How to Do a Personal Security Audit — Step by Step
Affiliate disclosure: This article contains affiliate links. If you click a link and make a purchase, we may earn a commission at no extra cost to you. Our editorial recommendations are never influenced by commissions — read our full disclosure policy.
Most people never think about their online security until something goes wrong — a hacked account, a fraudulent charge, or a threatening email with their real password in the subject line. A personal security audit is a systematic review of your digital defenses. It takes about an hour, costs nothing, and dramatically reduces your risk of becoming a victim. Follow these eight steps to find and fix your biggest vulnerabilities today.
Step 1: Check if Your Data Has Been Breached
The first step is finding out what attackers already know about you. Visit HaveIBeenPwned.com and enter every email address you use. The site checks your addresses against billions of records from known data breaches. If your email appears in a breach, it means your password (and possibly other personal data) from that service has been leaked. Do not panic — but do take it seriously. Write down every breached account so you can address them in the next step. If a breached account used a password you still use anywhere else, that password is compromised across all those accounts. Attackers routinely use credential stuffing — trying stolen username and password combinations on hundreds of other sites automatically.
Step 2: Audit and Fix Your Passwords
Now that you know which accounts have been compromised, it is time to fix your passwords. The rules are simple: every account needs a unique password that is at least 14 characters long and contains a mix of letters, numbers, and symbols. No human can memorize dozens of strong passwords, which is why you need a password manager. A password manager generates, stores, and auto-fills complex passwords so you only need to remember one master password. NordPass is an excellent option — it uses zero-knowledge encryption, meaning even NordPass cannot see your stored passwords.
Start by changing the passwords on every breached account. Then work through your remaining accounts, replacing any weak, reused, or short passwords. Most password managers include a security dashboard that flags weak and reused passwords automatically.
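For readers who want to run the same checks themselves, here is an added example (not part of the original article or of any password manager) that applies the rules from Steps 1 and 2 to a CSV export. The column names, the sample rows, and the `breached` set are constructed assumptions.

```python
import csv
import hashlib
import io
import string
from collections import defaultdict

MIN_LENGTH = 14  # minimum length recommended in this article

# Constructed sample export. The column names are an assumption; match them
# to the CSV your password manager actually produces.
SAMPLE_EXPORT = """name,username,password
mail.example,me@example.com,Tr0ub4dor&3-horse-staple
shop.example,me@example.com,summer2019
forum.example,me@example.com,summer2019
bank.example,me@example.com,correcthorsebatterystaple
"""

def audit(export_file, breached=()):
    """Return {account: [problems]} based on the article's password rules."""
    findings = defaultdict(list)
    by_digest = defaultdict(list)
    for row in csv.DictReader(export_file):
        name, pw = row["name"], row["password"]
        if len(pw) < MIN_LENGTH:
            findings[name].append(f"shorter than {MIN_LENGTH} characters")
        classes = (any(c.isalpha() for c in pw),
                   any(c.isdigit() for c in pw),
                   any(c in string.punctuation for c in pw))  # ASCII symbols
        if not all(classes):
            findings[name].append("missing letters, numbers, or symbols")
        if name in breached:
            findings[name].append("account appeared in a breach")
        # Group by digest so the report never has to print a password.
        by_digest[hashlib.sha256(pw.encode()).hexdigest()].append(name)
    for names in by_digest.values():
        if len(names) < 2:
            continue
        for name in names:
            others = [n for n in names if n != name]
            findings[name].append("password reused on " + ", ".join(others))
            if any(n in breached for n in others):
                findings[name].append("shares a password with a breached account")
    return dict(findings)

if __name__ == "__main__":
    report = audit(io.StringIO(SAMPLE_EXPORT), breached={"forum.example"})
    for account, problems in report.items():
        print(account + ": " + "; ".join(problems))
```

Password manager exports are plaintext, so run this locally and delete the export file as soon as you are done.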
Step 3: Enable Two-Factor Authentication Everywhere
Strong passwords are essential, but they are only half the equation. Two-factor authentication (2FA) adds a second verification step — typically a time-based code from an authenticator app — that stops attackers even if they have your password. Enable 2FA on your email, bank accounts, social media, and any service that supports it. Prioritize email first, because your inbox is the gateway to resetting passwords on every other account. For a detailed walkthrough, see our complete 2FA setup guide. Use an authenticator app like Authy or Google Authenticator rather than SMS, which is vulnerable to SIM-swapping attacks.
Step 4: Check Data Brokers for Your Personal Information
Data brokers collect and sell your personal information — your name, address, phone number, email, and even family members — to anyone willing to pay. This data fuels spam calls, phishing attacks, and even identity theft. Search for yourself on sites like Spokeo, WhitePages, and BeenVerified to see what information is publicly available. You will likely be shocked by how much is out there. Removing your information manually from each broker is tedious and time-consuming, and they often re-list you within months. A data removal service automates this process and continuously monitors for new listings.
Step 5: Review App Permissions and Connected Accounts
Over the years, you have likely granted dozens of apps and websites access to your Google, Facebook, Apple, or Microsoft accounts. Each connected app is a potential attack vector — if that app gets breached, your linked account data could be exposed. Go to your Google Account → Security → Third-party apps with account access, and revoke access for anything you no longer use. Do the same for Facebook (Settings → Apps and Websites), Apple ID, and Microsoft. On your phone, review which apps have access to your camera, microphone, contacts, and location. Revoke permissions that are not essential to the app's core function. A flashlight app does not need access to your contacts.
Step 6: Update All Software and Operating Systems
Outdated software is one of the easiest ways for attackers to gain access to your devices. Security patches fix known vulnerabilities that hackers actively exploit. Update your operating system (Windows, macOS, iOS, Android), web browsers, and all installed applications. Enable automatic updates wherever possible so you are always running the latest, most secure version. Pay special attention to your browser and browser extensions — these are the programs most exposed to the internet. Remove any browser extensions you no longer use, as abandoned extensions can be sold to malicious developers who push malware through updates.
Step 7: Check Your Router Security
Your home router is the gateway between all your devices and the internet, yet most people never change its default settings. Log in to your router's admin panel (usually at 192.168.1.1 or 192.168.0.1) and take these steps: change the default admin password to something strong and unique; make sure your Wi-Fi is using WPA3 encryption (or WPA2 at minimum — never WEP); change your Wi-Fi network name to something that does not identify you or your router model; disable WPS (Wi-Fi Protected Setup), which has known security flaws; and check for firmware updates from your router manufacturer. For an extra layer of privacy, use a VPN on your router to encrypt all traffic from every device on your network.
Step 8: Set a Calendar Reminder to Repeat This Audit
Security is not a one-time event. New breaches happen constantly, new accounts get created, and software needs ongoing updates. Set a recurring calendar reminder to repeat this security audit every three months. Each subsequent audit will be faster because you will only need to check for new breaches, review recently installed apps, and update any changed passwords. Between audits, stay vigilant: use your password manager for every new account, enable 2FA immediately on any new service, and think twice before clicking links in emails or messages. Your personal security is an ongoing practice, not a finished project. By completing this audit, you have already taken a massive step ahead of most people — now keep that momentum going.
Reviewed by Thomas & Øyvind — NorwegianSpark · Last updated: April 2026