A friend of the family lost her husband last year. One afternoon he was there. The next morning she was at his laptop, trying to figure out how to keep the house running.
She did not know a single password. Not his email. Not the bank. Not the life insurance portal.
She spent the next four months proving she was allowed to access her own family’s money.
I’ve spent the last few years helping everyday people lock down their digital lives. Not developers. Not security professionals. The mistakes repeat.
1. A strong password is enough
79% of people know that reusing passwords is risky. 84% of them do it anyway. I didn’t make those numbers up. That’s the gap your attacker is counting on.
The pattern is simple. Your email and password leak from one site. An attacker tries the same pair on Gmail, Amazon, your bank, Coinbase. If you reused the password, one breach becomes forty doors.
A strong password without a second factor is a good lock on a door that has no deadbolt. You need both.
Not all second factors are equal.
SMS codes are the worst option. A bored attacker calls your mobile carrier, convinces them to port your number to a new SIM, and every code meant for you lands on their phone. That’s a SIM swap. It’s cheap, it works, and it is not going away.
TOTP apps like Aegis or 1Password are better. The secret that generates the codes never leaves your device, so there is nothing for a carrier to hand over. They still get phished by fake login pages that capture your password and your six-digit code in the same sixty seconds.
Hardware keys like the YubiKey 5C NFC are the top tier. They’re built on FIDO2 and they’re effectively unphishable. Each credential is bound to the exact domain it was registered on, and the key checks that domain before it releases a signature. If you’re typing credentials into yubkey-login.com instead of yubico.com, the key refuses to cooperate. You cannot say that about a code you typed manually.
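An added sketch, not the author's code and not Yubico's, of the three checks that make that refusal happen in a WebAuthn login: the browser only forwards a request whose RP ID matches the page's domain, the key only holds a credential for the RP ID it was registered on, and the server checks the origin the browser recorded. The key's signature is simulated with HMAC so the script runs offline; the domain names are the ones from the paragraph above.

```python
import hashlib
import hmac
import json
import os

class ToyAuthenticator:
    """Stand-in for a hardware key: one credential per RP ID, HMAC instead of ECDSA."""
    def __init__(self):
        self.creds = {}

    def register(self, rp_id):
        self.creds[rp_id] = os.urandom(32)  # a real key stores a per-site private key

    def get_assertion(self, rp_id, client_data_hash):
        secret = self.creds.get(rp_id)
        if secret is None:
            return None  # no credential was ever made for this RP ID
        auth_data = hashlib.sha256(rp_id.encode()).digest()  # the rpIdHash field
        return auth_data, hmac.new(secret, auth_data + client_data_hash, "sha256").digest()

def browser_get(key, page_origin, rp_id, challenge):
    """Browser role: only forward the request if rp_id is the page's host or a parent of it."""
    host = page_origin.split("://", 1)[1].split("/", 1)[0]
    if host != rp_id and not host.endswith("." + rp_id):
        return None  # yubkey-login.com cannot ask for yubico.com's credential
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True)
    result = key.get_assertion(rp_id, hashlib.sha256(client_data.encode()).digest())
    return None if result is None else (client_data, result[0], result[1])

def relying_party_verify(key, rp_id, expected_origin, challenge, response):
    """Server role: check origin and challenge in clientData, the rpIdHash, then the signature."""
    if response is None:
        return False
    client_data, auth_data, sig = response
    parsed = json.loads(client_data)
    if (parsed["origin"] != expected_origin or parsed["challenge"] != challenge
            or auth_data != hashlib.sha256(rp_id.encode()).digest()):
        return False
    expected = hmac.new(key.creds[rp_id],  # the real server holds only the public key
                        auth_data + hashlib.sha256(client_data.encode()).digest(), "sha256").digest()
    return hmac.compare_digest(expected, sig)

def login_attempt(page_origin, rp_id="yubico.com", expected_origin="https://yubico.com"):
    key = ToyAuthenticator()
    key.register(rp_id)
    challenge = os.urandom(16).hex()
    return relying_party_verify(key, rp_id, expected_origin, challenge,
                                browser_get(key, page_origin, rp_id, challenge))
```

`login_attempt("https://yubico.com")` succeeds; `login_attempt("https://yubkey-login.com")` fails at the browser step, and even a forged clientData would fail the server's origin check.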
What to do: pick a password manager, move your accounts into it, generate fresh random passwords for your top 20, and buy two hardware keys. Always two.
2. “It’s in iCloud”
iCloud is a convenience strategy. It is not a security strategy. Those are different things.
A real backup satisfies the 3-2-1 rule. Three copies of your data. Two different storage media. One copy somewhere that is not your house.
iCloud gives you one of those on a good day. If your Apple ID gets taken over, your backup goes with it. If your account gets locked, access ends. If you forget the recovery key, you are in their hands. None of that requires a hacker.
I’ve watched two separate people lose years of family photos to an iPhone passcode they couldn’t remember. The device timed them out. Five minutes. An hour. A day. A week. Then it was gone.
What to do: one local encrypted backup, one offsite backup, and one restore test each quarter. A backup you have never restored from is not a backup. It is a hope.
3. No plan for incapacitation
This is the big one. It’s the mistake that makes the widow story happen.
Your “bus factor” is the number of people who could be hit by a bus before your digital life becomes inaccessible. For most people, that number is one. You.
The uncomfortable question is not whether you will die. You will. It is whether your family can function when you do. Can they pay the mortgage, reach accounts, close positions, find photos, and keep life moving?
A will doesn’t solve this on its own. In most US states, a law called RUFADAA gives a platform’s terms of service more weight than your will when a provider-side tool exists. Google’s Inactive Account Manager beats your lawyer’s paperwork. Apple’s Digital Legacy Contact does the same for iCloud. If you haven’t set those up, your estate ends up in a process that could have been an email.
The tools are already built.
Bitwarden Emergency Access lets a trusted person request access after a waiting period. Google Inactive Account Manager does something similar. Meta has Legacy Contact. Most major platforms have a version of this. The people who need them rarely set them up.
None of it works retroactively. A grieving family cannot set these up on your behalf. You do it now, or it does not happen.
The core move is simple. You write down what matters, you pick a trusted person, and you test the handoff while you’re alive to fix what breaks.
This is what my Bus Factor Insurance course is being built around: could your family reach the accounts, files, photos, and digital assets that matter if you could not help them?
4. Security theater over threat modeling
Buying a VPN because a YouTuber told you to, while reusing the same password on forty sites, is the purest form of this. Hours spent on the small decision while the big one sits there untouched.
Threat modeling sounds like something a security consultant charges for. It isn’t. It’s a ten-minute exercise.
Techlore has a clean frame. Three columns: People, Companies, Governments. Three rows: Security, Privacy, Anonymity. Nine cells total. Your threat model is the handful that matter to you.
If you have a job, family, and investments, your top cells are probably People/Security and Companies/Privacy. Governments/Anonymity may matter less unless you are a journalist or activist. That is fine. You need the right security, not maximum security everywhere.
What to do: pull up the matrix, circle the two or three cells that matter most, list what a realistic attacker would target in each, and fix those specific gaps. Not every gap. Those ones.
5. Treating security as one-time setup
Security is maintenance. I know that sounds boring. It is the whole job.
Backup hardware keys need to live somewhere different from your primary, and the backup needs to be tested. Bitcoin seed phrases need to be verified by recovering them on a spare device. If you use a passphrase, remember: there is no passphrase recovery. A typo creates a different wallet. The device will not warn you.
That same quirk makes passphrases useful. A passphrase creates a separate wallet on the same seed. Someone who finds the seed sees a decoy, not the full position. It helps against the physical-pressure scenario where you may need a wallet you can safely hand over.
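To make the "a typo creates a different wallet" point concrete, here is the BIP39 seed derivation as an added example, not the author's code, checked against the published BIP39 test vector for the all-zero-entropy English mnemonic with passphrase "TREZOR". It uses only the Python standard library; the passphrase is just part of the PBKDF2 salt, which is why there is no checksum and no way for a device to flag a mistyped one.

```python
import hashlib
import unicodedata

def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: PBKDF2-HMAC-SHA512(NFKD(mnemonic), "mnemonic" + NFKD(passphrase), 2048 rounds, 64 bytes)."""
    mnemonic_norm = unicodedata.normalize("NFKD", mnemonic)
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)  # passphrase has no checksum
    return hashlib.pbkdf2_hmac("sha512", mnemonic_norm.encode("utf-8"),
                               salt.encode("utf-8"), 2048, dklen=64)

# Official BIP39 test vector: entropy 0x00..00, passphrase "TREZOR".
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")
TEST_SEED_HEX = ("c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
                 "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04")

def wallets_for(mnemonic, passphrases):
    """Map each passphrase to the first bytes of the seed it yields; every entry is a distinct wallet."""
    return {p: bip39_seed(mnemonic, p).hex()[:16] for p in passphrases}

def all_distinct(mnemonic, passphrases):
    """True when no two passphrases (case, trailing space, 0 vs O) land on the same seed."""
    seeds = {bip39_seed(mnemonic, p) for p in passphrases}
    return len(seeds) == len(set(passphrases))
```

Running `wallets_for(TEST_MNEMONIC, ["", "TREZOR", "TREZ0R", "trezor", "TREZOR "])` shows five unrelated seeds from one seed phrase, which is both the decoy-wallet feature and the typo failure mode.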
None of this survives neglect. Keys get lost. Phones get replaced. Services change their 2FA options without asking. The external drive in the drawer sits for three years and its battery-backed controller forgets the encryption header.
What to do: put a 60-minute security review on the calendar once a quarter. Rotate the backup key. Run a restore. Remove SMS 2FA where you can. Confirm your emergency contact still makes sense. Then leave it alone until next time.
None of these mistakes are exotic. That is why they hurt. The gap between “I know” and “I did it” is where people get hit.
If any of the five hit home, my stack page lists the specific tools I use for each layer. I’m also building a Bus Factor Insurance course that walks through all of this end to end. It’s not ready yet.
The woman who lost her husband eventually got access. Not because the system helped her. Because she fought it for four months. That’s the part that stays with me.