Why Audit Your Passwords
The average person has 100+ online accounts. Over the years, you've likely accumulated weak passwords, reused the same password across multiple sites, and been caught in data breaches without knowing it.
A password audit identifies your weakest credentials so you can fix them before attackers exploit them.
Step 1: Use Your Password Manager's Health Tool
Every major password manager has a built-in audit feature:
- Bitwarden: Reports > Vault Health Reports (exposed passwords, reused, weak)
- 1Password: Watchtower (compromised, weak, reused, 2FA eligible)
- Dashlane: Password Health (score out of 100, categorized issues)
- Proton Pass: Pass Monitor (dark web alerts, weak password detection)
Run this report now. It takes 30 seconds and shows you exactly where your risks are.
Step 2: Check Have I Been Pwned
Visit haveibeenpwned.com and enter each of your email addresses. This free service checks your email against every known data breach. You'll likely find breaches you didn't know about.
For each breach found:
- Change the password on that service immediately
- If you reused that password elsewhere, change it on those sites too
- Enable 2FA on the breached account
Step 3: Fix the Worst Offenders First
Prioritize in this order:
- Breached passwords — These are in the hands of attackers. Change immediately
- Reused passwords — One breach exposes all accounts sharing that password
- Weak passwords — Short, simple, or dictionary-word passwords
- Accounts without 2FA — Even strong passwords can be phished
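The Step 3 ordering applied to an exported vault, as an added example that is not from the original guide or any password manager's own tooling. The CSV columns, the sample rows and the 12-character threshold are assumptions, and `breached_sites` stands for the services Have I Been Pwned reported in Step 2. It also applies the Step 2 rule that a breached password counts as compromised on every site that shares it.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; the column names are an assumption, not any
# password manager's real export format.
SAMPLE_CSV = """name,username,password,totp
shop.example,me@example.com,Summer2019!,
forum.example,me@example.com,Summer2019!,
bank.example,me@example.com,kV9#tq2LmZ8$wR4pXc7!,otpauth://totp/bank
mail.example,me@example.com,hunter2,otpauth://totp/mail
news.example,me@example.com,Yb3&nQ7vHs1@dK5zLp9^,
"""

MIN_LENGTH = 12  # assumed threshold for "short"; tune to your own policy


def is_weak(password):
    """Short, or all one kind of character (letters only or digits only)."""
    return len(password) < MIN_LENGTH or password.isalpha() or password.isdigit()


def prioritize(csv_text, breached_sites):
    """Return (priority, name, reason) tuples sorted worst-first."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    by_password = defaultdict(list)
    for row in rows:
        by_password[row["password"]].append(row["name"])
    # A password is exposed if any account using it was in a breach, so
    # every account sharing it inherits the top priority.
    exposed = {r["password"] for r in rows if r["name"] in breached_sites}
    findings = []
    for row in rows:
        pw = row["password"]
        if pw in exposed:
            findings.append((1, row["name"], "breached password"))
        elif len(by_password[pw]) > 1:
            findings.append((2, row["name"], "reused"))
        elif is_weak(pw):
            findings.append((3, row["name"], "weak"))
        elif not row["totp"]:
            findings.append((4, row["name"], "no 2FA"))
    return sorted(findings)


if __name__ == "__main__":
    for priority, name, reason in prioritize(SAMPLE_CSV, {"shop.example"}):
        print(priority, name, reason)
```

An export like this holds every password in plain text, so run the check locally and delete the file as soon as you are done.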
Step 4: Generate New Passwords
For each password you replace:
- Use your password manager's generator
- Set length to 20+ characters
- Include uppercase, lowercase, numbers, and symbols
- Let the password manager auto-save the new credential
- Never try to memorize generated passwords — that's the manager's job
Step 5: Enable 2FA on Everything
While you're auditing, enable 2FA on every account that supports it. Your password manager may show which accounts offer 2FA but don't have it enabled.
Step 6: Delete Unused Accounts
Old, forgotten accounts are liabilities. If you haven't used a service in over a year:
- Log in one last time
- Delete or deactivate the account
- Remove it from your password manager
Services like justdelete.me provide direct links to account deletion pages for hundreds of services.
Make It a Habit
Set a quarterly calendar reminder to:
- Run your password manager's health report
- Check haveibeenpwned.com for new breaches
- Replace any flagged passwords
- Review and remove unused accounts
How We Verified
Audit workflows tested with current versions of Bitwarden, 1Password, and Dashlane. Have I Been Pwned verified as accurate against known breach databases. Recommendations based on NIST SP 800-63B. April 2026.
Sources & Citations
1. Have I Been Pwned — haveibeenpwned.com
2. NIST SP 800-63B: Digital Identity Guidelines