Password Security Audit Checklist: 20 Steps to Harden Every Account You Own
Most people have dozens of accounts with weak, reused, or outdated passwords — and don't know it. This step-by-step audit checklist walks you through finding and fixing every weak point in your password security, from credential stuffing exposure to emergency access planning.
Why You Need a Password Audit
The average person has over 80 online accounts. Most were created years ago with whatever password habits existed at the time — which for most people means variations of the same base password with predictable substitutions (p@ssw0rd, for example). That approach has been systematically broken by large-scale data breaches: billions of leaked credential pairs are freely available to attackers, who run automated credential-stuffing tools against every major site continuously.
A password security audit doesn't take as long as you'd think. Most of the work below is one-time setup that pays forward indefinitely. This checklist is organized by priority — start at the top and work down. Use our free password generator whenever you need to create a new strong credential during the process.
Phase 1: Understand Your Current Exposure (Steps 1–5)
Step 1: Check if your email address has been in a breach. Go to HaveIBeenPwned.com and enter each email address you use regularly. If your address appears in a breach, every account that used that email and password combination is at risk — even if that specific account wasn't the one breached. The site shows you which breach included your data and what categories of information were exposed.
Step 2: Check your password manager's breach and health report. If you already use NordPass, 1Password, Bitwarden, or a similar tool, open its built-in security report. These tools cross-reference your stored passwords against known breach databases, identify reused passwords across multiple sites, and flag passwords that are too short or too simple. If you don't yet have a password manager, step 6 covers that — it's the most important single action you can take.
Step 3: List your highest-value accounts. Write down or mentally catalog your most critical accounts: primary email, secondary email, online banking and investment accounts, PayPal or Venmo, Apple ID or Google account, work email, and your password manager master password. These accounts get prioritized throughout the audit. Compromise of any one of them can cascade to everything else.
Step 4: Identify accounts that share a password. Reused passwords are the single biggest reason a single breach cascades into complete account takeover. If your Netflix password is identical to your bank password, and Netflix is breached, your bank is effectively compromised too. Search your password manager or think carefully through your accounts to identify shared passwords — these all need to change.
Step 5: Surface accounts you've forgotten about. Old dormant accounts still carry risk, especially if they share a password with active ones. Search your email inbox for "welcome," "verify your email," or "confirm your account" to surface accounts you created and forgot. Consider deleting accounts you genuinely no longer need — fewer accounts means fewer breach exposure points.
Phase 2: Fix the Foundations (Steps 6–12)
Step 6: Set up a password manager if you don't have one. This is the highest-ROI security action available to most people. A password manager lets you use a unique, strong, randomly generated password for every account without memorizing any of them — it stores and fills them for you. NordPass offers a solid free tier with zero-knowledge encryption and built-in breach monitoring. 1Password is excellent for families, teams, or anyone who wants a polished cross-device experience. Bitwarden is a strong free and open-source option.
Step 7: Create a strong master password. Your password manager's master password protects every other credential you own, so it needs to be genuinely strong — at least 16 characters, not based on any word, phrase, or pattern you've used elsewhere. Use our free password generator to create one, write it down on paper stored in a secure physical location (a locked drawer or safe), and practice typing it until it's memorized. This is the one password worth memorizing.
Step 8: Change your high-value account passwords first. Start with the list from Step 3. Use your password manager to generate a new, unique password for each (16+ characters, fully random). Don't attempt to make them memorable or guessable — that's the entire job of the password manager. Prioritize: email accounts, financial accounts, Apple ID / Google account, and any account storing payment methods.
Step 9: Enable 2FA on your primary email account. Your email is the master recovery mechanism for every other account. A compromised email inbox allows an attacker to reset essentially any other password you own via the "forgot password" flow. Enable two-factor authentication using an authenticator app — Google Authenticator, Microsoft Authenticator, or Authy — rather than SMS, which is vulnerable to SIM-swapping attacks. Do this before anything else in Phase 2.
Step 10: Enable 2FA on your password manager. All major password managers support 2FA. Enable it now using an authenticator app. If someone obtains your master password through a data breach or phishing attack, 2FA is the only remaining barrier between them and every credential you own.
