How to Audit All Your Passwords in 30 Minutes
Most people have 70–150 accounts. A password audit identifies reused, weak, and breached credentials. Here is the 30-minute process.
Why most people have at least 3 compromised passwords
The Have I Been Pwned database contains over 12 billion stolen credentials. If you've been online for more than 5 years and reused passwords at all, statistically you have multiple compromised credentials in active use. Most people don't know because no one told them, and checking manually takes too long.
This guide gives you a structured 30-minute process to audit your password security, find the worst problems, and fix them in priority order.
Step 1: Get your password list (5 minutes)
If you use a password manager: export a CSV. If you don't use one (change that after this audit), export your browser's saved passwords. In Chrome: Settings → Passwords → Export. In Safari: Settings → Passwords → Export All Passwords.
Keep this export local; it is a plaintext file. Delete it securely when done.
Step 2: Run breach checks (5 minutes)
Use PassGeni's Breach Checker to check your most important account passwords. It uses k-anonymity — only the first 5 hex characters of your password's SHA-1 hash are sent to the HIBP API, which returns every leaked hash suffix in that range so the comparison happens locally. Your actual password never leaves your browser.
Priority order for checking: email account (recovery for everything), banking, work email, password manager master password, social media (used for "Login with" flows).
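To make the k-anonymity step concrete, here is an added example (not PassGeni's code, and not an HIBP client they publish) that does the same range lookup by hand: hash the password with SHA-1, send only the 5-character prefix, and match the remaining 35 characters against the returned `SUFFIX:COUNT` lines locally. The response body below is constructed so the block runs offline; the only real value in it is the SHA-1 remainder of the string "password", and its count is made up. The `fetch_range_live` function targets the real range endpoint and is provided for reference only.

```python
import hashlib
import urllib.request

# Constructed stand-in for the body the range endpoint returns for prefix "5BAA6":
# one "SUFFIX:COUNT" line per leaked hash whose SHA-1 starts with that prefix.
# The first two suffixes are made up; the third is the real remainder of
# SHA-1("password"), with a constructed count.
SAMPLE_RANGE_RESPONSE = "\n".join([
    "0" * 34 + "1:3",
    "0" * 34 + "2:1",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456",
]) + "\n"


def split_hash(password: str):
    """Return (prefix, suffix): the first 5 and remaining 35 hex chars of SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are skipped."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_offline(prefix: str) -> str:
    """Offline fetcher used by default: serves the constructed sample only."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def fetch_range_live(prefix: str) -> str:
    """Real lookup against the HIBP range endpoint (not called by default).
    Add-Padding asks the API to pad the response with count-0 filler entries,
    so response size leaks nothing about the range."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "password-audit-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range_offline) -> int:
    """How many times the password appears in the range; 0 means not found.
    Padded filler entries carry count 0, so they never register as a hit."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "xK9!vQ2m-pL7"):
        print(candidate, "->", breach_count(candidate))
```

Only `prefix` ever goes over the wire; the full hash and the password stay in the process. To run it against the real service, pass `fetch=fetch_range_live`.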
Step 3: Check entropy (5 minutes)
Paste each password into PassGeni's Strength Checker. You're looking for:
- Entropy below 60 bits → weak, replace immediately
- Crack time under 1 year → weak, replace this month
- DNA Score below B → review and consider replacing
Step 4: Find duplicates (5 minutes)
Sort your password list by the password column so identical values sit together. Identical passwords for different sites are a credential stuffing liability: if site A gets breached, attackers will try that password on every site in your list. Flag every duplicate.
Step 5: Prioritise what to fix (5 minutes)
Create a priority list using this framework:
- P1 — Fix today: compromised in a breach and either reused elsewhere or used for email, banking, or your password manager
- P2 — Fix this week: compromised in a breach but not reused, or a low-entropy password on an important account
- P3 — Fix this month: duplicate passwords on lower-priority accounts
- P4 — Fix eventually: weak passwords on accounts holding no personal data
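Steps 3 to 5 can be run over the export from step 1 in one pass. The following is an added example, not PassGeni's scoring or any tool the guide mentions: it reads a CSV in the Chrome export layout (name,url,username,password), estimates entropy from the character classes used (a plain length times log2(charset) figure, not the DNA Score), flags duplicates, and applies the P1 to P4 framework. The CSV rows, the set of "breached" passwords (standing in for step 2's results), and the keywords used to recognise email, banking and password-manager accounts are all constructed for the example.

```python
import csv
import io
import math
import string
from dataclasses import dataclass
from typing import Optional, List

# Constructed sample in the column layout of a Chrome saved-password export.
# Every account, username and password here is made up.
SAMPLE_EXPORT = """name,url,username,password
Gmail,https://mail.google.com,alice,Summer2019!
Facebook,https://facebook.com,alice,Summer2019!
Bank,https://bank.example,alice,Bank1234
Forum,https://forum.example,alice,Winter2020Pass!!
Shop,https://shop.example,alice,Winter2020Pass!!
Newsletter,https://news.example,alice,qwerty12
Password manager,https://vault.example,alice,v9#Kq2!pLm7&Zr4wXe
"""

# Constructed: passwords that the step 2 breach check reported as compromised.
BREACHED = {"Summer2019!"}

# Assumed heuristic for the guide's highest-value accounts (email, banking,
# password manager): matched against the lower-cased name and URL.
CRITICAL_KEYWORDS = ("mail", "bank", "password manager")
WEAK_BITS = 60.0  # the guide's "replace immediately" threshold


@dataclass
class Finding:
    name: str
    bits: float
    reused: bool
    breached: bool
    critical: bool
    priority: Optional[str]  # "P1".."P4", or None when nothing needs fixing


def estimate_entropy_bits(password: str) -> float:
    """length * log2(charset size), counting only the printable-ASCII classes present.
    This is an upper bound: it assumes every character was chosen uniformly."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 symbols
    return len(password) * math.log2(size) if size else 0.0


def is_critical(name: str, url: str) -> bool:
    haystack = f"{name} {url}".lower()
    return any(k in haystack for k in CRITICAL_KEYWORDS)


def assign_priority(breached: bool, reused: bool, weak: bool, critical: bool) -> Optional[str]:
    """The guide's P1..P4 framework, evaluated top-down so the worst case wins."""
    if breached and (reused or critical):
        return "P1"
    if breached or (weak and critical):
        return "P2"
    if reused:
        return "P3"
    if weak:
        return "P4"
    return None


def audit(csv_text: str, breached: set = BREACHED) -> List[Finding]:
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # Step 4: a password is a duplicate when it appears on more than one row.
    use_count = {}
    for row in rows:
        use_count[row["password"]] = use_count.get(row["password"], 0) + 1
    findings = []
    for row in rows:
        pw = row["password"]
        bits = estimate_entropy_bits(pw)
        critical = is_critical(row["name"], row["url"])
        reused = use_count[pw] > 1
        prio = assign_priority(pw in breached, reused, bits < WEAK_BITS, critical)
        findings.append(Finding(row["name"], round(bits, 1), reused, pw in breached, critical, prio))
    # Sort so P1 comes first and accounts needing no action go last.
    findings.sort(key=lambda f: (f.priority is None, f.priority or ""))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f"{f.priority or 'OK':<3} {f.name:<17} {f.bits:>6.1f} bits"
              f"{'  reused' if f.reused else ''}{'  breached' if f.breached else ''}")
```

Because the framework is applied top-down, a breached and reused password on a throwaway account still lands in P1, which matches the guide's reasoning: it is the reuse, not the account, that makes it urgent.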
Step 6: Generate replacements (10 minutes)
Use PassGeni's password generator with the appropriate compliance preset for each account type:
- Work accounts with HIPAA/SOC 2 requirements → use the matching preset
- Personal accounts → 18+ characters, all character types enabled
- Accounts you need to type (TV, game console) → passphrase mode, 4 words
Store everything in a password manager immediately. Don't try to remember generated passwords — that defeats the purpose.
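For readers who want to see what a sound generator does under the hood, here is an added example, not PassGeni's generator: it uses the operating system's CSPRNG via Python's `secrets` module, guarantees one character from each class in character mode, and picks words uniformly from a list in passphrase mode. The symbol set and the small word list are constructed for the example; for real passphrases a large diceware-style list (such as the EFF long list of 7776 words) is assumed, and `passphrase_bits` shows why word-count and list size matter.

```python
import math
import secrets
import string

# Constructed symbol set; any fixed set of printable symbols works.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)

# Constructed mini word list so the block runs offline. A real passphrase needs
# a large list; the entropy figures below assume that, not this list.
WORDLIST = ["anchor", "basil", "canyon", "delta", "ember", "falcon", "garnet",
            "harbor", "iris", "juniper", "kestrel", "lumen", "meadow", "nectar",
            "orbit", "pebble", "quartz", "ridge", "saffron", "timber", "umber",
            "velvet", "willow", "xenon", "yarrow", "zephyr"]


def generate_password(length: int = 18) -> str:
    """Random password of the given length with every class represented."""
    if length < len(CLASSES):
        raise ValueError("length must allow one character per class")
    # One character from each class up front, then fill from the full alphabet.
    chars = [secrets.choice(cls) for cls in CLASSES]
    alphabet = "".join(CLASSES)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by the CSPRNG, so the guaranteed characters
    # do not always sit in the first four positions.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def has_all_classes(password: str) -> bool:
    return all(any(c in cls for c in password) for cls in CLASSES)


def generate_passphrase(words: int = 4, wordlist=WORDLIST, sep: str = "-") -> str:
    """Passphrase mode: words chosen uniformly and independently from the list."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a uniformly chosen passphrase: words * log2(list size)."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    print(generate_password())
    print(generate_passphrase())
    print(f"4 words from a 7776-word list: {passphrase_bits(4, 7776):.1f} bits")
```

Four words from a 7776-word list give about 51.7 bits, which is why the guide reserves passphrase mode for accounts you must type by hand; for everything else the 18-character preset stored in a manager is both stronger and never typed.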
Ongoing: set a quarterly reminder
This audit should take 30 minutes once you have a password manager. Set a quarterly reminder to run steps 2 and 3 on your most important accounts. New breaches happen constantly — yesterday's safe password may be in a dataset tonight.