PasswordCrunch.com
Password Security · 7 min read

How to Audit Your Passwords and Fix Them in Under an Hour

Most people have accumulated years of passwords — some strong, many not, and almost certainly some reused across multiple sites. An audit does not need to be exhaustive to be worthwhile. Fixing the ten most important accounts takes under an hour and significantly reduces your exposure.

Signs you need a password audit

You probably already know the answer, but here are the specific warning signs:

If any of these apply, an audit is worth doing. It does not mean everything needs to change at once — triaging the highest-risk accounts first is perfectly valid.

Step 1: Find all your accounts

Step 1 · ~10 minutes

Build your account inventory

Search your email inbox for the phrases "verify your email," "welcome to" and "account created." This surfaces almost every account you have ever registered. Also check your browser's saved passwords: in Chrome, go to chrome://password-manager/passwords; in Safari, open Settings → Passwords; in Firefox, open Privacy & Security → Saved Logins. Compile a rough list — you do not need to be exhaustive, just to identify the accounts that matter.

Step 2: Check for known breaches

Step 2 · ~5 minutes

Check Have I Been Pwned

Go to haveibeenpwned.com and enter your email address. The site maintains a database of billions of credentials from known breaches. It will tell you which services you use have been compromised and what types of data were exposed. Any service listed there should be treated as a priority — assume the credentials are known to attackers, even if you have not noticed unusual activity.

Step 3: Check the strength of what you have

Step 3 · ~10 minutes

Test existing passwords

For any password you want to evaluate without changing immediately, use a password strength checker. Paste it in and check the entropy score and rating. Any password rated "Weak" or "Fair" on an account you care about should be on your replacement list. Focus particularly on email, banking, social media and anything with your payment details saved.

Step 4: Generate replacements

Step 4 · ~20 minutes

Replace weak and reused passwords

Work through your priority list from highest to lowest risk. For each account, generate a new random password (16 characters minimum, 20+ for high-value accounts), update the account and save the new credential. If you are dealing with many accounts at once, the bulk generator can produce up to 50 unique passwords in a single click, which you can then assign to accounts one by one as you update them.

Step 5: Set up a password manager

Step 5 · ~15 minutes

Store them somewhere secure

An audit is only as good as your ability to keep the new passwords organised. A password manager (Bitwarden is free and open source, 1Password is excellent and paid) encrypts your credentials and fills them in automatically. Set one up, import or add your credentials and install the browser extension. This is what prevents the problem recurring — you will never need to memorise another password or reuse one because you cannot think of something new.

Step 6: Enable two-factor authentication

Step 6 · as time allows

Add a second layer to your most important accounts

Start with email and your password manager, then work through banking, social media and work accounts. Use an authenticator app (Google Authenticator, Authy or similar) rather than SMS where available — it is significantly more resistant to interception. This takes two to three minutes per account and provides meaningful additional protection even if a password is later compromised.

Ongoing hygiene

Once you have completed an audit and set up a password manager, maintaining good hygiene is much less effort. A few practices worth keeping:

You do not need to change passwords on a fixed schedule. NIST explicitly discourages mandatory periodic rotation unless there is evidence of compromise. The goal is unique, strong, random passwords stored securely — once you have that in place, the maintenance effort is minimal.

Start now

Check strength, then generate replacements

Paste an existing password into the strength checker to see where it stands. Then generate a strong replacement — or use the bulk generator if you have a lot to change at once.

Strength Checker Password Generator Bulk Generator

This guide is for general informational purposes. If you believe your accounts are actively compromised or you are dealing with identity theft, contact the relevant services and seek professional advice.