.

What to do

Do not click the link. Instead, open a browser and type the company's address yourself, or use the bookmark you already have. Log in there and check. If it was real, the message will be waiting for you on the site.

When in doubt, call your bank.

Use the number on the back of your card, never a number from the suspicious message. A real representative will never be upset that you checked.

Keep this handy (printable)

Quick reference card

Five rules on one page. Print it and keep it near the computer.

The five habits

  1. Use a unique password for every account. Four random words works beautifully.
  2. Use a password manager. Bitwarden, 1Password, Apple Keychain, or Google Password Manager.
  3. Turn on two-factor authentication. Prefer an authenticator app over text messages.
  4. Say yes to passkeys when offered. They are safer and easier than passwords.
  5. Never click a link in an urgent message. Open the website yourself. When in doubt, call your bank.