Personal Security Audit: A Complete Self-Assessment Guide
Security Education: This article describes cyber threats for defensive awareness and education purposes only. Understanding how attacks work helps organizations and individuals protect themselves. Never use this information for unauthorized access or malicious purposes.
A personal security audit is a systematic review of your digital security posture: your accounts, passwords, devices, privacy settings, and recovery mechanisms. Most people accumulate security debt over years of quick account signups, ignored update prompts, and default settings. A thorough audit identifies the gaps attackers would exploit and gives you a prioritized remediation plan.
Phase 1: Account Inventory
List every online account you have. Your password manager’s vault is a good starting point, but also search your email for account confirmation messages, check browser saved passwords, and review app store purchase histories. Most people discover they have 100 to 200 accounts, many forgotten.
Categorize accounts by sensitivity: critical (email, banking, cloud storage, identity providers like Google/Apple), important (social media, shopping with saved payment info, healthcare portals), and low-risk (forums, newsletters, single-use signups).
Delete accounts you no longer use. Every account is an attack surface. Use JustDeleteMe (justdeleteme.xyz) for direct links to account deletion pages. For services that do not offer deletion, change the email to an alias, remove personal information, and change the password to a random string.
Phase 2: Password Assessment
Check for reused passwords. Your password manager’s security audit feature flags passwords used across multiple accounts. Prioritize changing reused passwords on critical accounts first.
Check for weak passwords. Replace any password shorter than 12 characters or based on dictionary words, personal information, or common patterns.
Check for breached passwords. Run your email addresses through haveibeenpwned.com. Your password manager may do this automatically. Any credential appearing in a breach database needs immediate replacement.
Ensure unique passwords everywhere. After remediation, every account should have a unique, randomly generated password stored in your password manager.
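As an added example that is not part of the original guide: a script that applies the three Phase 2 checks (reused, weak, breached) to a password-manager CSV export, with the breach check done the way the Pwned Passwords k-anonymity range lookup on haveibeenpwned.com works, where only the first five characters of the SHA-1 hash are queried and the suffix is matched locally. The vault rows, the dictionary word list and the range response are constructed here so it runs offline; a real run would fetch each prefix's range from the API instead of reading `RANGES`.

```python
import csv
import hashlib
import io
from collections import Counter

# Constructed sample vault export in a common "name,username,password" layout.
VAULT_CSV = """name,username,password
bank,alice,Tr0ub4dor&3
email,alice@example.com,correct horse battery staple
forum,alice,Tr0ub4dor&3
shop,alice,password123
"""
COMMON_WORDS = {"password", "welcome", "qwerty", "letmein"}  # illustrative only

def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for Pwned Passwords range responses, keyed by the 5-char
# hash prefix a client would query; each body is "SUFFIX:COUNT" lines.
_PW = sha1_upper("password123")
RANGES = {_PW[:5]: _PW[5:] + ":1234\n0123456789ABCDEF0123456789ABCDEF012:2\n"}

def pwned_count(password: str, ranges: dict) -> int:
    """k-anonymity check: only the 5-char prefix would leave the machine; the
    35-char suffix is matched locally against the returned list. 0 = not found."""
    digest = sha1_upper(password)
    for line in ranges.get(digest[:5], "").splitlines():
        suffix, _, count = line.strip().partition(":")
        if suffix.upper() == digest[5:] and count.isdigit():
            return int(count)
    return 0

def is_weak(password: str) -> bool:
    """Phase 2 rule: shorter than 12 characters or built on a dictionary word."""
    return len(password) < 12 or any(w in password.lower() for w in COMMON_WORDS)

def audit_vault(csv_text: str, ranges: dict) -> dict:
    """Apply the three checks to every row; returns {account: [flags]}."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    uses = Counter(row["password"] for row in rows)  # accounts sharing each one
    findings = {}
    for row in rows:
        pw = row["password"]
        checks = ((uses[pw] > 1, "reused"), (is_weak(pw), "weak"),
                  (pwned_count(pw, ranges) > 0, "breached"))
        findings[row["name"]] = [flag for hit, flag in checks if hit]
    return findings
```

Accounts flagged "reused" on critical services should be changed first, as the guide recommends; any "breached" hit means the password is already in a public dump regardless of its length.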
Phase 3: Authentication Hardening
Enable 2FA on every critical and important account. Check twofactorauth.org for a list of services that support 2FA and what methods they offer. Use authenticator apps or hardware keys; avoid SMS where alternatives exist.
Review recovery mechanisms. For each critical account, verify that recovery email addresses and phone numbers are current and point to accounts you control. Remove security questions where possible; where required, use random answers stored in your password manager.
Save backup codes. Print 2FA backup codes for critical accounts and store them in a physical safe.
Phase 4: Device Review
Check that all devices (computers, phones, tablets, routers) are running the latest OS and firmware versions. Verify that auto-update is enabled. Remove unused applications. Review app permissions on mobile devices, revoking unnecessary access to camera, microphone, contacts, and location.
Phase 5: Privacy Settings
Review privacy settings on social media platforms. Check what information is publicly visible on your profiles. Audit connected third-party applications on each platform and revoke access for unused ones. Search for yourself on data broker sites and submit removal requests.
Phase 6: Recovery Preparedness
Verify that backups are current and restorable. Confirm you have emergency access to critical accounts if your primary device is lost. Consider designating a trusted contact for account recovery on platforms that support it (Apple, Google, Facebook).
Schedule your next audit in six months. Security is an ongoing practice, not a one-time event.
For detailed guidance on password improvement, see our password security best practices. For authentication hardening, explore our two-factor authentication guide.
Creating an Audit Schedule
Security degrades over time as new accounts are created, settings change, and new threats emerge. Establish a recurring audit schedule:
Monthly: Review password manager for new weak or reused passwords. Check for new breach notifications at haveibeenpwned.com. Verify 2FA is active on any newly created accounts.
Quarterly: Review social media privacy settings. Audit app permissions on mobile devices. Check connected apps on cloud and social accounts. Review and remove unused browser extensions.
Annually: Comprehensive audit following all six phases described above. Review and update your recovery mechanisms. Verify backup integrity by performing a test restoration. Evaluate whether your threat model has changed and adjust protections accordingly.
Document your audit findings and actions taken. This record helps you track improvements over time and ensures you do not repeat work unnecessarily. A simple spreadsheet tracking account names, last password change date, 2FA status, and audit notes is sufficient for most individuals.