What Is a Password Audit and Why Does It Matter?

Most people reuse a small set of passwords across dozens of accounts. When one of those sites gets breached, and breaches of major platforms are a weekly event, attackers replay the leaked email-and-password pairs against every other site they can think of (credential stuffing), so every account sharing that password is exposed at once. A password audit is the process of reviewing every password you use, finding the weak ones, spotting the duplicates, and replacing them before someone else exploits them.

This isn't paranoia. It's basic hygiene, like checking your car's tire pressure before a long drive. Catching a compromised or recycled password takes about 30 minutes. Recovering a hacked bank account or email takes weeks.


What You Need Before You Start Your Password Audit

Before you dive in, gather the raw material. You can't audit what you can't see.

What you need:
- Access to every browser you use (Chrome, Safari, Firefox, Edge)
- Login credentials for any password manager you already use (1Password, Bitwarden, Dashlane, etc.)
- Your email address, which you'll need to check breach databases
- 30–60 minutes of uninterrupted time
- A device that's secure and on a private network (skip public Wi-Fi for this)

If you've never used a password manager, now is the time to set one up before you start. More on that shortly. But even without one, you can still run a meaningful audit manually.


How to Run a Password Audit Using a Built-In Password Manager

If you're already using a password manager, you're ahead. Most of them have a built-in password audit tool that does the heavy lifting.

1Password Watchtower

1Password's Watchtower dashboard surfaces weak passwords, reused passwords, passwords for sites that have been breached, and accounts that don't have two-factor authentication enabled. Open 1Password, click Watchtower in the left sidebar, and it generates a full health report. Pricing: $2.99/month for individuals.

Bitwarden's Reports

Bitwarden (free tier available, Premium at $10/year) includes a Reports section with separate views for exposed passwords, reused passwords, weak passwords, unsecured websites (HTTP instead of HTTPS), and logins that support two-factor authentication but don't have it turned on. The data breach report, which checks your email address against known breaches, is free; the vault health reports are a Premium feature, which at $10/year still makes it one of the cheapest thorough password health checks available.

Dashlane's Password Health Score

Dashlane gives you a numeric score (0–100) based on password strength, reuse, and breach exposure. It's satisfying to watch the number climb as you fix things. Dashlane starts at $4.99/month.

Apple Passwords (iOS/macOS)

If you use iCloud Keychain, Apple's Passwords app (iOS 18 and macOS Sequoia) has a dedicated Security section showing compromised, reused, and weak passwords. Open the Passwords app and tap or click Security. On iOS 17 and earlier the same list lives at Settings > Passwords > Security Recommendations.

Google Password Manager

In Chrome, go to passwords.google.com and open Password Checkup (or type chrome://password-manager/checkup in the address bar). Google will flag compromised, reused, and weak credentials across your saved logins. It's free and surprisingly comprehensive for a built-in tool.


How to Audit Passwords Without a Password Manager

No password manager? You can still do this, but it takes more manual effort.

Start by exporting saved passwords from each browser you use (menu paths move between versions; these are current as of this writing):
- Chrome: Settings > Autofill and passwords > Google Password Manager > Settings > Export passwords
- Firefox: Settings > Privacy & Security > Saved Logins > three-dot menu > Export Logins
- Safari: on macOS Sequoia, Passwords app > File > Export All Passwords to File; on older macOS, Safari > Settings > Passwords > three-dot menu > Export

The export is a plaintext CSV of every password you own. Keep it on the encrypted device you are working from, never in a cloud-synced folder or an email, and securely delete it as soon as the audit is done.

Open the exported CSV file in a spreadsheet app. Sort by the password column and scan for duplicates. Any password appearing more than once is a reuse problem, and so are near-duplicates that differ only in a trailing digit or symbol, which a sort conveniently places next to each other. Any password under 12 characters is weak, and so is any password built from a dictionary word, a name, or a keyboard pattern, however many symbols are tacked onto the end. Character mix matters far less than length and randomness: a long random string of lowercase letters is stronger than Summer2024!.

This is tedious, but it works. The bigger issue is that once you've identified problems, fixing them without a password manager means creating strong passwords you'll need to remember or store somewhere else, which often defeats the purpose. At this point, you're better off downloading Bitwarden, importing your CSV, and letting its reports do the analysis for you (the vault health reports need the $10/year Premium tier; the free tier still stores and fills everything).


How to Identify Weak, Reused, and Compromised Passwords

Knowing what to look for speeds up the process.

Weak passwords typically share these traits:
- Fewer than 12 characters
- Dictionary words, names, or keyboard patterns (qwerty, password123, iloveyou)
- No mix of uppercase, lowercase, numbers, and symbols
- Personal information: birthdays, pet names, street addresses

Reused passwords are any case where the same string (or a close variation like MyPassword1 and MyPassword2) appears across more than one account. Variations count: credential-stuffing tools apply mangling rules that automatically try appended digits, swapped symbols, and other slight modifications of a leaked password.

Compromised passwords are credentials that have appeared in a known data breach. These are the most urgent to fix. You could have a 20-character random password and still be compromised if it leaked in a breach.

Finding reused passwords manually is the hardest part of a manual audit. If you're using a password manager, the tool finds them automatically. Without one, sorting your exported CSV by password value is the fastest visual method.
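The sort-and-scan pass described in the manual-audit section, plus the near-variation detection this section asks for, can be automated over the exported CSV. The script below is an added example for this article, not code from the article, Chrome, or any password manager. It assumes Chrome's export column names (name, url, username, password); Firefox and Safari use different headers, so rename the columns first. The CSV text, the list of common fragments, and the threshold of 12 characters are constructed for the demo.

```python
"""Audit a browser CSV export for reused, near-duplicate and weak passwords.

Added example; not code from the article or from any browser or password
manager. Column names follow Chrome's export. The CSV below is constructed.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample export. A real export holds plaintext passwords:
# audit it, then securely delete the file.
SAMPLE_CSV = """name,url,username,password
Gmail,https://mail.google.com,alice@example.com,MyPassword1
Bank,https://bank.example,alice,MyPassword2
Forum,https://forum.example,alice99,MyPassword1!
Shop,https://shop.example,alice@example.com,qwerty123
News,http://news.example,alice,correct-horse-battery-staple
Work,https://work.example,alice,Xk7#mN2pQrL8@vJw
"""

MIN_LENGTH = 12
# Fragments present in every cracking wordlist, including the famous xkcd phrase.
COMMON_FRAGMENTS = ("password", "qwerty", "iloveyou", "letmein", "welcome",
                    "123456", "correct-horse")
# Trailing digits/symbols that people bump when forced to "change" a password.
TRAILING_JUNK = re.compile(r"[0-9!@#$%^&*()_+=.,?-]+$")
# One word, optional digits (a year, a counter), optional single symbol.
WORD_PLUS_DIGITS = re.compile(r"[a-z]+[0-9]{0,4}[!@#$%^&*.?]?")


def normalize(password: str) -> str:
    """Collapse MyPassword1, MyPassword2 and MyPassword2! onto one key so
    close variations are reported as reuse."""
    core = TRAILING_JUNK.sub("", password.lower())
    return core or password.lower()       # all-digit passwords keep their own key


def weakness_reasons(password: str) -> list[str]:
    """Return the reasons a password is weak; an empty list means it passed."""
    reasons = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if any(frag in lowered for frag in COMMON_FRAGMENTS):
        reasons.append("contains a common word, pattern or famous example phrase")
    if WORD_PLUS_DIGITS.fullmatch(lowered):
        reasons.append("single word plus digits/symbol (guessable with mangling rules)")
    return reasons


def audit(csv_text: str) -> dict:
    """Group rows by normalized password; flag reuse, weakness and HTTP-only sites."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    groups = defaultdict(list)
    for row in rows:
        groups[normalize(row["password"])].append(row["url"])
    reused = {key: urls for key, urls in groups.items() if len(urls) > 1}
    weak = {}
    for row in rows:
        reasons = weakness_reasons(row["password"])
        if reasons:
            weak[row["url"]] = reasons
    http_only = [row["url"] for row in rows if row["url"].lower().startswith("http://")]
    return {"reused": reused, "weak": weak, "http_only": http_only}


if __name__ == "__main__":
    report = audit(SAMPLE_CSV)
    for key, urls in report["reused"].items():
        print(f"REUSED ({len(urls)} sites, variants of {key!r}): {', '.join(urls)}")
    for url, reasons in report["weak"].items():
        print(f"WEAK    {url}: {'; '.join(reasons)}")
    for url in report["http_only"]:
        print(f"HTTP    {url}: site does not use HTTPS")
```

Run it against your own export by replacing SAMPLE_CSV with the file's contents; the three MyPassword variants land in one reuse group, the xkcd phrase is flagged despite its length, and the random 16-character password passes.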


How to Check If Your Passwords Have Been Exposed in a Data Breach

Have I Been Pwned (haveibeenpwned.com) is the standard reference. It's run by security researcher Troy Hunt and aggregates data from over 12 billion breached accounts. Enter your email address and it tells you which breaches included your credentials.

For checking individual passwords without handing them over to a third party, Have I Been Pwned uses a k-anonymity scheme. At haveibeenpwned.com/Passwords your browser computes the SHA-1 hash of the password locally and sends only the first five hex characters of that hash; the service returns every hash suffix it knows with that prefix (typically several hundred), and the comparison happens on your device. Your actual password, and even its full hash, never leaves the machine.
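The exchange above, as an added example that is not code from the article or from Have I Been Pwned: the prefix split and the SUFFIX:COUNT response format are the documented range-API protocol, and the endpoint URL is the real one, but the response body below is constructed so the check runs offline (a live response for a prefix has hundreds of lines and different counts).

```python
"""Check a password against the Have I Been Pwned range API without sending it.

Added example; not code from the article or from HIBP. Only SHA-1("password")
and its prefix/suffix below are real; the counts and other lines are made up.
"""
import hashlib
from typing import Callable

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def split_hash(password: str) -> tuple[str, str]:
    """Hash locally; only the first five hex characters ever leave the device."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse SUFFIX:COUNT lines. With the Add-Padding request header the
    server mixes in fake suffixes with count 0 to hide the true response
    size; those are dropped here."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        if count.strip().isdigit() and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


# Constructed stand-in for the response to /range/5BAA6 (the prefix of
# SHA-1("password")). The first suffix is real; everything else is invented,
# and the last line imitates a padding entry.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "00000C2A2E7B3D4F5A6B7C8D9E0F1A2B3C4:12\n"
        "FFFFF0123456789ABCDEF0123456789ABCD:0\n"
    ),
}


def offline_fetch(prefix: str) -> str:
    """Demo transport: answer from the constructed table instead of the network."""
    return SAMPLE_RANGES.get(prefix, "")


def online_fetch(prefix: str) -> str:
    """Real transport (not used by the demo): GET the range with padding enabled."""
    import urllib.request
    req = urllib.request.Request(
        RANGE_URL.format(prefix=prefix),
        headers={"Add-Padding": "true", "User-Agent": "password-audit-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str] = offline_fetch) -> int:
    """How many times the password appears in the breach corpus (0 = not seen).
    The full hash is never passed to the transport, only the prefix."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "Xk7#mN2pQrL8@vJw"):
        n = breach_count(candidate)        # pass fetch=online_fetch for a live check
        print(f"{candidate!r}: seen {n} times" if n else f"{candidate!r}: not found")
```

The transport is a parameter so the same logic runs against the constructed table or the real endpoint; note that the random 16-character password comes back clean even though its hash is never revealed to the server either.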

Most premium password managers run this same check automatically. Bitwarden Premium's exposed passwords report, 1Password's Watchtower, and Dashlane's dark web monitoring all surface compromised credentials as new breaches are loaded. Dashlane includes dark web monitoring on its paid plans, which is worth the price if you have accounts tied to a work email.


Step-by-Step: Fixing Your Worst Passwords First

Don't try to fix everything at once. Prioritize ruthlessly.

Fix in this order:

  1. Email accounts first. Your email is the master key — it resets everything else. If you use Gmail, Outlook, or iCloud Mail, those get new, unique passwords today.

  2. Financial accounts second. Banks, credit unions, PayPal, Venmo, any brokerage accounts.

  3. Breached or compromised passwords third. Whatever your audit tool flagged as appearing in a breach — change those immediately regardless of account type.

  4. Reused passwords fourth. Work through these systematically. Start with the accounts you use most often.

  5. Weak but not yet reused passwords last. These are lower priority but should still get updated within a week.

Trying to change 80 passwords in a single afternoon leads to mistakes. Changing 10 per day for a week is sustainable.


How to Create Strong Replacement Passwords That Actually Hold Up

The best passwords in 2026 are generated randomly and never memorized.

Characteristics of a strong password:
- At least 16 characters (20+ is better)
- Completely random: no words, names, or patterns
- Unique to every single account
- Generated by a tool, not your brain

Every password manager has a built-in generator. In 1Password, hit the generate button and you get something like Xk7#mN2pQrL8@vJw — unguessable, unique, and stored securely. You never need to type it again because the manager fills it in.

If you need a memorable passphrase for something you type manually, like your computer login password, use the Diceware method: roll five dice per word to pick random words from the EFF long wordlist (7,776 words, so each word adds roughly 12.9 bits of entropy). The EFF recommends six words. Four random words in the style of correct-horse-battery-staple look strong, but that exact phrase is the famous xkcd example and sits in every cracking wordlist; the strength comes from the words being chosen by the dice, not by you, and from never using a phrase you have seen anywhere.


How to Secure Accounts That Don't Support Strong Passwords

Some systems — older corporate portals, certain government sites, some banking apps — cap passwords at 12 characters, ban special symbols, or have other bizarre restrictions. These are frustrating but manageable.

Within whatever limits exist, use a random generator set to the maximum allowed length and the widest character set the site accepts. Even a 10-character random alphanumeric password (about 59 bits of entropy) is far stronger than Summer2024!, which any cracking ruleset produces in seconds. Also: compensate for weak password requirements with strong two-factor authentication. Enable an authenticator app (Google Authenticator, Authy, or the built-in authenticator in 1Password or Bitwarden) on any account that limits password strength.

If a site only offers SMS-based two-factor authentication, use it anyway. It's better than nothing, just not as secure as an authenticator app: SMS codes can be intercepted by a SIM-swap attack on your phone number.
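Both the generator in the previous section and the "maximum allowed length, restricted character set" case here come down to uniform random picks with a cryptographic source, and the same function serves both. The block below is an added example, not code from the article, 1Password, or the EFF. It assumes the EFF long wordlist is a file of 7,776 lines shaped "11111<TAB>abacus" (the real format); because it must run offline, a constructed six-entry stand-in is embedded, and the entropy figures are computed for the real list size.

```python
"""Random password and Diceware passphrase generation with `secrets`.

Added example; not code from the article, any password manager, or the EFF.
SAMPLE_WORDLIST is a constructed stand-in for the 7776-entry EFF long list.
"""
import math
import secrets
import string

EFF_LONG_LIST_SIZE = 7776            # 6**5: five dice per word

# Constructed stand-in; load_eff_wordlist() reads the real file.
SAMPLE_WORDLIST = {
    "11111": "abacus", "11112": "abdomen", "11113": "abdominal",
    "11114": "abide", "11115": "abiding", "11116": "ability",
}

FULL_CHARSET = string.ascii_letters + string.digits + string.punctuation   # 94 chars
ALNUM_CHARSET = string.ascii_letters + string.digits                       # 62 chars


def load_eff_wordlist(path: str) -> dict[str, str]:
    """Parse the EFF file format: dice roll, tab, word."""
    words = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            roll, _, word = line.strip().partition("\t")
            if roll and word:
                words[roll] = word
    return words


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for `length` independent uniform picks from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20, charset: str = FULL_CHARSET) -> str:
    """Uniform random characters. Pass ALNUM_CHARSET and the site's maximum
    length for systems that ban symbols or cap the length."""
    if length < 1 or len(charset) < 2:
        raise ValueError("need a positive length and at least two characters")
    return "".join(secrets.choice(charset) for _ in range(length))


def roll_word(wordlist: dict[str, str]) -> str:
    """Roll five dice and look the result up, exactly as Diceware is done on paper.
    Requires a complete 7776-entry list; the sample list is too small."""
    roll = "".join(str(secrets.randbelow(6) + 1) for _ in range(5))
    return wordlist[roll]


def generate_passphrase(words: int = 6, wordlist=None, sep: str = "-") -> str:
    """Six random words from the full EFF list give about 77.5 bits."""
    wordlist = wordlist or SAMPLE_WORDLIST
    if words < 1:
        raise ValueError("need at least one word")
    if len(wordlist) == EFF_LONG_LIST_SIZE:
        picks = [roll_word(wordlist) for _ in range(words)]
    else:
        # Uniform choice over a partial list: same distribution, no dice.
        values = list(wordlist.values())
        picks = [secrets.choice(values) for _ in range(words)]
    return sep.join(picks)


if __name__ == "__main__":
    print("random 20:", generate_password(),
          f"({entropy_bits(20, len(FULL_CHARSET)):.1f} bits)")
    print("max 10, alnum:", generate_password(10, ALNUM_CHARSET),
          f"({entropy_bits(10, len(ALNUM_CHARSET)):.1f} bits)")
    print("passphrase:", generate_passphrase(),
          f"({entropy_bits(6, EFF_LONG_LIST_SIZE):.1f} bits with the full EFF list)")
```

Use `secrets`, never `random`, for anything that becomes a credential: `random` is seeded from predictable state and its output is reconstructible. The entropy numbers make the trade-off concrete: 20 random characters is about 131 bits, a 10-character alphanumeric password for a restrictive site about 59 bits, and a six-word Diceware phrase about 77 bits while still being typeable.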


How to Audit Passwords Across Multiple Devices and Browsers

If you use Chrome on your work laptop, Safari on your iPhone, and Firefox at home, you have three separate credential stores — and they don't talk to each other automatically.

The cleanest fix: consolidate everything into one password manager and disable built-in browser password saving. In Chrome, go to Settings > Autofill and passwords > Google Password Manager > Settings and turn off Offer to save passwords. In Safari on macOS, go to System Settings > Passwords > Password Options and turn off AutoFill Passwords and Passkeys. Then install your manager's browser extension so it handles saving and filling instead.

Import saved passwords from each browser into your chosen manager (most accept CSV imports), run the audit from a single dashboard, and then securely delete the CSV exports. This eliminates blind spots caused by fragmented storage across browsers and devices.


How Often Should You Audit Your Passwords?

Once per year is the baseline. Twice per year is better if you have more than 50 accounts or use your credentials for work purposes.

You should also run a quick spot check immediately after:
- Any major data breach announcement involving services you use
- Leaving a job (revoke access to shared accounts, update personal ones)
- A device gets lost, stolen, or sold
- You notice unexpected login activity on any account

The annual full audit catches slow drift — accounts you forgot you had, passwords you changed manually outside the manager, old logins no longer in use that should be deleted entirely.


How to Build a Password Audit Routine That Sticks

The audit only helps if you actually do it. The easiest way to make it stick is to attach it to something that already happens on a schedule.

Pick a recurring date — a lot of security people use the biannual clock change (spring and fall) as a trigger. Set a calendar event titled "Password Audit" that repeats twice per year. Block 45 minutes. That's all it takes once your password manager is set up and your credentials are consolidated.

Keep a running note (inside your password manager, encrypted) of any accounts you've deleted, unusual login attempts you've noticed, or devices you've revoked access from. This context makes each future audit faster and more useful.

Start today: download Bitwarden (free) or start a 1Password trial, import your browser's saved passwords, and run the breach and password health reports. Fix your email password first. Everything else can follow over the next week.