Best Practices · 8 min read · May 12, 2026

Password Security Audit Checklist: 20 Steps to Harden Every Account You Own

Most people have dozens of accounts with weak, reused, or outdated passwords — and don't know it. This step-by-step audit checklist walks you through finding and fixing every weak point in your password security, from credential stuffing exposure to emergency access planning.

Why You Need a Password Audit

The average person has dozens of online accounts (common estimates put it above 80). Most of those were created years ago with whatever password habits existed at the time, which for most people means variations on one base password with predictable substitutions (p@ssw0rd, for example). That approach has been systematically broken by large-scale data breaches: billions of leaked email-and-password pairs circulate freely, and attackers replay them against every major site automatically, a technique known as credential stuffing.

A password security audit doesn't take as long as it sounds. Most of the work below is one-time setup that pays forward indefinitely. This checklist is organized by priority — start at the top and work down.

Phase 1: Understand Your Exposure (Steps 1–5)

Step 1: Check if your email has been in a breach. Go to HaveIBeenPwned.com and enter each email address you use. A hit tells you which site leaked your data and what kinds of data were exposed; it does not tell you which password was leaked, so treat every account that used that email and password combination as at risk, not only the site that was breached. Change the password on the breached site and everywhere else you used the same one.

Step 2: Check your password manager's breach report. If you use NordPass, 1Password, Bitwarden, or similar tools, open the built-in breach/health report. These tools cross-reference your stored passwords against known breach databases and flag reused, weak, or compromised ones. Such checks are normally done against the Have I Been Pwned Pwned Passwords database using its k-anonymity range API: only the first five characters of the password's SHA-1 hash are sent, and the match is made locally, so neither the password nor its full hash leaves your device. If you don't have a password manager yet, step 6 covers that.
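The lookup described above, written out so you can see exactly what leaves your machine. This is an added example, not code from the page or from any password manager; the sample range response is constructed (the suffix for "password" is its real SHA-1 suffix, the counts are made up), and the live fetcher is included but not called by default so the block runs offline.

```python
"""Check a password against Have I Been Pwned's Pwned Passwords range API
using k-anonymity: only the first 5 hex characters of the SHA-1 hash are sent.

Added example; not code from the page or from any password manager. The
sample response below is constructed; the live fetcher is real but not
used by default, so the block runs offline.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, as the range API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest_hex: str) -> Tuple[str, str]:
    """5-char prefix that goes over the wire, 35-char suffix that stays local."""
    return digest_hex[:5], digest_hex[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. Padding entries (count 0) are kept but can
    never report a breach because their count is 0."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in known breaches (0 = not found)."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real lookup. Add-Padding asks the API to pad the response so its size
    does not reveal how many suffixes the prefix has."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "password-audit-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the response to prefix 5BAA6 (SHA-1 of "password"
# begins with 5BAA6). The middle suffix is the real one; the counts are made up.
SAMPLE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F0F7F1F4A3A7A0B9C1D2E3F4A5B6C7D8E9:0
"""


def fetch_range_offline(prefix: str) -> str:
    """Offline fetcher used by the demo: answers only for the sample prefix."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3"):
        n = breach_count(pw, fetch_range_offline)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in sample data'}")
```

Swap `fetch_range_offline` for `fetch_range_live` to query the real service; the only thing the server ever sees is the five-character prefix, which is shared by hundreds of other hashes.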

Step 3: List your high-value accounts. Write down or mentally catalogue your most critical accounts: primary email, secondary email, bank accounts, brokerage, PayPal/Venmo, Apple ID or Google account, work email, and your password manager itself. These get audited first.

Step 4: Find accounts that share a password. Reused passwords are the main reason a single breach cascades into complete account takeover. If your Netflix password is the same as your bank password, and Netflix gets breached, your bank is compromised too. Your password manager's health report lists entries that share a password; if yours doesn't, export the vault, scan the export for duplicates, and delete the export file as soon as you are done, since it holds every password in plaintext.
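A duplicate scan over a vault export, as an added example (not the page's code or any password manager's). It assumes Bitwarden's CSV export layout (columns `type`, `name`, `login_password`); other managers use different column names, so adjust the arguments. The rows are constructed test data, and the report identifies passwords by a hash fingerprint so the output never contains the passwords themselves.

```python
"""Find reused and short passwords in a password-manager CSV export.

Added example; not code from the page or from any password manager. Column
names follow Bitwarden's CSV export (assumption; adjust for other tools).
The rows below are constructed test data. Delete a real export as soon as
you are done: it is your whole vault in plaintext.
"""
import csv
import hashlib
import io
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample export: two entries share a password, one is short,
# one is strong, one is a secure note with no password at all.
SAMPLE_EXPORT = """\
folder,favorite,type,name,notes,fields,reprompt,login_uri,login_username,login_password,login_totp
,,login,Netflix,,,0,https://www.netflix.com,alice@example.com,Summer2019!,
,,login,Bank,,,0,https://bank.example,alice,Summer2019!,
,,login,Old Forum,,,0,https://forum.example,alice99,hunter2,
,,login,Email,,,0,https://mail.example,alice@example.com,mK9#vT2$pL7!qR4&wZ8x,
,,note,Wifi notes,Router is in the closet,,0,,,,
"""


def load_logins(export_text: str, name_col: str = "name",
                password_col: str = "login_password",
                type_col: str = "type") -> List[Tuple[str, str]]:
    """Return (name, password) for login rows that actually carry a password."""
    logins: List[Tuple[str, str]] = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row.get(type_col, "login") != "login":
            continue  # secure notes, cards, identities
        pw = row.get(password_col) or ""
        if pw:
            logins.append((row[name_col], pw))
    return logins


def fingerprint(password: str) -> str:
    """Short SHA-256 prefix so the report never prints the password itself."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:8]


def find_reuse(logins: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map fingerprint -> account names, only for passwords used more than once."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for name, pw in logins:
        groups[fingerprint(pw)].append(name)
    return {fp: names for fp, names in groups.items() if len(names) > 1}


def find_short(logins: List[Tuple[str, str]], min_len: int = 16) -> List[str]:
    """Account names whose password is shorter than min_len characters."""
    return sorted(name for name, pw in logins if len(pw) < min_len)


def audit(export_text: str) -> Dict[str, object]:
    """Run both checks and return a report that is safe to print or keep."""
    logins = load_logins(export_text)
    return {"entries": len(logins),
            "reused": find_reuse(logins),
            "short": find_short(logins)}


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    print(f"{report['entries']} login entries")
    for fp, names in report["reused"].items():
        print(f"password {fp}... shared by: {', '.join(names)}")
    print("shorter than 16 chars:", ", ".join(report["short"]))
```

Run it against a real export with `audit(open("export.csv").read())`, then shred the file; the fingerprint report is all you need to keep while you work through Step 12.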

Step 5: Locate accounts you no longer use. Old accounts you've forgotten about still carry risk — especially if they share a password with active accounts. Search your email inbox for "welcome" or "verify your email" to surface accounts you created and forgot. Consider deleting accounts you no longer need.

Phase 2: Fix the Foundations (Steps 6–12)

Step 6: Set up a password manager if you don't have one. This is the single highest-ROI security action available. A password manager lets you use a unique, strong password for every account without memorizing any of them. NordPass has a solid free tier with zero-knowledge encryption. 1Password is excellent for families and teams. Bitwarden is free and open source.

Step 7: Generate a strong master password. Your password manager's master password protects everything else, so it needs to be genuinely strong: at least 16 characters, random, and not based on any word or phrase you've used elsewhere. A random passphrase of six or more words drawn from a large word list is an equally strong alternative that is far easier to memorize. Use our free password generator to create one, write it down and store it somewhere physically secure (like a locked drawer), and memorize it over the next few days.

Step 8: Change your high-value account passwords first. Start with the list from Step 3. Use your password manager to generate a new unique password for each one (16+ characters, random). Don't try to make them memorable — that's what the password manager is for.
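The generation described in Steps 7 and 8, with the entropy arithmetic made explicit so "16+ random characters" can be compared against a word-based passphrase. This is an added example, not the page's generator or any password manager's code; the short word list is a constructed stand-in, and the 7,776-entry size refers to the EFF long word list (an assumption about which published list you would use).

```python
"""Generate master-password candidates with the OS CSPRNG and report their
entropy, so the "16+ random characters" guidance can be checked, not guessed.

Added example; not the page's generator or any password manager's code.
SAMPLE_WORDS is a constructed stand-in; for real passphrases use a published
list such as the EFF long list (7,776 words; assumption about which list).
"""
import math
import secrets
import string
from typing import Sequence

CHARSET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
EFF_LONG_LIST_SIZE = 7776  # 6**5 entries, one per roll of five dice


def random_password(length: int = 20, charset: str = CHARSET) -> str:
    """Uniformly random characters via `secrets` (never the `random` module)."""
    if length < 16:
        raise ValueError("use at least 16 characters for a master password")
    return "".join(secrets.choice(charset) for _ in range(length))


def random_passphrase(words: Sequence[str], count: int = 6, sep: str = "-") -> str:
    """Diceware-style passphrase: every word chosen uniformly from the list."""
    if count < 1:
        raise ValueError("count must be positive")
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent uniform picks from `choices` options."""
    return picks * math.log2(choices)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest passphrase length from a list of list_size words that reaches
    target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


SAMPLE_WORDS = ["copper", "lantern", "orbit", "velvet",
                "glacier", "mosaic", "tundra", "quartz"]  # constructed

if __name__ == "__main__":
    pw = random_password(20)
    print(pw, f"({entropy_bits(len(CHARSET), len(pw)):.1f} bits)")
    target = entropy_bits(len(CHARSET), 16)
    print(f"16 random chars = {target:.1f} bits; a passphrase needs "
          f"{words_needed(EFF_LONG_LIST_SIZE, target)} EFF words to match")
    print(random_passphrase(SAMPLE_WORDS, 6), "(demo list only; 8 words is far too small)")
```

The point of `words_needed` is that the memorable option is not a weaker one: nine words from a 7,776-word list carry slightly more entropy than 16 random printable characters, as long as every word is picked by the CSPRNG and not by you.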

Step 9: Enable 2FA on your primary email. Your email account controls recovery for everything else. A strong password isn't enough; add a second factor. Use an authenticator app (not SMS, which is vulnerable to SIM swapping) for any account with financial value. Microsoft Authenticator and Google Authenticator are both solid choices. Where a service offers hardware security keys or passkeys, prefer them: unlike app codes, they cannot be phished by a look-alike login page.

Step 10: Enable 2FA on your password manager. Every major password manager supports 2FA. Enable it now. Be clear about what it protects, though: the second factor gates sign-in to the manager's cloud service and enrollment of new devices, not the encrypted vault itself. An attacker who obtains both a copy of your vault data and your master password can decrypt it without the second factor, which is why Step 7 matters as much as this one.

Step 11: Enable 2FA on financial accounts. Bank, brokerage, PayPal — enable authenticator-based 2FA on all of them. Some banks still only offer SMS 2FA; it's better than nothing, but push for app-based when available.

Step 12: Change all reused passwords. Return to the reuse list from Step 4 and systematically replace every shared password with a unique generated one. This is tedious but only needs to happen once.

Phase 3: Harden the Setup (Steps 13–17)

Step 13: Save backup codes for every 2FA account. Every major service gives you one-time backup codes when you enable 2FA. Download them and store them in your password manager, with one exception: the backup codes for the password manager itself must not live inside the vault they unlock. Print those and keep them with the written master password from Step 7. This is your lifeline if you lose your phone.

Step 14: Audit social media account settings. Check what apps and services have access to each social account via OAuth (the "sign in with Google/Facebook" connections). Revoke anything you don't recognize or no longer use. On Google: myaccount.google.com → Security → Third-party apps.

Step 15: Check your security questions. Many older accounts still use security questions as a recovery method. The answers are often easily guessable or researchable. If you can't disable them, replace the answers with random strings and store them in your password manager.

Step 16: Review your recovery email and phone. For each high-value account, verify that the recovery email and phone number are current and secure. An attacker who controls your recovery email controls your account.

Step 17: Set up an emergency access contact. Some password managers support emergency access. Bitwarden's Emergency Access, for example, lets a trusted person request access to your vault and receive it after a waiting period you set, during which you can reject the request. 1Password instead gives you a printable Emergency Kit (sign-in address, email, and Secret Key) to keep with a trusted person or in a safe. Either way, this ensures your digital accounts are accessible in a true emergency.

Phase 4: Stay Current (Steps 18–20)

Step 18: Set a calendar reminder to re-run this audit every 6 months. Breaches happen continuously. Running HaveIBeenPwned and your password manager's health report twice a year catches exposure before it becomes a problem.

Step 19: Keep your password manager and authenticator app updated. Security apps receive patches for vulnerabilities. Enable auto-updates, or manually check for updates monthly.

Step 20: Brief anyone who shares accounts with you. If you share streaming accounts, family logins, or work credentials with others, they need to understand basic phishing awareness and not reuse passwords. A household security conversation takes 15 minutes and can prevent real damage.

Recommended Tools

To work through this checklist efficiently, you'll need a password manager. We recommend NordPass (zero-knowledge encryption, free tier available) or 1Password for family or team use. Use our free password generator whenever you need to create a new strong password during the audit.

See our full security tools guide for more recommendations.

Tags: password audit, account security, checklist, security hygiene, password manager
