[Image: key and shield metaphor for password safety]
Passwords get explained with a lot of jargon. This is a plain-English glossary for the terms you’ll actually run into on Windows (and often in Google sign-ins), using a simple “house key” analogy so it sticks.

Think: keys, locks, spare keys, and what happens when a key goes missing.

Throughout, assume you’re using Windows and you sometimes sign in with a Google account in Chrome or other apps.

The basics: “password,” “passphrase,” and “PIN”

Password: the secret string you type to open an account. In the house analogy, it’s the key that works anywhere your account exists (web, new device, other apps).

Passphrase: a password that’s longer and usually made of multiple words. Like a longer key cut with more grooves—harder to copy by guessing.

PIN (Windows Hello PIN): a device-specific code that unlocks this Windows device. Think of it as a keypad code to your apartment door, not the master key to the whole building.

  • If someone learns your account password, they can often sign in from anywhere.
  • If someone learns your Windows Hello PIN, it typically helps them only on that device (and often only after they already have the device).

[Image: padlock with keypad, representing PIN vs. password]

Sign-in vs unlock: “account,” “session,” and “lock screen”

Account: your identity with rules and access (like your name on the lease). A Google account or Microsoft account is an account; so is a local Windows account.

Sign in: proving you’re allowed in and starting a new “visit.” Like showing a key at the front door.

Unlock: reopening what was already open on your device. Like returning to a door you locked behind you for a moment.

Session: the “you’re currently signed in” state. If someone steals your session, it can be like finding a door that’s already open—no key needed.

On Windows, the lock screen is often about unlocking the device. In a browser, you’re often dealing with sessions (cookies) that keep you signed in.

Why passwords get “stolen”: phishing, leaks, and credential stuffing

Phishing: a fake door that looks real. You type your key into the wrong lock (a fake sign-in page), and the attacker keeps the key.

Data breach / leak: a copy of many keys gets taken from a company’s key box (a hacked database). Even if you did nothing wrong, your password might be exposed.

Credential stuffing: trying a leaked key on lots of other doors. If you reuse passwords, this is why one leak can turn into multiple account takeovers.

  • Phishing is about being tricked into handing over the key.
  • Breaches are about keys being copied in bulk.
  • Credential stuffing is about testing reused keys everywhere.

[Image: fishing hook near a key outline, symbolizing phishing]
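Added example (not part of the original glossary): a small detector that spots the credential-stuffing pattern in constructed sign-in log lines, where one source fails against many different accounts within a short window, and then lists which accounts that source did get into. The log format and all values are invented for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "timestamp source_ip username result". Documentation
# IP ranges are used; nothing here comes from a real system.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 alice FAIL
2024-05-01T10:00:02 203.0.113.7 bob FAIL
2024-05-01T10:00:03 203.0.113.7 carol FAIL
2024-05-01T10:00:04 203.0.113.7 dave FAIL
2024-05-01T10:00:05 203.0.113.7 erin FAIL
2024-05-01T10:00:06 203.0.113.7 frank OK
2024-05-01T10:02:00 198.51.100.4 alice FAIL
2024-05-01T10:02:30 198.51.100.4 alice FAIL
2024-05-01T10:03:00 198.51.100.4 alice OK
"""

def parse_log(log: str):
    """Return (time, ip, user, result) tuples, oldest first."""
    events = []
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return sorted(events)

def stuffing_sources(log: str, window: timedelta = timedelta(minutes=5),
                     min_users: int = 5) -> dict:
    """Map each source IP that failed against >= min_users *distinct* accounts
    inside `window` to that user count. One person retrying their own password
    (198.51.100.4 above) never trips this; a leaked-list replay does."""
    fails = defaultdict(list)
    for ts, ip, user, result in parse_log(log):
        if result == "FAIL":
            fails[ip].append((ts, user))
    flagged = {}
    for ip, attempts in fails.items():
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = len(users)
                break
    return flagged

def logins_from_flagged(log: str, flagged: dict) -> set:
    """Successful sign-ins from a flagged source: the accounts to reset first."""
    return {(ip, user) for _, ip, user, result in parse_log(log)
            if result == "OK" and ip in flagged}
```

Running `stuffing_sources(SAMPLE_LOG)` flags only 203.0.113.7, and `logins_from_flagged` then points at the one account it reached.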

“2FA,” “MFA,” and Google prompts: what they really add

2FA (two-factor authentication) / MFA (multi-factor authentication): a second check after the password. In the analogy: you need the key and something else—like a door code or a doorman confirmation.

Authenticator app codes: rotating one-time codes. Like a key that changes shape every 30 seconds.

Google prompt: a sign-in approval request sent to a trusted phone. Like a doorman calling your phone to confirm it’s really you.

SMS codes: better than nothing, but easier to intercept than app-based codes or prompts. Like using a spare key that can be redirected if your mail gets messed with.

On Windows, 2FA usually shows up when you sign in to a Google account in Chrome or a Google app—not when you simply unlock the PC.
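As an added example (not part of the original glossary), here is how an authenticator app's rotating code is actually computed. It uses the public test secret from RFC 6238 rather than any real key, and the verify function shows the one-slot tolerance a server typically allows for a phone whose clock drifts.

```python
import base64
import hashlib
import hmac
import struct
import time

# Public test secret from RFC 6238 (the ASCII bytes "12345678901234567890"),
# shown in the base32 form an authenticator app receives at enrollment.
# It is a documented test vector, not a real key.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code (RFC 6238): HOTP where the counter is the 30-second slot."""
    secret = base64.b32decode(secret_b32.upper())
    return hotp(secret, at_time // step, digits)


def verify_totp(secret_b32: str, candidate: str, at_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current slot or its immediate neighbours so
    a slightly drifted phone clock still works, but reject anything older."""
    secret = base64.b32decode(secret_b32.upper())
    slot = at_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, slot + delta), candidate):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("code for this slot:", totp(DEMO_SECRET_B32, now))
    print("code for next slot:", totp(DEMO_SECRET_B32, now + 30))
```

The same secret at time 59 yields 287082, matching the RFC 6238 table (its 8-digit value is 94287082), which is a quick way to confirm any TOTP implementation.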

Recovery terms: “backup codes,” “recovery email,” and “account recovery”

Recovery is your spare-key plan. It matters as much as your main password, because it’s how you get back in when you’re locked out.

Recovery email / recovery phone: where the service can reach you to prove you’re you. Like the building manager’s contact info for you.

Backup codes: one-time spare keys you store somewhere safe (preferably offline). If you lose your phone or can’t get 2FA prompts, these can save you.

Account recovery: the process of proving identity when normal sign-in fails. Often slower and stricter than people expect.

  • Store backup codes somewhere you can reach even if your computer is broken.
  • Make sure your recovery email is an address you still use.
  • If you change phone numbers, update recovery details soon after.

[Image: spare key in a safety box, for account recovery]

Password tools: password manager, “saved passwords,” and autofill

Password manager: a locked keyring that stores unique keys for each door. You remember one strong master password (and ideally use 2FA), and the manager remembers the rest.

Saved passwords (in Chrome): Chrome can store passwords tied to your Google account (or locally). This can be convenient, but it still needs good account protection because it becomes a valuable keyring.

Autofill: the convenience feature that inserts stored credentials. Helpful for long unique passwords, but it can also fill into the wrong place if you’re on a convincing fake site—so glance at the site address before submitting.

On Windows, you’ll often see passwords “follow you” when you’re signed into Chrome with Google sync enabled.

A quick checklist: the “good enough” setup for most beginners

  • Use unique passwords for your most important accounts (email, bank, Google).
  • Turn on 2FA for your Google account (prompt or authenticator app is a solid default).
  • Keep recovery options current (recovery email/phone) and save backup codes.
  • Use a password manager (or Chrome saved passwords) so you’re not forced to reuse.
  • Treat your email as the master key: protect it first, because many resets go through email.

Takeaway: one key, one lock, one spare plan

A safe password setup is mostly three habits: unique “keys” (no reuse), a second check (2FA), and a spare-key plan (recovery). If you only improve one thing this week, make it protecting your Google account—because it often protects everything else connected to your Windows browsing and sign-ins.