24 items

Personal Digital Security Audit

Most people's digital security is worse than they think — not because they're careless, but because the defaults are wrong and the risks are invisible until something goes wrong. Work through this audit to close the gaps that matter most, starting with the changes that give you the most protection for the least effort. For more background and examples, see the guidance below; for built-in tools and options, use the quick tools guide.

Author

Checklistify Editorial Team

Last Updated

Checklist Items

0 done•24 left•4 of 5 sections collapsed

Install and configure a password manager before doing anything else.

Bitwarden is free, open-source, and has been independently audited by security researchers — a strong default for most people. 1Password costs around $3 per month and offers a more polished interface with features like Travel Mode, which hides sensitive vaults when crossing international borders. Dashlane and Keeper are solid alternatives. Avoid relying on browser-saved passwords alone: they lack a separate master password, don't audit for reuse, and offer no protection if your browser account is compromised. Once installed, import your browser's saved passwords as a starting inventory — your password manager will immediately flag which ones need to be replaced.

Run your password manager's built-in security audit and review every flagged password.

Bitwarden calls this 'Vault Health Reports'; 1Password calls it 'Watchtower.' Both cross-reference your saved passwords against known breach databases and surface reused or weak credentials. Run the audit immediately after setup. Finding 30, 50, or 80 flagged passwords is not a failure — it's a prioritized to-do list that reflects years of accumulated shortcuts. The audit converts an overwhelming problem into a numbered queue you can work through systematically.

Replace all flagged passwords with long, randomly generated ones — starting with your email account.

Your email account is the master key to your entire digital life: anyone who controls your inbox can trigger password resets on virtually every other service — banking, social media, shopping, work tools. Give it a unique password of at least 20 random characters generated by your manager. Then update banking and any account that stores a payment method. Work through the rest over the following week, roughly 10–15 accounts per session, so it doesn't feel like a single overwhelming task.

Enable two-factor authentication on every account that supports it, working in order of importance.

Priority order: email first, then your password manager itself, then banking and investment accounts, then social media, then everything else. Two-factor authentication means that an attacker who obtains your password still cannot log in without also controlling your second factor — it neutralizes credential stuffing, the most common real-world attack. Most services offer this in their security or account settings, sometimes labeled 'two-step verification' or 'multi-factor authentication.' If an account offers no 2FA option whatsoever, note it and reconsider whether you trust it with sensitive data.

Use an authenticator app for 2FA rather than SMS wherever you have the option.

SMS-based two-factor authentication is vulnerable to SIM-swapping — a social engineering attack where a criminal convinces your carrier to transfer your phone number to a SIM card they control, giving them your codes. Authenticator apps (Authy, Google Authenticator, Aegis on Android) generate codes locally on your device and are not vulnerable to this. Your password manager may include a built-in TOTP generator — convenient, but it creates a single point of failure by combining passwords and authentication codes in one vault. If you make that trade-off, be conscious of it. SMS 2FA is still significantly better than nothing; use app-based whenever the option exists.

Search all your email addresses at Have I Been Pwned (haveibeenpwned.com) to check for known breach exposure.

This service, maintained by security researcher Troy Hunt, indexes publicly disclosed breach datasets from hundreds of incidents. If your email appears in a breach, the associated password — and every site where you reused it — should be treated as compromised and changed immediately. Enable breach notifications so you're alerted automatically to future exposures involving your address. Run this check for every email alias you use, including old forwarded addresses you may have largely abandoned.

Save your 2FA backup codes in a secure offline location immediately after enabling 2FA.

When you enable two-factor authentication, most services generate a set of one-time backup codes for use if you lose access to your authenticator — for instance when your phone is stolen, wiped, or replaced. Most people skip saving these codes and then get permanently locked out of their accounts when their phone changes. Print the codes and store them with important documents, or save them as an encrypted note inside your password manager. Treat them like a physical key to your house: lose them and your only recourse is a long, often humbling account recovery process with the provider's support team.

Verify your account recovery options are current on your email and financial accounts.

