A data breach at a small shopping site exposes your email address and password. You used the same password at your bank and email provider. What is the most likely attack that follows?
A. Nothing — hackers only care about financial data from large institutions
B. Automated credential stuffing: attackers try that same email-and-password pair at hundreds of other sites immediately
C. Phishing emails targeting you specifically, since they now know your email address
D. Brute-force attacks on your bank account, since they now know your email
Credential stuffing is automated and widespread: once a password database leaks, attackers immediately run the stolen email/password combinations against banking, email, and shopping sites. This is why uniqueness across accounts matters as much as strength — even a very strong password gives no protection at Site B if it was the same password stolen from Site A.
Question 2 Multiple Choice
You visit what appears to be your bank's login page and notice your password manager hasn't autofilled your credentials, even though you're on the right-looking URL. What does this most likely indicate?
A. The password manager has a bug and needs to be updated
B. You need to manually trigger autofill on banking sites for security reasons
C. The page is likely a phishing site on a slightly different domain — the manager only fills on the exact saved domain
D. Your credentials weren't saved for this account and need to be re-entered
Password managers autofill only on the exact domain where credentials were saved. If you're on 'bankofamerica.security-login.com' instead of 'bankofamerica.com', the manager silently refuses to fill — which is a valuable warning sign. This is one of the strongest anti-phishing properties of password managers: they aren't fooled by visual mimicry, because they fill only on an exact domain match.
Question 3 True / False
Your email account is less important to secure with two-factor authentication than your bank account, since email holds no financial information.
T. True
F. False
Answer: False
Email is arguably the most critical account to protect, because it is the recovery mechanism for every other account. Anyone who controls your email can click 'forgot password' on your banking, social media, and shopping accounts and reset every one. Compromising your email is effectively compromising everything. Enable 2FA on your email account first.
Question 4 True / False
A password manager protects you against phishing attacks even without any explicit anti-phishing features, because of how autofill works.
T. True
F. False
Answer: True
Password managers only autofill credentials on the exact domain where they were saved. A convincing fake page at 'arnazon.com' or 'paypa1.com' gets no autofill from the manager, because it only recognizes the real 'amazon.com' or 'paypal.com'. This domain-binding behavior means that letting the manager fill (rather than typing manually) provides phishing resistance as a side effect of normal operation.
Question 5 Short Answer
Why is using a unique password for every account at least as important as using a strong password for each account?
Model answer: Because credential stuffing means that when any site is breached, the stolen credentials are automatically tried on hundreds of other sites. A strong password on Site A provides zero protection at Site B if it's the same password — uniqueness breaks the chain that lets a single breach compromise all your accounts.
Password strength and password uniqueness address different threats. Strength protects against brute force and dictionary attacks targeting a single account. Uniqueness protects against the most common real-world attack: credential stuffing from breached databases. A password manager solves both simultaneously by generating and storing a strong unique password for every site.