Why You Need a Personal Security Audit
Most people accumulate digital accounts, devices, and services over years without ever conducting a structured review of their security posture. Old accounts with reused passwords, forgotten connected apps, outdated recovery options, and unencrypted devices create vulnerabilities that attackers can exploit.
A personal security audit is a systematic review of your digital life designed to identify and fix weaknesses before they become problems. Think of it as a health checkup for your digital security. The checklist below covers 20 essential items organized by category. Set aside a few hours, work through each item, and you will emerge with a significantly stronger security posture.
Password and Authentication Audit
1. Check for Compromised Passwords
Visit haveibeenpwned.com and enter each of your email addresses. The site will tell you which data breaches have exposed your credentials. Change the password on any breached account immediately using a strong, randomly generated password from our password generator.
2. Eliminate Reused Passwords
Open your password manager and look for reused passwords. If you are not using a password manager yet, this audit is the perfect time to start. Export your browser's saved passwords, import them into a dedicated password manager, and replace every reused password with a unique one.
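If your password manager has no reuse report, the exported file itself can be checked. The script below is an added example, not part of the original article: it assumes a CSV export with `url`, `username` and `password` columns (the layout Chrome and Firefox exports use), and the sample rows are constructed.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample in the column layout of a browser password export.
SAMPLE_EXPORT = """name,url,username,password
example-shop,https://shop.example/login,ana@example.com,Summer2019!
example-forum,https://forum.example/,ana,Summer2019!
example-bank,https://bank.example/,ana@example.com,x9$Lq2!vTz#8
example-mail,https://mail.example/,ana@example.com,Summer2019!
example-blank,https://old.example/,ana,
"""

def find_reused(csv_file):
    """Return lists of (url, username) logins that share one password, largest first."""
    groups = defaultdict(list)
    for row in csv.DictReader(csv_file):
        password = row.get("password") or ""
        if not password:
            continue  # entries saved without a password cannot be compared
        # Group by digest so the plaintext is never stored or printed.
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        groups[digest].append((row.get("url", ""), row.get("username", "")))
    # A duplicate entry for the same login is not reuse, so count distinct logins.
    reused = [sorted(set(logins)) for logins in groups.values() if len(set(logins)) > 1]
    return sorted(reused, key=len, reverse=True)

def report(csv_file):
    """Build a readable report that names the affected logins but no passwords."""
    lines = []
    for n, logins in enumerate(find_reused(csv_file), 1):
        lines.append(f"Password #{n} is shared by {len(logins)} logins:")
        lines.extend(f"  {url} ({user})" for url, user in logins)
    return "\n".join(lines) or "No reused passwords found."

if __name__ == "__main__":
    print(report(io.StringIO(SAMPLE_EXPORT)))
```

For a real export, pass `open(path, newline="", encoding="utf-8")` to `report`. The export holds every password in plaintext, so delete it as soon as the import and this check are done.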
3. Audit Two-Factor Authentication Coverage
List your 10 most important accounts: email, banking, cloud storage, social media, and work accounts. Verify that every one has multi-factor authentication enabled. Use an authenticator app rather than SMS where possible. If any critical account lacks MFA, enable it now.
4. Verify Recovery Options Are Current
Check the recovery email addresses and phone numbers on your primary accounts. Outdated recovery options (an old phone number you no longer have, a college email that has been deactivated) could lock you out of your own account. Update them to current, accessible contact information.
5. Save Backup Codes Securely
Most services that offer MFA also provide backup codes for use if you lose access to your authenticator. Generate and save these backup codes in a secure location: an encrypted file, a physical printout in a safe, or a password manager's secure notes. Verify that your existing backup codes have not expired.
Device Security Audit
6. Enable Full-Disk Encryption
Check that every device you own has disk encryption enabled. On Windows, enable BitLocker (Pro editions) or Device Encryption. On macOS, enable FileVault. On iOS and Android, encryption is enabled by default if you have a lock screen set. Unencrypted devices expose all stored data if lost or stolen.
7. Update All Operating Systems
Check for pending updates on every device: computers, phones, tablets, and routers. Install all available security updates. Enable automatic updates where possible. Unpatched devices are the low-hanging fruit that attackers target first.
8. Review Installed Applications
Go through your installed applications on each device and remove anything you no longer use. Unused applications still receive network access, run background processes, and may contain unpatched vulnerabilities. Less software means less attack surface.
9. Check Screen Lock Settings
Verify that every device has a strong screen lock: a six-digit PIN at minimum, or a passphrase for higher security. Set auto-lock to one minute or less. Disable lock screen notification previews that could reveal sensitive information to someone holding your locked device.
10. Verify Find My Device Is Active
Confirm that Find My iPhone, Find My Device (Android), or Find My Device (Windows) is enabled and functioning. Test the locate feature to ensure it works. These services allow you to remotely lock or wipe a lost device before an attacker can access your data.
Online Account Audit
11. Review Connected Apps and OAuth Permissions
Visit the security settings of your Google, Facebook, Apple, and Microsoft accounts. Review every connected third-party application. Revoke access for any application you no longer use or do not recognize. Our OAuth security guide explains this process in detail.
12. Close Dormant Accounts
Old accounts on services you no longer use are security liabilities. They may still contain personal information and are protected by passwords you set years ago. Delete or deactivate accounts you no longer need. If a service does not offer account deletion, change the password to a random string and remove personal information.
13. Review Privacy Settings on Social Media
Visit the privacy settings on every social media platform you use. Restrict who can see your posts, friend list, email address, and phone number. Disable location tagging. Limit who can find you through search. Each piece of public information gives attackers material for social engineering.
14. Check Email Forwarding Rules
Attackers who gain temporary access to email accounts often set up forwarding rules to receive copies of all future messages, maintaining access even after you change your password. Check your email forwarding settings in Gmail, Outlook, or whichever provider you use. Remove any forwarding rules you did not create.
15. Review Financial Account Alerts
Log into your bank and credit card accounts. Enable transaction alerts for all purchases above a low threshold, login notifications, and password change alerts. Early detection of unauthorized transactions limits financial damage.
Data Protection Audit
16. Verify Backup Integrity
Having backups is not enough; you need to verify they work. Attempt to restore a file from each of your backup sources. Check that your backups are recent, complete, and stored in at least two separate locations (the 3-2-1 rule: three copies, two media types, one offsite).
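A restore test can go beyond a single file by comparing checksums of a whole restored folder against the originals. The script below is an added example, not part of the original article: it assumes the originals have not changed since the backup was taken, and the folder names and file contents in `demo()` are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while block := f.read(chunk):
            h.update(block)
    return h.hexdigest()

def compare_restore(original_dir, restored_dir):
    """Check every file under original_dir against its restored copy."""
    original_dir, restored_dir = Path(original_dir), Path(restored_dir)
    result = {"ok": [], "missing": [], "corrupt": []}
    for src in sorted(p for p in original_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(original_dir)
        dst = restored_dir / rel
        if not dst.is_file():
            result["missing"].append(rel.as_posix())   # never made it into the backup
        elif sha256_file(src) != sha256_file(dst):
            result["corrupt"].append(rel.as_posix())   # restored, but contents differ
        else:
            result["ok"].append(rel.as_posix())
    return result

def demo():
    """Constructed original/restore pair with one missing and one altered file."""
    with tempfile.TemporaryDirectory() as tmp:
        orig, rest = Path(tmp, "original"), Path(tmp, "restored")
        (orig / "docs").mkdir(parents=True)
        (rest / "docs").mkdir(parents=True)
        (orig / "docs" / "taxes.txt").write_text("2023 return")
        (rest / "docs" / "taxes.txt").write_text("2023 return")
        (orig / "photo.raw").write_bytes(b"\x00\x01\x02\x03")
        (rest / "photo.raw").write_bytes(b"\x00\x01\xff\x03")  # one byte differs
        (orig / "keys.kdbx").write_bytes(b"vault")             # absent from the restore
        return compare_restore(orig, rest)

if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status}: {files}")
```

Restore into an empty scratch folder rather than over the originals, then call `compare_restore(original_folder, scratch_folder)`; anything listed under `missing` or `corrupt` means that backup source needs attention.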
17. Audit Cloud Storage Contents
Review what you have stored in Google Drive, Dropbox, iCloud, and other cloud services. Remove sensitive documents that do not need to be in the cloud. Check sharing settings on remaining files to ensure you have not accidentally shared private documents publicly. Use our PDF tools to manage sensitive documents securely.
18. Check Photo Metadata
Photos stored online or shared on social media may contain EXIF metadata revealing your location, device information, and timestamps. Use our metadata remover to strip metadata from photos before sharing them publicly.
19. Review Browser Extensions
Browser extensions have extensive access to your browsing data, including login credentials and form entries. Review your installed extensions in every browser you use. Remove extensions you no longer use, do not recognize, or that request permissions beyond their stated function. Research any extension you are unsure about.
20. Test Your Network Security
Check your home network's security settings. Verify your Wi-Fi uses WPA3 or WPA2 encryption with a strong password. Check your router's admin password (change it if it is still the factory default). Verify your router's firmware is up to date. Use our speed test to verify your connection is performing as expected, which can help identify if unauthorized users are consuming your bandwidth.
Making Audits a Habit
A one-time audit is valuable, but regular reviews are what maintain strong security. Schedule a full audit quarterly using this checklist. Between full audits, stay alert for breach notifications, unusual account activity, and new security features offered by the services you use. Each audit becomes faster as you establish a well-maintained security baseline.
Raimundo Coelho
Cybersecurity specialist and technology professor with over 20 years of experience in IT. Graduated from Universidade Estácio de Sá. Writing practical guides to help you protect your data and stay safe in the digital world.