Check the backup phone number and recovery email address listed on your most critical accounts. These recovery paths are what an attacker targets first to lock you out permanently — and they're also what you rely on if you're locked out yourself. A recovery email pointing to an address you abandoned years ago is a broken safety net. A backup phone number that hasn't been yours in two years is an active vulnerability. Update both to current, actively monitored information and ensure the recovery email account itself has a strong unique password and its own 2FA.

Enable automatic updates for your operating system, browser, and all regularly used applications.

Security patches close known vulnerabilities. Once a patch is released publicly, the underlying flaw becomes common knowledge — automated attack tools are updated within hours to exploit anyone still running the old version. On Windows: Settings > Windows Update > Advanced Options > enable 'Receive updates for other Microsoft products.' On Mac: System Settings > General > Software Update > enable all automatic options. Also check browser extensions, Adobe products, Zoom, and any other applications separately — they don't always update through the operating system's update manager and are frequently overlooked.

Set a six-digit minimum PIN on your phone, enable biometric unlock, and configure auto-lock after 30–60 seconds.

A four-digit PIN has only 10,000 possible combinations — a determined attacker can cycle through them quickly. Six digits gives 1,000,000. Avoid unlock patterns: the gesture leaves an oil smear on the glass that reveals the path under certain lighting. Biometric unlock (Face ID or fingerprint) is the right method for daily convenience — the underlying PIN is the actual security layer and must be robust. Also configure your screen to lock automatically within 30 to 60 seconds of inactivity. An unlocked phone left unattended for two minutes in a public place grants immediate access to your email, banking apps, authenticator codes, and everything stored on the device.

#10

Set your computer to require a password immediately when the screen locks or the lid closes.

On Mac: System Settings > Lock Screen > set 'Require password' to 'immediately.' On Windows: Settings > Accounts > Sign-in Options > set 'Require sign-in' to 'When PC wakes up from sleep.' A laptop left open in a coffee shop, an office, or an airport lounge for 90 seconds should not provide open access to your files, active browser sessions, and saved credentials. This setting closes that window with a single configuration change.

#11

Confirm full-disk encryption is enabled on your computer.

On Windows: search 'BitLocker' in Settings, or for Home editions, search 'Device Encryption' and look for a status confirming encryption is on. On Mac: System Settings > Privacy & Security > FileVault — if it shows 'On,' you're protected. Disk encryption means a stolen laptop is a hardware loss only. Without it, a thief can remove the drive, connect it to another machine, and read every file on it without ever needing your login password — the operating system's login screen offers no protection against direct hardware access. This is especially important for any laptop that travels.

#12

Audit app permissions on your phone and revoke any that aren't clearly justified by the app's function.

On iPhone: Settings > Privacy & Security. On Android: Settings > Privacy > Permission Manager. Review which apps have access to your location, microphone, camera, contacts, and photos. For each permission ask not 'did I grant this at some point' but 'does this app genuinely need this access to do what I use it for?' A weather app needs location. A flashlight app does not. Location permissions deserve the most attention: look specifically for apps with 'Always On' location access when 'While Using' would be sufficient, and revoke background location from apps you open rarely or that have no obvious need for your whereabouts.

#13

Verify your personal files are backed up in at least two places — one of which is off-site or cloud-based.

Ransomware encrypts all files it can reach on connected drives and demands payment, typically $200–$2,000 for individuals. A backup that is physically disconnected at the time of infection turns a potential catastrophe into a recoverable inconvenience. One solid setup: Time Machine or Windows Backup to an external drive for local backup, plus Backblaze ($9 per month for unlimited storage) or iCloud/Google Drive for off-site redundancy. Critically, do not leave the external drive and computer connected simultaneously if you want ransomware protection — connect the drive, run the backup, then disconnect it.

#14

Log into your router's admin panel, update its firmware, and change the default admin credentials.

