Birchwood Credit Journal

one person figuring out how credit scores actually work, one chapter at a time

Why I stopped saving passwords in browsers and what I do instead

Posted Saturday 24 May 2026 - home desk, Saturday morning

For years I let every browser save every password. The little autofill popup was convenient and I never thought twice about it until a coworker had his laptop stolen from a coffee shop and discovered that every saved credential was accessible to anyone who could get past the lock screen. He lost access to two bank accounts for almost a week while the fraud department sorted things out. That was enough to make me reconsider the entire arrangement.

The first thing I did was export the full list from the browser settings page and print it on paper. It was sobering: eighty-seven saved passwords, many of them identical, several for services I had forgotten existed. Eleven of them were for financial accounts. I sat down that same evening and changed the most critical ones, starting with the two bank logins and the brokerage account.

What I settled on after researching for a few days was a standalone password manager that stores the encrypted vault locally rather than in a cloud service. The master password is long and I keep a paper backup in the filing cabinet with the insurance documents. Each financial account now has a unique password generated by the manager, and the browser autofill is turned off entirely. It took about three hours to migrate everything, and the daily friction is minimal once you get used to the extra step of unlocking the vault.

The one habit I have kept from the old system is checking the list quarterly, the same way I review subscriptions. If a service appears in the vault that I have not logged into in six months, I delete the account or at least reset the password. The goal is to keep the attack surface small. I do not pretend to be a security expert, but the coworker's experience made the risk concrete in a way that reading about data breaches never did.
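The export review and the quarterly check described above can be run as a script. This is an added example, not something from the original post; the CSV column names (including `last_used`) and the sample rows are assumptions made for illustration, and a real export will use its own headers.

```python
import csv
import hashlib
import io
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample export; the column names are an assumption, not a real
# browser's or password manager's format.
SAMPLE_EXPORT = """name,url,username,password,last_used
Bank A,https://bank-a.example/login,me,correct-horse-1,2026-05-20
Brokerage,https://broker.example,me,correct-horse-1,2026-04-02
Old Forum,https://forum.example,me,correct-horse-1,2025-03-11
Card Issuer,https://card.example,me,Xq7!vT2#pLm9,2026-05-01
Photo Site,https://photos.example,me,sunshine22,2025-09-30
"""

def audit(export_text, today, stale_after_days=183):
    """Return (reused, stale): groups of entry names that share one password,
    and entry names not used within the last stale_after_days days."""
    by_digest = defaultdict(list)
    stale = []
    cutoff = today - timedelta(days=stale_after_days)
    for row in csv.DictReader(io.StringIO(export_text)):
        # Group on a digest so the plaintext never appears in the report.
        digest = hashlib.sha256(row["password"].encode("utf-8")).hexdigest()
        by_digest[digest].append(row["name"])
        if date.fromisoformat(row["last_used"]) < cutoff:
            stale.append(row["name"])
    reused = sorted(sorted(names) for names in by_digest.values() if len(names) > 1)
    return reused, sorted(stale)

if __name__ == "__main__":
    reused, stale = audit(SAMPLE_EXPORT, today=date(2026, 5, 24))
    for group in reused:
        print("same password:", ", ".join(group))
    for name in stale:
        print("unused for six months:", name)
```

The export file holds every password in plaintext, so it is worth deleting once the audit is done.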

Two-factor authentication: what I actually turned on and where

Posted Wednesday 21 May 2026

After migrating to the password manager I went through every financial account and turned on two-factor authentication wherever it was available. The process was less uniform than I expected. My primary bank offered SMS codes and an authenticator app. The brokerage account only supported SMS. One credit card issuer did not offer two-factor at all, which is hard to believe in 2026 but there it is.

I chose the authenticator app wherever possible because I had read that SMS codes can be intercepted through SIM-swapping attacks. The setup was straightforward: scan a QR code, confirm the six-digit number, and save the recovery codes in the password manager. The whole exercise took about ninety minutes for eight accounts. The extra five seconds at each login is a small price for knowing that a stolen password alone is not enough to get in.

The phishing email that almost fooled me

Posted Monday 19 May 2026

Last week I received an email that looked exactly like a notification from my bank. Same logo, same colour scheme, same footer text. The subject line said my account had been temporarily limited due to unusual activity. The only reason I did not click the link was that I had just logged in five minutes earlier and everything was normal. When I hovered over the link without clicking, the domain was a string of random characters followed by a dash and the bank name. It was convincing enough that I forwarded it to the bank's fraud department and they confirmed it was a known phishing campaign.

The experience reinforced something I had read but never felt viscerally: the quality of phishing attempts has improved dramatically. The days of obvious spelling errors and Nigerian prince stories are long past. The modern version looks professional, arrives at plausible times, and uses real branding assets. My rule now is simple: never click a link in an email that claims to be from a financial institution. Instead, open a new browser tab and type the address manually. It takes ten extra seconds and removes the risk entirely.
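The hover check described above, written as code: extract every link target from an HTML email and compare its host with the bank's real domain. This is an added example, not part of the original post; `examplebank.example`, the brand keyword and the sample message are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed for the example: the bank's real domain and its brand keyword.
TRUSTED_DOMAIN = "examplebank.example"
BRAND = "examplebank"

# Constructed email body, not a real message.
SAMPLE_HTML = """
<p>Your account has been temporarily limited due to unusual activity.</p>
<a href="https://xk3q9zt-examplebank.example/restore">Restore access</a>
<a href="https://www.examplebank.example/help">Help centre</a>
<a href="https://examplebank.example.login-check.example/">examplebank.example</a>
"""

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag; the visible link text is ignored."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def is_trusted_host(host, trusted=TRUSTED_DOMAIN):
    # Exact match or a true subdomain. A plain endswith(trusted) would
    # wrongly accept "xk3q9zt-examplebank.example".
    host = host.lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)

def classify_links(html):
    """Return (host, verdict) for each link: trusted, lookalike or unrelated."""
    parser = LinkCollector()
    parser.feed(html)
    results = []
    for href in parser.hrefs:
        host = urlsplit(href).hostname or ""
        if is_trusted_host(host):
            verdict = "trusted"
        elif BRAND in host:
            verdict = "lookalike"  # brand name present, but not the bank's domain
        else:
            verdict = "unrelated"
        results.append((host, verdict))
    return results

if __name__ == "__main__":
    for host, verdict in classify_links(SAMPLE_HTML):
        print(f"{verdict:10} {host}")
```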

About this journal

I write these entries from a desk in a second-floor room that doubles as a home office for my day job, which has nothing to do with finance. The journal started in early 2025 when I realised I could not explain to my younger sibling what a credit score actually measures, despite having had credit accounts for over a decade. I have no monetisation on this site, no advertising, no affiliate links, and no email list. The domain costs me a small amount each year and the hosting is minimal.

The name is borrowed from the street I lived on during the year I started taking this subject seriously. The primary purpose is to make myself write clearly enough about each topic that I am confident I actually understand it, because nothing exposes a gap in understanding faster than trying to explain something in plain English.

Contact

If you have a correction, a source recommendation, or you want to point out something I have described inaccurately, the address below is the best way to reach me. I am not able to offer personal advice on credit matters because I am not qualified to do so, but I welcome factual corrections and reading suggestions.

Email: notes@birchwoodcredit.example