Skip to main content

    Most people have over 100 online accounts, and many use weak or reused passwords. A security audit helps you identify vulnerabilities and fix them before hackers do. This guide walks you through a complete account security review—the same process security professionals use to protect their own digital lives.

    Why Audit Your Accounts?

    Data breaches happen constantly. In 2024 alone, billions of credentials were exposed in various breaches affecting companies of all sizes. If you've reused passwords or used weak ones, your accounts may already be compromised without your knowledge.

    The average data breach takes 277 days to identify and contain, according to IBM's Cost of a Data Breach Report. That's nearly a year during which attackers have access to stolen credentials. By the time you hear about a breach, criminals have had months to exploit it.

    A security audit helps you:

    • Find and fix weak or reused passwords before they're exploited
    • Identify accounts without two-factor authentication
    • Remove unnecessary accounts that increase your attack surface
    • Update recovery information to prevent lockouts
    • Review third-party app permissions that may have excessive access
    • Discover accounts you'd forgotten about (which are often the most vulnerable)

    Think of it like a health checkup for your digital life. You may not have symptoms, but early detection prevents serious problems.

    Step 1: List All Your Accounts

    Start by creating a comprehensive list of your online accounts. This is often eye-opening—most people significantly underestimate how many accounts they have. Check these sources:

    • Password manager: If you use one, export your saved entries
    • Browser saved passwords: Check Chrome, Firefox, Safari password settings
    • Email inbox: Search for "welcome," "registration," "confirm your account"
    • App stores: Review installed apps that require accounts
    • Subscription services: Check your credit card statements for recurring charges

    Categorize accounts by importance:

    • Critical: Email, banking, government services, password manager, primary social media
    • Important: Shopping sites with saved payment methods, streaming services, work accounts
    • Low priority: Forums, one-time registrations, newsletters, old accounts

    This categorization helps you prioritize—start with critical accounts and work your way down. Don't try to fix everything at once; focus on the highest-risk accounts first.

    Step 2: Check for Compromised Credentials

    Use services like Have I Been Pwned (haveibeenpwned.com) to check if your email addresses appear in known data breaches. This free service aggregates breach data and tells you exactly which breaches exposed your information.

    Many password managers also include breach monitoring. 1Password, Bitwarden Premium, and Dashlane all check your saved passwords against known breach databases and alert you to compromised credentials.

    If any credentials are compromised:

    • Change that password immediately, even if you haven't noticed suspicious activity
    • If you've reused that password elsewhere (be honest), change it on all those sites too
    • Enable 2FA on the compromised account if you haven't already
    • Review the account's activity log for any unauthorized access

    Use our Password Strength Checker to evaluate your existing passwords without sending them anywhere—everything runs locally in your browser.

    Step 3: Strengthen Weak Passwords

    Replace any passwords that are:

    • Shorter than 12 characters: Modern cracking can break 8-character passwords in hours
    • Used on multiple accounts: Password reuse is the #1 way breaches cascade
    • Based on personal information: Birthdays, names, addresses, pet names are easily guessed
    • Common dictionary words: Even with substitutions like "p@ssw0rd"
    • Found in breach databases: These are the first passwords attackers try
    • Following predictable patterns: Capital letter at start, numbers at end, single symbol

    Generate strong replacements with our Password Generator. For memorable passwords you'll need to type regularly, try our Passphrase Generator.

    Save every new password in your password manager immediately after changing it. Don't rely on memory, browser storage, or—please—sticky notes.

    Step 4: Enable Two-Factor Authentication

    Two-factor authentication (2FA) adds a crucial second layer of security. Even if someone steals your password, they can't access your account without the second factor. According to Microsoft, enabling 2FA blocks 99.9% of automated attacks.

    Priority order for enabling 2FA:

    1. Email accounts — these are used to reset other passwords; compromise here cascades everywhere
    2. Password manager — protects all your other passwords
    3. Financial accounts — banking, investment, payment apps, cryptocurrency
    4. Primary social media — often used for "Login with Facebook/Google"
    5. Cloud storage — may contain sensitive documents and backups
    6. Work accounts — protect professional data and reputation
    7. Shopping sites with saved payment methods — prevent fraudulent purchases

    Prefer authenticator apps or hardware keys over SMS when possible. SMS 2FA is still better than nothing, but it's vulnerable to SIM-swapping attacks. Read our Complete Guide to Two-Factor Authentication for detailed setup instructions and method comparisons.

    Critical: When you enable 2FA, save your backup codes immediately. Store them in your password manager or a secure physical location. Without backup codes, losing your phone means losing access to your accounts.

    Step 5: Review Recovery Options

    Outdated recovery email addresses or phone numbers can lock you out of your own accounts—or give attackers a way in. An old phone number you no longer control could be reassigned to someone who can then reset your passwords.

    For each important account, verify:

    • Recovery email addresses: Current and secured with strong passwords + 2FA
    • Phone numbers: Updated if you've changed carriers or numbers
    • Backup codes: Stored securely and accessible if needed
    • Trusted devices: Remove old devices you no longer own
    • Security questions: Answers aren't publicly discoverable (mother's maiden name is often on ancestry sites)
    • Trusted contacts: For services like Facebook that allow recovery through friends

    Step 6: Audit Connected Apps

    Over time, you've probably authorized many third-party apps to access your accounts through OAuth ("Sign in with Google/Facebook"). Some of these apps may no longer exist, may have been sold to new owners, or may have had security breaches themselves.

    Review and revoke access for:

    • Apps you no longer use or recognize
    • Apps with more permissions than they need (why does a game need to read your contacts?)
    • Apps that haven't been updated in years
    • Apps from companies you no longer trust

    Check these locations:

    • Google: myaccount.google.com → Security → Third-party apps with account access
    • Facebook: Settings → Apps and Websites
    • Apple: appleid.apple.com → Sign-In & Security → Apps Using Apple ID
    • Microsoft: account.microsoft.com → Privacy → Apps and services
    • Twitter/X: Settings → Security → Apps and sessions

    Step 7: Delete Unused Accounts

    Every account is a potential entry point for attackers. Dormant accounts are especially dangerous—you won't notice if they're compromised, and they often have weak, outdated passwords.

    For accounts you no longer need:

    • Delete entirely: Use services like JustDelete.me to find account deletion pages
    • Remove personal data: If you can't delete, replace real information with fake data
    • Disconnect from other accounts: Remove OAuth connections before deleting
    • Request data export first: Many services offer data download before deletion

    Some services make deletion deliberately difficult. Be persistent. Under GDPR and CCPA, you have legal rights to have your data deleted from most services.

    Creating an Audit Schedule

    Security isn't a one-time task. Set calendar reminders for ongoing maintenance:

    • Monthly: Check for breach notifications, review security alerts
    • Quarterly: Review connected apps and permissions, check password manager health reports
    • Annually: Full account audit following this guide
    • Immediately: After any breach notification, suspicious activity, or news of a major breach

    Tools to Help

    A password manager simplifies ongoing security dramatically. Most include:

    • Automatic strong password generation
    • Breach monitoring for saved credentials
    • Password health reports identifying weak or reused passwords
    • Secure sharing for family or team accounts
    • Secure notes for sensitive information

    Read our Password Manager Guide to choose the right one for your needs.

    type html> SecureTools — Privacy-First Security Utilities