Router manufacturers release firmware patches for security vulnerabilities, but routers don't update themselves automatically in most cases. The admin panel is usually accessible at 192.168.1.1 or 192.168.0.1 typed into a browser — check your router's label for the exact address and the factory default credentials. Change the admin username and password from their defaults: default credentials for popular models are publicly documented and trivially searchable. While in the admin panel, confirm your Wi-Fi network uses WPA3 or WPA2 encryption (not WEP, which is cryptographically broken), and ensure the Wi-Fi password itself is both strong and unique.

#15

Open your browser's extension manager and remove any extensions you don't recognize or actively use.

Browser extensions run with elevated privileges — many can read and modify content on every page you visit, including banking and webmail. In Chrome, navigate to chrome://extensions. In Firefox, go to about:addons. For each extension, review its listed permissions: anything claiming to 'read and change all your data on all websites' needs a clear and specific justification. Extensions are also a supply-chain attack target: a legitimate extension gets acquired by a new owner, a malicious update is pushed silently, and millions of users are affected overnight. Remove anything you haven't actively used in the past month.

#16

Migrate all passwords saved in your browser into your password manager, then disable browser password saving.

Most password managers offer a one-click import from Chrome, Firefox, or Safari — verify the passwords appear in the manager before proceeding. Then disable browser saving: in Chrome, Settings > Autofill and passwords > Google Password Manager > toggle off 'Offer to save passwords'; in Firefox, Settings > Privacy & Security > uncheck 'Ask to save logins and passwords.' Browser-saved passwords lack a separate master password by default, don't audit for reuse, and are synchronized in ways that can expose them if your browser account is separately compromised. Your manager's browser extension handles autofill more securely.

#17

Enable HTTPS-only mode in your browser settings.

In Chrome: Settings > Privacy and Security > Security > toggle on 'Always use secure connections.' In Firefox: Settings > Privacy & Security > HTTPS-Only Mode > enable for all windows. In Safari, this is handled automatically for most sites. This setting makes your browser warn you — or refuse to load — any site serving content over unencrypted HTTP. HTTPS encrypts the data exchanged between your browser and the site, which matters especially on shared networks where unencrypted traffic can be read by anyone else on the same connection.

#18

Review and tighten the privacy settings on every social media account you actively use.

Default settings on major platforms are far more permissive than most users realize. Facebook and Instagram default to showing posts publicly; LinkedIn exposes your connections list to anyone; X/Twitter shows your following activity by default. Visit the Privacy or Settings section of each platform and set post visibility to Friends or Followers Only, restrict who can find you by email address or phone number, and disable profile indexing by search engines where the option exists. These settings also tend to quietly reset after major platform updates — schedule this review annually, not just once.

#19

Audit and revoke third-party apps connected to your social media and Google accounts.

These are apps you authorized by clicking 'Log in with Facebook' or 'Sign in with Google.' Find Facebook's list at Settings > Security > Apps and Websites. Find Google's at myaccount.google.com > Security > Third-party apps with account access. The list is typically far longer than expected — quiz apps, games, event platforms, and services from years ago with some level of access to your profile data. Revoke anything you don't recognize or no longer use. For apps you do still use, check what permissions they were granted and revoke any that exceed what the app actually needs.

#20

Close old accounts on services you no longer actively use.

Dormant accounts are disproportionately valuable to attackers: they typically have weak passwords, no 2FA, and are linked to an email address you check infrequently — meaning a takeover can go undetected for months while the account is used for spam, fraud, or credential testing. To find the deletion page for any service quickly, use JustDeleteMe (justdeleteme.xyz), which lists deletion instructions for over 1,000 services. If an account cannot be fully deleted, at minimum set a unique randomly generated password, remove any stored payment methods and personal information, and revoke all connected third-party apps.

#21

Search your name and primary email address online to understand what's publicly visible about you.

Use Google and Bing to search your full name, your name combined with your city, and your email address. Also run your email through a people-search aggregator such as Spokeo or WhitePages to see what a stranger could find in five minutes. Data broker sites collect and sell personal information — home address, phone number, relatives' names, income estimates — often without your knowledge. Most offer opt-out processes, but each broker must be contacted separately. Services like DeleteMe ($129 per year) automate removal across dozens of brokers. This step tells you what's already out there and helps calibrate whether deeper privacy measures are warranted.

