The Personal Digital Security Audit: A Step-by-Step Checkup You Can Do in One Afternoon

Most people know they should be doing more about their digital security. What they lack is a concrete, structured way to assess where they actually stand — not in theory, but in the specific accounts, devices, and habits that make up their actual digital life. The result is a vague awareness of risk without a clear starting point for addressing it.

This guide changes that. It is a personal digital security audit: a structured review of the areas that matter most, with specific things to check and specific actions to take. It does not require technical expertise. It does not require buying anything. It requires a couple of hours, a device, and the willingness to go through each section systematically.

The FBI’s Internet Crime Complaint Center recorded a record $16.6 billion in reported cybercrime losses in 2024. The overwhelming majority of successful attacks against individuals exploit predictable, preventable weaknesses: reused or weak passwords, missing two-factor authentication, stale third-party access, and account activity that nobody ever reviews. An afternoon spent on this audit addresses the most common of them.

Do this once a year at minimum. Many security professionals recommend doing a lighter version quarterly.

Section 1: Password Health — 30 Minutes

This is typically where the most significant vulnerabilities are found and where the most immediate improvements can be made.

Check for reused passwords. Open your password manager if you use one — most modern managers have a built-in password health or security dashboard that identifies reused passwords across accounts. If you use a browser’s built-in password storage, Chrome and Safari both have password checkup features that flag reused credentials. In Chrome, go to passwords.google.com → Checkup. In Safari on iPhone, go to Settings → Passwords (the separate Passwords app on iOS 18 and later) and look for Security Recommendations.

Identify your most critical accounts and verify their passwords. Rank them by how much else they unlock. Your primary email address comes first, because password resets for nearly everything else land in it. Your password manager, if you use one, comes next for the same reason. Then come your banking and financial services, any account that stores your payment information, and your primary social media accounts. Each of these should have a password that is unique, at least 16 characters long, and not used anywhere else; a manager-generated random password or a multi-word passphrase both qualify.

Check HaveIBeenPwned. Go to haveibeenpwned.com and enter every email address you use regularly. The results list which breaches included that address and which kinds of data were exposed. For any breach that exposed passwords or password hashes, change the password on that account immediately, and anywhere else you used the same password. A breach that exposed only your email address still tells you which services to expect targeted phishing from.

Action items from this section: Change any reused passwords on critical accounts. Change any passwords that appeared in breach results. Set up a password manager if you do not have one — Bitwarden is free and a reliable starting point.
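For readers who would rather check an export than click through a dashboard, the following script performs the checks in this section against a password-manager CSV export. It is an added example written for this guide, not code from the original article or from any password manager. It assumes the export has the columns name, url, username and password (most managers can export a CSV, though header names vary); the credentials, the CRITICAL_DOMAINS set and the sample Pwned Passwords reply are all constructed. It also shows the k-anonymity scheme that Have I Been Pwned’s Pwned Passwords API uses for passwords (as opposed to the email lookup described above): only the first five characters of the SHA-1 hash leave your machine, and the matching is done locally against the list the server returns. Nothing in the block makes a network call.

```python
"""Offline password-health audit over a password-manager CSV export.

Added example for this guide, not code from the original article.
Assumed export columns: name,url,username,password. All credentials,
CRITICAL_DOMAINS and SAMPLE_RANGE_RESPONSES are constructed. No network
calls are made; the Pwned Passwords step computes what would be sent and
parses a constructed copy of the API's reply.
"""
import csv
import hashlib
import io
from collections import defaultdict

MIN_LENGTH = 16

# Constructed sample export. None of these are real credentials.
SAMPLE_EXPORT = """name,url,username,password
Gmail,https://mail.google.com,alice@example.com,password
Bank,https://www.examplebank.com/login,alice,password
Forum,https://forum.example.org,alice99,correct horse battery staple
Shop,https://shop.example.net,alice@example.com,Tr0ub4dor&3
"""

# Constructed: the domains this person treats as critical (Section 1).
CRITICAL_DOMAINS = {"mail.google.com", "www.examplebank.com"}


def load_entries(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def domain_of(url):
    return url.split("//", 1)[-1].split("/", 1)[0].lower()


def find_reused(entries):
    """Map each password that appears on more than one site to those sites."""
    sites = defaultdict(list)
    for e in entries:
        sites[e["password"]].append(e["name"])
    return {pw: names for pw, names in sites.items() if len(names) > 1}


def find_short(entries, min_length=MIN_LENGTH):
    return [e["name"] for e in entries if len(e["password"]) < min_length]


def critical_problems(entries):
    """Critical accounts whose password is reused or shorter than MIN_LENGTH."""
    reused = find_reused(entries)
    return sorted(
        e["name"] for e in entries
        if domain_of(e["url"]) in CRITICAL_DOMAINS
        and (e["password"] in reused or len(e["password"]) < MIN_LENGTH)
    )


def hibp_range_query(password):
    """Split SHA-1(password) into the 5-hex-char prefix that the Pwned
    Passwords range API receives and the 35-char suffix that stays local.
    The server never sees the password or its full hash (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password, fetch_range):
    """fetch_range(prefix) returns the body of
    GET https://api.pwnedpasswords.com/range/<prefix>, one SUFFIX:COUNT per
    line. Returns how many times the password appeared in known breaches."""
    prefix, suffix = hibp_range_query(password)
    for line in (fetch_range(prefix) or "").splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


# Constructed stand-in for the API reply for prefix 5BAA6. The second suffix
# is the real one for SHA-1("password"); the counts and the other lines are
# made up for the example.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9659365\n"
             "2F5D1B6A0C9E3D8F7A4B6C2E1D0F9A8B7C6:3\n",
}


def audit(csv_text=SAMPLE_EXPORT, fetch_range=SAMPLE_RANGE_RESPONSES.get):
    entries = load_entries(csv_text)
    return {
        "reused": find_reused(entries),
        "short": find_short(entries),
        "critical": critical_problems(entries),
        "pwned": {e["name"]: pwned_count(e["password"], fetch_range)
                  for e in entries},
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

To run it against a live export, pass the file contents as csv_text and replace the fetch_range argument with a function that performs the HTTPS GET to api.pwnedpasswords.com for the given prefix. Delete the exported CSV as soon as you are done with it; an unencrypted export is exactly the file a thief would want.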

Section 2: Two-Factor Authentication — 20 Minutes

Two-factor authentication is one of the highest-impact security improvements available to ordinary users, and it is consistently underused. A 2019 Google study found that even SMS codes blocked about 96% of bulk phishing attacks, and on-device prompts blocked 99%; Microsoft has reported that multi-factor authentication stops more than 99.9% of automated account-compromise attempts. Yet surveys consistently show that a majority of people have not enabled it on their most important accounts.

Check your email account. Go to the security settings of your primary email provider. If 2FA is not enabled, enable it now, using an authenticator app rather than SMS if the option is available: SMS codes can be intercepted through SIM-swap fraud, while a code generated on your phone, a hardware security key, or a passkey cannot. Gmail: myaccount.google.com → Security → 2-Step Verification. Outlook: account.microsoft.com → Security → Advanced security options.

Check your financial accounts. Log into your bank’s online portal and look for security settings. Most major banks now support authenticator apps in addition to SMS codes. Enable 2FA on any financial account that supports it. If a bank offers only SMS codes, enable them anyway; SMS is weaker than an app, but far stronger than a password alone.

Check your social media accounts. Facebook: Settings → Security and Login → Two-Factor Authentication. Instagram: Settings → Accounts Center → Password and Security → Two-Factor Authentication. If you use other platforms, check their security settings individually. Menu names move between app versions; if a path given here does not match what you see, search the settings for “two-factor”.

Save backup codes. During any 2FA setup, you will be offered backup codes — typically 8 to 10 single-use codes that allow you to access the account if you lose your phone. Print these and store them somewhere physically secure. Do not store them in a digital note on the same device you use to log in. Treat them like a spare house key: anyone holding a code can bypass your second factor.

Action items from this section: Enable 2FA on email, banking, and social media accounts. Store backup codes securely. Upgrade from SMS to authenticator app where possible.

Section 3: Third-Party App Access — 15 Minutes

Over time, you have probably authorized dozens of applications to access your most important accounts — quizzes, productivity tools, apps that use “Sign in with Google,” games, and services you no longer remember. Each represents a persistent access point that continues to exist even after you stop using the app.

Audit your Google account. Go to myaccount.google.com → Security → Your connections to third-party apps and services. Review every listed app. For each one, ask: do I still use this actively? Does it genuinely need the access it has? Revoke anything you do not recognize or no longer use.

Audit your Microsoft/Outlook account. Go to account.microsoft.com → Privacy → Apps and services. Apply the same review.

Audit your social media accounts. On Facebook: Settings → Security and Login → Apps and Websites. On Twitter/X: Settings → Security and account access → Connected apps. Revoke anything you do not actively use.

Pay particular attention to apps with broad permissions. An app with “Read, compose, send, and delete all your email” has effectively the same access to your inbox that you do. Only applications you actively use and explicitly trust should hold permissions at that level. Note that revoking access invalidates the token the app holds from now on; it does not delete anything the app has already copied.

Action items from this section: Revoke access for all unrecognized or unused third-party apps across email and social media accounts.

Section 4: Device Security — 20 Minutes

Your devices are the physical endpoints of your digital life, and their security affects everything that runs through them.

Check that automatic updates are enabled on all devices. On Windows: Settings → Windows Update → Advanced options. On macOS: System Settings → General → Software Update → enable automatic updates. On iPhone: Settings → General → Software Update → Automatic Updates → enable both toggles. On Android: Settings → System → System Update (the exact path varies by manufacturer). Also enable automatic app updates in the App Store and Google Play on mobile devices.

Verify that your devices have active screen locks. Every device you own should require a PIN, password, or biometric to unlock after a short period of inactivity. Set the auto-lock timeout to 60 seconds or less on phones. On computers, enable a screensaver with password requirement.

Check that full-disk encryption is enabled. On modern iPhones, encryption is always on and is tied to your passcode. Android devices that shipped with Android 10 or later are encrypted by default; on older devices, check Settings → Security → Encryption & credentials. On Mac, check System Settings → Privacy & Security → FileVault. On Windows, check Settings → Privacy & Security → Device encryption; if that option is absent, your hardware does not support automatic device encryption, and BitLocker (available on Windows Pro and above) is the alternative. Encryption ensures that if a device is stolen, its contents remain unreadable without the password. When you turn on FileVault or BitLocker you are given a recovery key; store it with your 2FA backup codes, because losing it along with your password means losing the data.

Review app permissions on your phone. On iPhone: Settings → Privacy & Security. On Android: Settings → Privacy → Permission Manager. For location permissions specifically, change any non-navigation app from “Always” to “While Using” or “Never.”

Action items from this section: Enable automatic updates on all devices. Enable encryption if not already active. Review and tighten app permissions, particularly location access.

Section 5: Account Activity Review — 15 Minutes

Many account compromises go undetected because people never check their account activity logs. This section takes 15 minutes and can catch active intrusions that have been silent for weeks.

Check recent sign-in activity on your email. In Gmail: scroll to the bottom of the inbox and click “Details” next to “Last account activity.” In Outlook: go to account.microsoft.com → Security → Sign-in activity. Look for logins from countries you have not visited, from devices and browsers you do not recognize, or from two distant locations within a few hours of each other. While you are in the security settings, confirm that the recovery email address and phone number on the account are still yours; attackers who gain access often change these first.

Check for forwarding rules you did not create. Attackers commonly create inbox rules to forward copies of your emails to an external address, and filters that archive or delete messages so you never see password-reset or new-login notices. In Gmail: Settings → See all settings → Filters and Blocked Addresses, and → Forwarding and POP/IMAP. In Outlook: Settings → Mail → Rules, and Settings → Mail → Forwarding. Be suspicious of rules with blank or one-character names. Delete anything you do not recognize.

Check for connected sessions on social media. Facebook shows all active sessions under Settings → Security and Login → Where You’re Logged In. Remove any sessions from devices or locations you do not recognize. Most major platforms have a similar feature.

Review your credit report. Go to AnnualCreditReport.com, the site authorized under federal law, where all three bureaus (Equifax, Experian, and TransUnion) now provide free reports weekly. Pull all three, since not every lender reports to every bureau. Look for accounts, inquiries, or addresses you do not recognize. If you find anything unfamiliar, it may indicate identity theft — report it to the bureau and consider placing a credit freeze.

Action items from this section: Log out any unrecognized sessions. Delete any forwarding rules you did not create. Flag and investigate any unfamiliar items in your credit report.
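The first two checks in this section are pattern matching, and the patterns are easy to state precisely. The script below applies them to a constructed sample of sign-in events and inbox rules. It is an added example for this guide, not code from the original article or from any email provider; providers show this data in their settings pages rather than as a file, so you would transcribe the rows first. The KNOWN_COUNTRIES, KNOWN_DEVICES and OWN_DOMAINS sets are assumptions about the account owner, and the two-hour travel window is an arbitrary threshold. It goes one step beyond the text by flagging “impossible travel”: two sign-ins from different countries closer together than a person could plausibly move between them.

```python
"""Review transcribed sign-in events and inbox rules for signs of
compromise. Added example for this guide, not code from the original
article. All events, rules and KNOWN_*/OWN_DOMAINS values are constructed.
"""
from datetime import datetime, timedelta

# Constructed: what the account owner knows to be legitimate.
KNOWN_COUNTRIES = {"US"}
KNOWN_DEVICES = {"Chrome on Windows", "iPhone Mail"}
OWN_DOMAINS = {"example.com", "example-work.com"}
TRAVEL_WINDOW = timedelta(hours=2)  # assumed threshold for impossible travel

# Constructed sample of sign-in events: (UTC time, country, device).
SAMPLE_EVENTS = [
    ("2025-03-01T08:02:00", "US", "Chrome on Windows"),
    ("2025-03-01T08:40:00", "US", "iPhone Mail"),
    ("2025-03-01T09:15:00", "NG", "Firefox on Linux"),   # not the owner
    ("2025-03-02T19:30:00", "US", "Chrome on Windows"),
]

# Constructed sample of inbox rules: (name, action, target address or None).
SAMPLE_RULES = [
    ("Receipts", "label", None),
    (".", "forward", "archive.sync@mailhost-example.net"),  # planted rule
    ("Work copy", "forward", "alice@example-work.com"),
]


def parse_events(rows):
    return [(datetime.fromisoformat(t), c, d) for t, c, d in rows]


def review_sign_ins(rows):
    """Return (kind, time, detail) findings: unknown country, unknown
    device, and impossible travel between consecutive sign-ins."""
    findings = []
    prev = None
    for when, country, device in sorted(parse_events(rows)):
        if country not in KNOWN_COUNTRIES:
            findings.append(("unknown_country", when.isoformat(), country))
        if device not in KNOWN_DEVICES:
            findings.append(("unknown_device", when.isoformat(), device))
        if prev and prev[1] != country and when - prev[0] <= TRAVEL_WINDOW:
            findings.append(("impossible_travel", when.isoformat(),
                             f"{prev[1]}->{country}"))
        prev = (when, country)
    return findings


def review_rules(rules):
    """Flag forwarding to addresses outside OWN_DOMAINS and rules whose
    name is blank or just punctuation, a common way to hide a planted rule."""
    findings = []
    for name, action, target in rules:
        if action == "forward" and target:
            domain = target.rsplit("@", 1)[-1].lower()
            if domain not in OWN_DOMAINS:
                findings.append(("external_forward", name, target))
        if not name.strip(". -_"):
            findings.append(("hidden_rule_name", name, action))
    return findings


if __name__ == "__main__":
    for f in review_sign_ins(SAMPLE_EVENTS) + review_rules(SAMPLE_RULES):
        print(*f)
```

On the constructed data, the 09:15 sign-in is flagged three times (unknown country, unknown device, and travel from the US to Nigeria 35 minutes after the previous login), while the next day’s US login is not, because 34 hours is ample time to travel. The one-character rule name and the forward to an outside domain are each flagged; the forward to the owner’s own work domain is not.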

Section 6: Backup Verification — 10 Minutes

A backup that has never been tested is not a backup — it is a hope. This section verifies that your data protection actually works.

Verify that your phone is backing up. On iPhone: Settings → [your name] → iCloud → iCloud Backup → verify that “Back Up This iPhone” is enabled and check the date of the last backup. If the last backup is more than a week old, initiate one manually. On Android: Settings → System → Backup → Google One backup → verify it is enabled and recent.

Check that important files on your computer are backed up. If you use a cloud service (Google Drive, iCloud, Dropbox, OneDrive), verify that the folder containing your most important documents is syncing actively. If you use an external drive, verify the last backup date and run a test restore of one file to confirm the backup is functional.

Consider the 3-2-1 backup principle: three copies of important data, on two different media types, with one copy stored offsite. For most personal users, this means: the original file on your computer, a cloud backup, and an external drive kept somewhere other than on your desk next to your computer.

Action items from this section: Enable automatic phone backups if not active. Verify the last backup date on all devices. Run a test restore of one important file.
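“Verify the last backup date” and “run a test restore of one file” can both be done by hand, but a backup tool’s own “last run” timestamp is exactly the thing you should not take on trust. The script below, an added example for this guide and not code from the original article or from any backup product, compares a source folder with its backup copy by SHA-256 manifest, reports files that are missing, changed or extra, checks that the newest file in the backup is within the guide’s one-week threshold, and restores one file and confirms its hash. The demo() function builds a constructed source and backup in a temporary directory; point compare() and backup_is_fresh() at your real folders to use it.

```python
"""Verify a backup against its source by content, not by timestamp alone.
Added example for this guide, not code from the original article. The
directories used by demo() are constructed in a temporary folder.
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path

MAX_BACKUP_AGE_DAYS = 7  # the guide's "more than a week old" threshold


def sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def manifest(root):
    """Map relative path -> sha256 for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(source_dir, backup_dir):
    """Return (missing, changed, extra): source files absent from the backup,
    present with different content, or present only in the backup."""
    src, bak = manifest(source_dir), manifest(backup_dir)
    missing = sorted(k for k in src if k not in bak)
    changed = sorted(k for k in src if k in bak and src[k] != bak[k])
    extra = sorted(k for k in bak if k not in src)
    return missing, changed, extra


def backup_is_fresh(backup_dir, now=None, max_age_days=MAX_BACKUP_AGE_DAYS):
    """True if the newest file in the backup was written within max_age_days.
    An empty backup is never fresh."""
    now = time.time() if now is None else now
    mtimes = [p.stat().st_mtime
              for p in Path(backup_dir).rglob("*") if p.is_file()]
    return bool(mtimes) and (now - max(mtimes)) <= max_age_days * 86400


def restore_one_file(backup_dir, rel_path, restore_dir):
    """Copy one file out of the backup and confirm the restored copy hashes
    the same as the backup's copy: the guide's 'test restore of one file'."""
    src = Path(backup_dir) / rel_path
    dst = Path(restore_dir) / rel_path
    dst.parent.mkdir(parents=True, exist_ok=True)
    dst.write_bytes(src.read_bytes())
    return sha256_of(src) == sha256_of(dst)


def demo():
    """Constructed scenario: one file intact, one changed since the last
    backup, one never backed up, and a backup last written ten days ago."""
    with tempfile.TemporaryDirectory() as tmp:
        source, backup, restore = (Path(tmp) / n
                                   for n in ("source", "backup", "restore"))
        for d in (source / "docs", backup / "docs"):
            d.mkdir(parents=True)
        (source / "docs" / "taxes.pdf").write_bytes(b"tax return 2024")
        (backup / "docs" / "taxes.pdf").write_bytes(b"tax return 2024")
        (source / "docs" / "will.txt").write_bytes(b"revised version")
        (backup / "docs" / "will.txt").write_bytes(b"old version")
        (source / "photos.zip").write_bytes(b"never backed up")
        ten_days_ago = time.time() - 10 * 86400
        for p in backup.rglob("*"):
            if p.is_file():
                os.utime(p, (ten_days_ago, ten_days_ago))
        return {
            "compare": compare(source, backup),
            "fresh": backup_is_fresh(backup),
            "restore_ok": restore_one_file(backup, "docs/taxes.pdf", restore),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the constructed scenario the backup is reported stale, photos.zip is missing from it, will.txt differs from the current version, and the single-file restore succeeds. A backup that passes the restore test but fails the manifest comparison is the case the text warns about: it works, but it is not protecting the files you actually have today.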

Section 7: Privacy Cleanup — 10 Minutes

This final section addresses data minimization — reducing how much information about you exists online and is accessible to others.

Delete unused accounts. Every dormant account is another place your personal information can leak from, sitting on a server you are no longer monitoring and often protected by an old password you have since reused elsewhere. Use JustDeleteMe (justdeleteme.xyz) to find direct links to the deletion pages of hundreds of popular services, with ratings for how easy the process is. Start with services you have not used in over a year.

Opt out of data broker listings. Data brokers compile and sell personal information about individuals. In the US, you can submit opt-out requests to major brokers directly. Start with the largest: Spokeo, WhitePages, Intelius, and BeenVerified all have opt-out forms. For California residents, the state’s Delete Request and Opt-Out Platform (DROP) launched in January 2026 allows batch opt-out requests to registered data brokers.

Review social media privacy settings. Set your primary social media profiles to private or friends-only if you have not done so recently. Review your friend or follower list and remove people you do not recognize or no longer wish to share your updates with.

Action items from this section: Delete at least three dormant accounts. Submit opt-out requests to two or three major data brokers. Set social media profiles to private.

Making This a Habit

A one-time audit improves your security significantly. A repeated audit, done annually, keeps it current as your accounts, devices, and habits change. Security is not a state you achieve — it is a practice you maintain.

The most important takeaway from any security audit is not the specific vulnerabilities you find on a given afternoon. It is the habit of periodic review. A 2024 survey by the Family Online Safety Institute found that most people have not changed any account security settings in over a year, despite regular news coverage of breaches. The people who consistently maintain stronger security are those who have built periodic review into their routine, not those who rely on one-time fixes.

Set a calendar reminder for 12 months from today. When it fires, run through this audit again. Many of the issues you fix today will re-emerge over the following year — new accounts accumulate, permissions drift, passwords are reused out of convenience. The annual review catches them before they compound.

Frequently Asked Questions

Q: How long does this audit take in total?

A: The full audit as described takes approximately two hours. The most time-consuming section is typically password health, particularly if you find significant reuse that needs to be corrected. If you use a password manager that already flags reused passwords, that section takes under 15 minutes. The remaining sections are primarily navigation and review.

Q: I found that I have been signed into an account from an unrecognized location. What should I do?

A: Act immediately. Change the password for that account from a device you trust, enable 2FA if it is not already active, revoke all active sessions to force a fresh login, and check for any inbox rules or settings changes that may have been made. Confirm that the recovery email address and phone number are still yours, since attackers change these to lock you out later. If the account is an email account, also check for forwarding rules, and then change the passwords of any other accounts whose resets go to that inbox. Report the incident to the platform’s security team through their official support channel.

Q: How do I know if a data broker opt-out request has been honored?

A: Most data brokers take 30 to 90 days to process opt-out requests. After that period, search for your name on the site to verify your listing has been removed. Note that removal is not always permanent — some brokers re-add listings as their databases are updated from new sources. The opt-out process is ongoing maintenance rather than a one-time fix. Paid services like DeleteMe or Privacy Bee automate this process on an ongoing basis.

Q: What if I find a fraudulent account in my credit report?

A: Dispute the account with the bureau that listed it — each major bureau has an online dispute process at equifax.com, experian.com, and transunion.com. Place a fraud alert and consider a credit freeze at all three bureaus. File a report with the FTC at identitytheft.gov, which generates a personalized recovery plan and creates an official Identity Theft Report you can use with creditors. If your Social Security number was involved, consider requesting an IRS Identity Protection PIN at IRS.gov/ippin so that no one else can file a tax return in your name.

Author

  • Bruno Revelant

    Bruno Revelant is the creator of Central do Conhecimento, a platform focused on making cybersecurity simple and accessible. His work centers on translating complex digital safety concepts into practical knowledge for everyday users.
