Password Security Checklist — 10 Steps to Secure Your Accounts

Work through this 10-point checklist to systematically improve your account security. Each step builds on the last. Even completing steps 1–4 dramatically reduces your risk from the most common attacks.

✅ Step 1 — Install a password manager

A password manager is the single highest-impact security tool you can adopt. It generates cryptographically random unique passwords for every account, stores them in an encrypted vault, and autofills them — making strong unique passwords effortless.

Recommended options:

  • Bitwarden — Free, open-source, syncs across all devices. Best free option.
  • 1Password — Premium UX, excellent family/team plans. $3/month.
  • KeePass — Local-only, open-source. No subscription, maximum privacy.

Avoid: storing passwords in browser notes, spreadsheets, text files, or your browser's built-in saver (less secure than a dedicated manager).

✅ Step 2 — Generate unique passwords for every account

Password reuse is the #1 source of account takeovers. A breach at any single site exposes every account where you used the same password. Use your password manager to generate a unique 16-character random password for each service.

Recommended settings: 16+ characters, all character types enabled. Use PassFortify's generator if needed.

Priority accounts to tackle first: email, banking/financial, social media, work, and cloud storage.

✅ Step 3 — Enable 2FA on your email account

Your email account is the master key to your digital life — it controls password resets for almost everything else. Enabling 2FA on email is the highest-impact single action you can take.

Use an authenticator app (Google Authenticator, Authy, Microsoft Authenticator) — not SMS. SMS 2FA is vulnerable to SIM-swap attacks. Most major email providers support authenticator apps.

Save your backup codes in your password manager or print and store securely.
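Authenticator apps work by computing time-based one-time passwords (TOTP, RFC 6238) from a shared secret, which is why they do not depend on the phone network the way SMS does. The following is an added illustration, not PassFortify's code or any authenticator app's source: it derives a code the way an app does and shows the server-side check with a small clock-drift window, a constant-time comparison, and rejection of a code whose time step has already been used. The secret is the RFC 6238 reference value, chosen only so the output can be checked against the published test vectors.

```python
import hashlib
import hmac
import struct

# RFC 6238 reference secret (ASCII "12345678901234567890"); used here only so the
# output can be compared with the RFC's published SHA-1 test vectors.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % 10**digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time divided by the step."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int,
                window: int = 1, last_counter_used: int = -1):
    """Server-side check of a submitted code.

    Accepts the current step plus `window` steps either side to absorb clock drift,
    compares in constant time, and refuses any counter at or below the last one
    already consumed so the same 30-second code cannot be replayed.
    Returns (ok, counter_used); the caller persists counter_used per user.
    """
    counter = at_time // STEP_SECONDS
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_counter_used:
            continue
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return True, candidate
    return False, last_counter_used


if __name__ == "__main__":
    code = totp(DEMO_SECRET, 59)
    print("code at t=59:", code)                       # 287082 (RFC 6238 vector 94287082, 6 digits)
    print("accepted:", verify_totp(DEMO_SECRET, code, 59))
    print("replayed:", verify_totp(DEMO_SECRET, code, 59, last_counter_used=1))
```

The time steps, digit count and SHA-1 HMAC are the defaults Google Authenticator, Authy and Microsoft Authenticator use for most accounts; the server stores the same secret, so that secret (and the backup codes issued with it) deserve the same protection as a password.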

✅ Step 4 — Enable 2FA everywhere it is offered

After email, enable 2FA on: banking and financial accounts, social media, cloud storage (Google Drive, iCloud, Dropbox), work accounts, and gaming platforms.

2FA priority order:

  1. Email accounts (all of them)
  2. Banking and financial accounts
  3. Cloud storage (large data loss risk)
  4. Social media (identity theft risk)
  5. Work accounts (professional/legal consequences)
  6. Gaming accounts with payment methods

✅ Step 5 — Check your accounts for known breaches

Search the Have I Been Pwned database to find which of your email addresses appeared in known breach data. Use PassFortify's Breach Checker — your email is queried via HTTPS and never stored.

For every breach found: note which service was breached, change the password for that service immediately, and check whether you reused that password anywhere else.
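A breach check can be done without handing over the secret being checked. Have I Been Pwned's Pwned Passwords range API uses k-anonymity: the client sends only the first five hex characters of the password's SHA-1 and receives every known suffix with that prefix, so the full hash never leaves the machine. The code below is an added example written for this page, not PassFortify's Breach Checker (which looks up email addresses); the response text is constructed here so the example runs offline, and the counts in it are made up.

```python
import hashlib
import urllib.request

# Real HIBP endpoint; the live lookup is only used by fetch_range(), not by the offline demo.
RANGE_API = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for a range response. Each line is "SUFFIX:COUNT" (35 hex chars
# of SHA-1 suffix, then how often that hash appeared in breach data). The first line
# is the real suffix for the word "password"; the counts and the other two lines are invented.
SAMPLE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
00000000000000000000000000000000000:3
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1
"""


def split_sha1(password: str) -> tuple:
    """Return (prefix, suffix) of the uppercase hex SHA-1; only the 5-char prefix is sent."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Turn the 'SUFFIX:COUNT' lines of a range response into {suffix: count}."""
    seen = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        seen[suffix.upper()] = int(count)
    return seen


def breach_count_from_response(password: str, body: str) -> int:
    """How many times the password appears in the breach data behind this response (0 = not found)."""
    _, suffix = split_sha1(password)
    return parse_range_response(body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup of one prefix (network access required)."""
    req = urllib.request.Request(RANGE_API + prefix, headers={"User-Agent": "breach-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_live(password: str) -> int:
    """Full k-anonymity flow: hash locally, send the prefix, match the suffix locally."""
    prefix, _ = split_sha1(password)
    return breach_count_from_response(password, fetch_range(prefix))


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", breach_count_from_response(candidate, SAMPLE_RESPONSE))
```

A non-zero count means that exact password is in circulation and should be treated like a breached one, even if none of your own accounts appear in a breach listing; the same "change it, then check where else it was reused" routine applies.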

✅ Step 6 — Change all compromised and reused passwords

For every account flagged in breaches, or anywhere you've reused a password, generate a new unique password. This is the most time-consuming step but also the most important catch-up action.

Work systematically: start with high-value accounts (email, banking, work), then social media, then everything else. Use your password manager to generate and immediately save each new password.

✅ Step 7 — Set a strong master password (passphrase)

Your password manager master password protects everything else. Use a 6-word passphrase — it provides 66+ bits of entropy while being genuinely memorable.

Example pattern: Gentle-Market-Sunrise-Frozen-Cable-Hollow

Generate one with PassFortify's secure passphrase generator. Practice typing it daily for the first week to build reliable muscle memory. Write it down once and store it somewhere physically secure (a safe, not a sticky note on your monitor).
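Both the per-account passwords from Step 2 and the master passphrase from this step get their strength from the same thing: each character or word is chosen uniformly by a cryptographically secure random number generator, and the entropy is log2 of the number of equally likely choices per position. The code below is an added example, not PassFortify's generator: it builds a 16-character password that is guaranteed to contain every character class, a Diceware-style passphrase, and the entropy arithmetic behind both. The eight-word list is a constructed stand-in so the example runs offline; a real passphrase needs a list of thousands of words (6 words from a 2048-word list is exactly 66 bits, and from the 7776-word Diceware list about 77.5 bits).

```python
import math
import secrets
import string

# The four character classes a typical "all character types" generator setting enables.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 94 printable ASCII characters

# Constructed demo wordlist so the example runs stand-alone. Entropy is driven by the
# list's size, so a real passphrase must come from a list such as the 7776-word Diceware
# list or the EFF long list, never from a handful of words like this.
DEMO_WORDLIST = ["gentle", "market", "sunrise", "frozen", "cable", "hollow", "river", "copper"]


def generate_password(length: int = 16) -> str:
    """Random password from the OS CSPRNG with at least one character from every class."""
    if length < len(CLASSES):
        raise ValueError("length must allow at least one character per class")
    chars = [secrets.choice(cls) for cls in CLASSES]            # one forced pick per class
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(CLASSES))]
    secrets.SystemRandom().shuffle(chars)                       # no fixed positions for the forced picks
    return "".join(chars)


def has_all_classes(password: str) -> bool:
    """True when the password contains at least one character from each class."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def password_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Upper bound log2(alphabet_size ** length); forcing one of each class costs a fraction of a bit."""
    return length * math.log2(alphabet_size)


def generate_passphrase(wordlist, words: int = 6, sep: str = "-") -> str:
    """Diceware-style passphrase: every word chosen uniformly and independently by the CSPRNG."""
    return sep.join(secrets.choice(wordlist).capitalize() for _ in range(words))


def passphrase_entropy_bits(wordlist_size: int, words: int) -> float:
    """Strength comes from the choice, not the words: log2(N) bits per word from an N-word list."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, "all classes:", has_all_classes(pw),
          "max entropy: %.1f bits" % password_entropy_bits(16))
    print(generate_passphrase(DEMO_WORDLIST, 6),
          "entropy with this %d-word list: %.1f bits" % (len(DEMO_WORDLIST),
                                                         passphrase_entropy_bits(len(DEMO_WORDLIST), 6)))
    print("6 words from 2048-word list: %.1f bits" % passphrase_entropy_bits(2048, 6))
    print("6 words from 7776-word list: %.1f bits" % passphrase_entropy_bits(7776, 6))
```

The `secrets` module draws from the operating system's CSPRNG; the `random` module must not be used for this, since its output is predictable from a small sample. The entropy functions make the trade-off explicit: a 16-character random password is far stronger than any 6-word passphrase, but the passphrase is the one a person can type from memory every day, which is what the master password requires.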

✅ Step 8 — Secure your account recovery options

Recovery phone numbers and backup emails are as powerful as passwords. Attackers who control your recovery phone number can reset your accounts. Audit and update:

  • Use a dedicated email address for important account recovery (not one you use day to day, which is more exposed to compromise).
  • If using a phone number for recovery, ensure your carrier has a port freeze or SIM lock enabled.
  • Store backup codes in your password manager vault.

✅ Step 9 — Remove passwords from browser storage

Passwords saved in Chrome, Safari, Firefox, or Edge are less protected than a dedicated password manager and may be exported or accessed by malware. Migrate all browser-saved passwords to your password manager, then disable browser password saving.

In Chrome: Settings → Autofill → Password Manager → turn off "Offer to save passwords". In Safari: Settings → Passwords → disable AutoFill.

✅ Step 10 — Audit connected apps and revoke unused access

Many accounts have third-party apps granted access via OAuth. These remain active even if you've stopped using the app — they can read your data or act on your behalf. Review and revoke:

  • Google: myaccount.google.com → Security → Third-party apps
  • Facebook: Settings → Security → Apps and Websites
  • Twitter/X: Settings → Security → Connected apps
  • GitHub: Settings → Applications → Authorized OAuth Apps

Revoke any app you no longer use or don't recognize. Fewer connected apps means a smaller attack surface.

Ready to start? Generate a strong password now.

Put the checklist into action — create unique passwords for all your accounts.