#22

Understand the actual risks of public Wi-Fi and apply proportionate precautions.

Most modern websites use HTTPS, which encrypts the content of your data even on an untrusted network — public Wi-Fi is less dangerous than its reputation for normal browsing. What it can expose: which sites you visit via unencrypted DNS queries, which services you're connected to, and any data sent over unencrypted HTTP connections. A VPN encrypts your traffic including DNS queries, making it useful if you regularly use public networks for sensitive work. You do not need a VPN on your own secured home network. If you choose one, prefer a reputable paid service: Mullvad ($5/month) and ProtonVPN both have strong independent privacy reputations. Free VPNs typically monetize your browsing data, which defeats the purpose entirely.

#23

Apply a four-question test to any email requesting urgent action before clicking anything in it.

Question one: Did I initiate this contact, or did it arrive unsolicited? Legitimate services rarely send urgent unsolicited emails demanding immediate action. Question two: Does the sender's actual email domain — the part after the @ symbol, not the display name — match the organization it claims to represent? Attackers register domains like 'paypa1.com' or 'amazon-security-notice.net.' Question three: Is it manufacturing artificial urgency, such as 'your account will be permanently suspended in 24 hours'? Urgency is a manipulation technique designed to short-circuit careful thinking. Question four: Is it asking you to click a link to log in? Open a new browser tab and navigate directly to the service instead. If three or more answers are suspicious, delete the email without clicking anything.

#24

Who is actually coming for your accounts?

The mental image most people carry of a cyberattack — a skilled individual who has identified and targeted them specifically — describes a vanishingly small fraction of real incidents. The overwhelming majority of account compromises happen through automation: bots that test breached username-password pairs across hundreds of services simultaneously, tools that continuously scan the internet for unpatched software, and phishing campaigns blasted to millions of addresses with no specific target in mind. You are not being hunted. You are being swept. The practical implication matters: you don't need to be impenetrable. You need to be harder to compromise than the millions of people who have done nothing. A relatively modest set of precautions — the kind this audit covers — moves you out of the swept population entirely.

📖 The 47-minute account takeover

A security researcher documented a case where a single breached credential cascaded into complete loss of control across an entire digital life — in under an hour. The attacker found a password in a breach dataset from a defunct gaming forum. That same password opened a secondary email account. From the secondary email, a password reset was triggered on the victim's primary Gmail. With Gmail access came access to the password manager's recovery email. From there, every stored credential became reachable. The original forum breach had occurred three years earlier. The victim had no indication anything was wrong until their bank called about an unrecognized wire transfer. Every link in that chain — the reused credential, the unmonitored secondary account, the unreviewed recovery settings — is something this audit directly addresses.

🔒 Security vs. Privacy — the difference matters

Security means preventing unauthorized access to your accounts and devices. The threat is external actors — bots and criminals. Failures are immediate and concrete: locked accounts, stolen funds, identity fraud that can take months to unravel.

👁️ Privacy is a different problem

Privacy means controlling what data companies collect about you and how they use it. The threat is data brokers, advertisers, and permissive platform terms. Failures are diffuse and invisible — profiles built silently over years, data sold without your knowledge, micro-targeting based on accumulated behavior.

This audit addresses both, but they operate on different timescales. A security failure can drain a bank account this week. A privacy failure compounds quietly over years and is rarely reversible once the data has been collected and sold.

🚨 If something has already gone wrong

This audit is proactive — but if you're reading it because you've already noticed something suspicious, here is the triage sequence. First: change your email password immediately from a device you trust, and in your email's security settings, revoke all active sessions to log out anyone currently inside. Second: contact your bank, flag recent transactions you don't recognize, and ask for a temporary card lock. Third: check whether the recovery phone number or backup email on the compromised account has been changed — attackers modify recovery information first, to prevent you from regaining access. Fourth: run a malware scan on the affected device using Malwarebytes Free before trusting it again for sensitive tasks. Fifth: file a report with your national cybercrime reporting agency — prosecution is unlikely, but the report can support insurance claims or help dispute fraudulent charges with financial institutions.