Step 11: Enable 2FA on financial accounts. Banking, brokerage, PayPal, Venmo — enable authenticator-based 2FA on all of them. Some banks still only offer SMS-based 2FA; it's better than nothing, but request app-based or hardware-key options when available. Contact your bank directly if their website doesn't surface stronger 2FA options.
Step 12: Change all reused passwords. Return to the reuse list from Step 4 and systematically replace every shared password with a unique generated one stored in your manager. This is the most tedious part of the audit but only needs to happen once — after this, every new account gets its own unique password by default.
Phase 3: Harden the Setup (Steps 13–17)
Step 13: Save backup codes for every 2FA-protected account. When you enable 2FA, every major service generates a set of one-time emergency backup codes. Download them and store them in your password manager or a secure physical location. These are your recovery path if you lose your phone or authenticator app — without them, you may be locked out of accounts permanently.
Step 14: Audit third-party app access on your main accounts. Check what apps and services have OAuth access to your Google, Apple, Facebook, or Microsoft account (the "sign in with Google" connections). Revoke any you don't recognize, no longer use, or don't trust. On Google: myaccount.google.com → Security → Third-party apps. On Apple: appleid.apple.com → Sign-In and Security → Apps Using Apple ID.
Step 15: Fix or replace security questions. Many older accounts still use security questions as a recovery method. The answers to common security questions — mother's maiden name, childhood pet, first car — are often easily researchable through social media or public records. Replace these answers with random strings stored in your password manager. The question text is irrelevant; what matters is that the answer cannot be guessed or researched.
Step 16: Verify recovery email and phone on high-value accounts. For each high-value account, confirm the recovery email address and phone number are current and secure. An outdated recovery email pointing to an abandoned address is a serious vulnerability — anyone who gains access to that old inbox can reset your account. Update them to your current secure email.
Step 17: Set up emergency access for your password manager. Password managers including 1Password, Bitwarden, and NordPass support emergency access — a trusted person who can request access to your vault after a configurable waiting period. This ensures your digital life remains accessible to trusted people in a genuine emergency, including medical incapacitation. Configure this once and it requires no ongoing maintenance.
Phase 4: Stay Current (Steps 18–20)
Step 18: Schedule a recurring 6-month audit. Breaches happen continuously and your account inventory grows over time. Set a calendar reminder to re-run Steps 1–2 of this checklist every six months — check HaveIBeenPwned for new exposures and run your password manager's health report. Catching a breach within weeks is far better than discovering it a year later.
Step 19: Keep security apps updated. Your password manager, authenticator app, and operating system all receive security patches regularly. Enable auto-updates, or set a monthly reminder to check for updates manually. A password manager with an unpatched vulnerability is a significant liability.
Step 20: Brief your household. If you share accounts with family members, or work in an environment with shared credentials, the people you share with need baseline security awareness too. A household conversation about phishing recognition and not reusing passwords takes 15 minutes and can prevent the cascade failure that follows one compromised shared account.
Signs Your Audit Is Complete
You've finished when: every high-value account has a unique, manager-stored password; your email and financial accounts have authenticator-based 2FA; you have backup codes for every 2FA setup; your password manager itself is protected with a strong master password and 2FA; and you have a recurring reminder set to re-audit in six months. That's the security posture that makes you an unattractive target compared to the millions of people still running the same password across 80 accounts.
Recommended Tools
To work through this checklist efficiently you'll need a password manager. We recommend NordPass (zero-knowledge encryption, built-in breach scanning, free tier available) or 1Password for family or team use. Use our free password generator whenever this checklist calls for creating a new strong password — it takes one click and gives you a cryptographically random credential you could never create by hand.
Check our full security tools guide for comparisons across password managers, 2FA apps, and identity protection services. For companion reading, see our guide on setting up two-factor authentication and our email security guide.
Recommended next step
See recommended security tools
Use the generator for new credentials, then store them in a manager built for long-term password hygiene.
See recommended security tools →Keep Improving Your Account Security
- Browse the password managers hub for the complete set of related guides.
- The Dangers of Password Reuse: Why Using the Same Password Everywhere Is a Security Disaster
- How to Secure Your Facebook Account: The Complete 2026 Guide
- How to Secure Your Microsoft Account: Passwords, 2FA, and Recovery Options
- How to Create a Strong Password: The Complete Guide for 2026