The 10-minute security audit every person should do

A fast, realistic checklist for normal people. The goal isn't perfection; it's closing the obvious gaps that attackers actually exploit every day. Ten focused minutes, ordered by impact.

April 9, 2026 · 6 min read · By Baris Ayarkan

The interactive checklist

Check off each step as you complete it. The hardest part is starting, so start with step 1 right now.

⏱ Minutes 1–2
Check your email for breach exposure

Use DataLeakz or HaveIBeenPwned to search your email address. If it appears in any breach that includes passwords, change that password immediately, especially if you reused it anywhere.

⏱ Minutes 3–4
Make your email password unique

Your email controls every other account through password resets. If it shares a password with anything else, change it now to a unique, strong password (16+ characters or a random passphrase). Store it in a password manager.

⏱ Minute 5
Confirm MFA is on for your email

Log into your email provider's security settings. If 2FA isn't enabled, enable it now. Use an authenticator app if available, not SMS. This single step stops the majority of email account takeovers.

⏱ Minute 6
Check recent login activity

Most email providers and major services show recent sign-in locations and devices. Look for anything unfamiliar: an unknown location, device, or time. If something's off, revoke the session and change your password.

⏱ Minute 7
Fix one reused password

Pick your most important reused password (bank, Apple/Google account, work) and replace it with a unique one. You don't have to fix everything, just one. If you install a password manager, it will generate and remember new ones automatically.

⏱ Minute 8
Place a credit freeze if your SSN may be exposed

If you're in the US and suspect your SSN was in a breach (like National Public Data), freeze your credit at Equifax, Experian, and TransUnion. It's free and takes about 5 minutes per bureau online. See our NPD breach guide for details.

⏱ Minute 9
Review recovery options

Check that your backup email and recovery phone number are current for your important accounts. Outdated recovery info is a common cause of account lockouts, and attackers can exploit old recovery contacts to gain access.

⏱ Minute 10
Pick one follow-up task to do this week

Install a password manager, upgrade 2FA on your bank, or check your credit report. One concrete next action is worth more than a vague intention to "improve security." Write it down or set a calendar reminder.

Why this order matters

Security advice often treats all accounts as equal. They're not. Your email account is the master key — everything else recovers through it. If an attacker gets into your email, they can reset every other password. That's why it comes first, before your bank, before your work account, before anything else.

After your email, the priority is: financial accounts, identity documents (SSN/credit), your main Apple/Google/Microsoft account, then everything else. A breach at a gaming site matters less than a breach at your email provider.

Repeat this every 3–4 months

Breaches are discovered on a delay. Data that's newly appeared in breach databases may have been stolen months earlier. A regular check means you catch exposure before attackers act on it.