💡 The technology replacing passwords

Passkeys are a newer authentication standard now supported by Apple, Google, Microsoft, and a growing list of websites. Instead of a password, you authenticate by approving a request with the same biometric — Face ID or fingerprint — you already use to unlock your device. Passkeys are immune to phishing by design: they are cryptographically bound to the exact domain they were registered on, so a convincing fake login page cannot capture or replay the authentication signal. They are also immune to breach exposure, because the site never stores the secret portion. If a service you use offers a 'Create a Passkey' option in its security settings, create one — it is simultaneously more secure and more convenient than any password. The directory at passkeys.directory lists services that currently support them.

🔑 When software 2FA isn't enough

For most people, an authenticator app represents an excellent security ceiling. For specific high-risk profiles — journalists protecting sources, executives targeted by corporate espionage, activists operating in adversarial environments, or anyone who has already been compromised once — a hardware security key provides a category of protection that software cannot replicate. A hardware key (YubiKey is the most widely supported brand, starting at $25–$45) is a physical USB or NFC device you tap to authenticate. Its defining advantage: it is cryptographically bound to the specific domain it was registered on. A sophisticated phishing kit can intercept a software-based 2FA code in real time and immediately replay it — hardware keys cannot be exploited this way, because the authentication signal is device-specific and non-replayable. Hardware keys are supported by Google, Microsoft, GitHub, Cloudflare, and many other services via the FIDO2/WebAuthn standard.

📅 When to re-run this audit

An annual review catches configuration drift and newly discovered attack surfaces. But certain life events warrant an immediate, unscheduled re-check regardless of timing:

→You leave a job — revoke access to any work tools linked to personal accounts, and change passwords that a colleague may have known or encountered
→A relationship ends where the other person knew your passwords or had physical access to your devices
→A service you use announces a data breach — verify whether 2FA was enabled on that account, change the password, and review recent account activity for anything unrecognized
→You get a new phone or computer — verify encryption and backup are properly configured before migrating your data to the new device
→You receive a new sign-in notification from an unrecognized location — treat it as real until you have confirmed otherwise directly within the app, not by clicking a link in the notification email

💡 Why good security habits don't stick — and how to make them

Security fatigue is well-documented in behavioral research: people adopt strong practices after a scare or a formal audit, then gradually revert as fear fades and friction accumulates. The most durable security setups are the ones that reduce daily friction rather than add to it. A password manager, done correctly, makes logging in faster than typing a memorized password. Biometric unlock on your phone is more convenient than a PIN. The setup cost is front-loaded; the ongoing cost is close to zero. If a security step feels so annoying that you keep skipping it, the implementation needs to be redesigned — not the goal abandoned. The practical target is not maximum theoretical security. It is the highest level of protection you will actually maintain six months from now.

Master This Checklist Quickly

Every important button and option for this pre-made checklist, shown in a glance-friendly format.

Start Here

1
Click any item row to mark it complete.
2
Use the note row under each item for quick notes.
3
Use the tool row for undo, redo, reset, and check all.
4
Use Save Progress when you want to continue later.

Checklist Row Tools

UndoRedoResetCheck allCollapse/Expand sectionsShow/Hide detailsInline notes

Top Action Buttons

Open all sharing and export options in one menu.

Email DraftContinue on another devicePrint or Save as PDFPlain Text (.txt)Word (.docx)Excel (.xlsx)

Add & Ask

Open one menu for apps and AI guidance.

NotionTodoist CSVChatGPTClaude

Copy and customize

Create a new editable checklist pre-filled with your chosen content.

Save Progress

Adds this checklist to My Checklists and keeps your progress in this browser.

Most Natural Usage

Track over time

Check items -> Add notes where needed -> Save Progress

Send or export

Open Share -> Choose format -> Continue

Make your own version

Copy and customize -> Open create page -> Edit freely