Skip to main content

CompTIA A+

Passwords and Certificates

12 min read

Password theft still works because people reuse logins and trust what "looks" normal. Fake sites copy branding, buy ads, and wait for rushed clicks. For CompTIA A+ Core 2 (220-1202), Domain 2.0 Security, Objective 2.11 (Password managers, secure connections, sites with valid certificates), you need practical habits, not trivia. This topic ties together three everyday support calls: "My account got hacked," "The browser says not secure," and "This site's certificate warning won't go away." In this post, you'll learn how password managers reduce reuse, how to recognize secure connections (HTTPS and TLS) in seconds, and how to check whether a certificate is actually trusted. The goal is simple: answer scenario questions fast, and handle real tickets without guesswork.

Use password managers to build stronger logins with less effort

A password manager is a tool that creates, saves, and fills passwords for you. It replaces the sticky note, the spreadsheet, and the "same password everywhere" habit. In practice, it acts like a locked key cabinet. You keep one key, and it unlocks many other keys.

Reusing passwords fails for a basic reason: one breach spreads. If a single site leaks a password, attackers try that same email and password on banking, shopping, and work portals. People call this credential stuffing. It works because humans prefer patterns they can remember.

Password managers reduce that risk because they make unique passwords easy. You don't need creativity or memory. The manager's generator can produce long strings that resist guessing and cracking. Just as important, a manager lowers typing errors. Support desks see this daily: a user changes a password, forgets it, then locks the account in five attempts. A manager cuts those lockouts.

For home and small office setups, the technician's recommendation usually comes down to three points:

  • The manager must encrypt the vault, with a strong track record and clear security design.
  • It should support multi-factor authentication (MFA) and device sync if the user needs it.
  • It must fit the user's workflow, because unused security helps nobody.

In a small office, password managers also reduce "shadow IT." Instead of staff saving logins in browsers with unknown settings, you can standardize storage. In addition, shared access becomes safer. A shared vault can hold a service account or a vendor portal login without emailing passwords around.

Treat a password manager like a seatbelt. It doesn't prevent every crash, but it changes the outcome when one happens.

What password managers store, and what they should never store in plain text

Most password managers store data in a vault. The vault is a database protected by encryption. The user unlocks it with a master password (or a master passphrase). That master password should be the only password a user must memorize.

Encryption matters because it changes what "stored" means. With a reputable manager, saved items are encrypted at rest. In other words, the vendor shouldn't be able to read your vault contents in plain text. Attackers who steal an encrypted vault still need the key, which is why the master password strength matters so much.

Password managers often store more than website passwords, for example:

  • Secure notes (such as Wi-Fi passwords or recovery codes)
  • Credit card details for checkout
  • Passkeys (where supported) or authentication tokens

Convenience can raise risk if people store everything. A simple rule works well for both exams and policy: store what you must, secure the rest. For example, storing a router admin password in the vault makes sense. Storing a full scan of an ID card usually doesn't. If sensitive documents must be stored, use an approved encrypted storage system with access controls, backups, and auditing.

Also watch for "plain text" traps. A manager should never store passwords in readable form in a normal notes app, an unencrypted file, or a browser note extension. If a user exports vault data to CSV for "backup," treat that file as highly sensitive. Encrypt it, protect it, or don't create it.

Best practices that show up on the exam and in real tickets

A+ questions often test the difference between "secure in theory" and "secure in use." These habits cover both:

  • Master password length: Prefer a long passphrase. Length beats clever substitutions.
  • Unique passwords everywhere: One site, one password, always.
  • Use the generator: Let the manager create long random passwords, then save them.
  • Auto-fill with care: Auto-fill helps, but only on the correct site and correct page.
  • Avoid auto-fill on risky systems: Skip public kiosks, unknown devices, or pages reached from suspicious links.
  • Enable MFA for the manager: If the vault is the "keys to the kingdom," lock it twice.
  • Plan recovery: Know the recovery method, store recovery codes safely, and document the process for small offices.

In addition, consider how password sharing should work. If two staff members need access to a shared account, a shared vault with role-based access is better than texting the password. Some business-focused tools add admin controls and offboarding support, which helps when an employee leaves. Still, keep it simple for A+ scope: the main idea is controlled sharing without exposing the password in plain view.

Understand secure connections so you can trust what you see in a browser

A secure connection protects data as it travels between a device and a site. Without that protection, anyone on the same network can try to observe traffic or change what gets delivered. Picture a postcard versus a sealed envelope. HTTP is closer to a postcard, while HTTPS is closer to the sealed envelope.

HTTPS relies on TLS (Transport Layer Security). TLS provides encryption in transit and integrity checks.

This lesson is part of ExamWizardz Pro

Unlock every lesson, unlimited practice tests, and the AI tutor.

See Pro pricing

or start with a free account