How to Audit Your Passwords and Fix Them in Under an Hour
Most people have accumulated years of passwords — some strong, many not, and almost certainly some reused across multiple sites. An audit does not need to be exhaustive to be worthwhile. Fixing the ten most important accounts takes under an hour and significantly reduces your exposure.
Signs you need a password audit
You probably already know the answer, but here are the specific warning signs:
- You use the same password (or a minor variation) on more than one site
- Any of your passwords are based on personal information — a name, date, place
- You have passwords shorter than 12 characters
- You have not changed a password since a breach notification from a service you use
- Your email password is the same as anything else
- You cannot tell, off the top of your head, what your current email password is (suggesting it is autofilled but never consciously reviewed)
If any of these apply, an audit is worth doing. It does not mean everything needs to change at once — triaging the highest-risk accounts first is perfectly valid.
Step 1: Find all your accounts
Build your account inventory
Search your email inbox for the phrases "verify your email," "welcome to" and "account created." This surfaces almost every account you have ever registered. Also check your browser's saved passwords: in Chrome, go to chrome://password-manager/passwords; in Safari, open Settings → Passwords; in Firefox, open Privacy & Security → Saved Logins. Compile a rough list — you do not need to be exhaustive, just to identify the accounts that matter.
Step 2: Check for known breaches
Check Have I Been Pwned
Go to haveibeenpwned.com and enter your email address. The site maintains a database of billions of credentials from known breaches. It will tell you which services you use have been compromised and what types of data were exposed. Any service listed there should be treated as a priority — assume the credentials are known to attackers, even if you have not noticed unusual activity.
Step 3: Check the strength of what you have
Test existing passwords
For any password you want to evaluate without changing immediately, use a password strength checker. Paste it in and check the entropy score and rating. Any password rated "Weak" or "Fair" on an account you care about should be on your replacement list. Focus particularly on email, banking, social media and anything with your payment details saved.
Step 4: Generate replacements
Replace weak and reused passwords
Work through your priority list from highest to lowest risk. For each account, generate a new random password (16 characters minimum, 20+ for high-value accounts), update the account and save the new credential. If you are dealing with many accounts at once, the bulk generator can produce up to 50 unique passwords in a single click, which you can then assign to accounts one by one as you update them.
Step 5: Set up a password manager
Store them somewhere secure
An audit is only as good as your ability to keep the new passwords organised. A password manager (Bitwarden is free and open source, 1Password is excellent and paid) encrypts your credentials and fills them in automatically. Set one up, import or add your credentials and install the browser extension. This is what prevents the problem recurring — you will never need to memorise another password or reuse one because you cannot think of something new.
Step 6: Enable two-factor authentication
Add a second layer to your most important accounts
Start with email and your password manager, then work through banking, social media and work accounts. Use an authenticator app (Google Authenticator, Authy or similar) rather than SMS where available — it is significantly more resistant to interception. This takes two to three minutes per account and provides meaningful additional protection even if a password is later compromised.
Ongoing hygiene
Once you have completed an audit and set up a password manager, maintaining good hygiene is much less effort. A few practices worth keeping:
- Generate a new random password for every new account you create — never reuse
- Check Have I Been Pwned periodically, or sign up for breach notifications
- When a service sends a breach notification, change that password within 24 hours
- Review your password manager's weak password and reuse reports occasionally — most managers flag these automatically
You do not need to change passwords on a fixed schedule. NIST explicitly discourages mandatory periodic rotation unless there is evidence of compromise. The goal is unique, strong, random passwords stored securely — once you have that in place, the maintenance effort is minimal.
Check strength, then generate replacements
Paste an existing password into the strength checker to see where it stands. Then generate a strong replacement — or use the bulk generator if you have a lot to change at once.
Strength Checker Password Generator Bulk GeneratorThis guide is for general informational purposes. If you believe your accounts are actively compromised or you are dealing with identity theft, contact the relevant services and seek professional advice.