Security Check

Evaluate the strength of your security posture across email, devices, networks, accounts, and data backups.

Overview

A security check evaluates the defensive measures you have in place to protect your digital life. While a digital audit helps you understand what you have, a security check tells you how well it is protected.

This assessment covers five core areas: email security, device security, network security, account security, and data backups. Each section includes a practical checklist you can work through. As you go, note which items you can check off and which ones represent gaps. At the end, you will score your results and identify your most pressing priorities.

Be honest with yourself as you work through this assessment. The goal is not a perfect score — it is a clear understanding of where you stand and what to improve first.


Email Security

Your email account is arguably the most important digital account you own. It serves as the recovery mechanism for nearly every other account, making it the single biggest target for attackers. If someone gains access to your email, they can reset passwords across your entire digital life.

Core Protections

Email password is unique — not used on any other account
Your email is the master key to your digital life. If your email password is shared with even one other account, a breach there gives attackers access to everything. Use a password manager to generate and store a unique password. Beginner
Email password is at least 16 characters long
Length is the single most important factor in password strength. A 16-character password is exponentially harder to crack than an 8-character one. Use your password manager to generate a long random password — you do not need to memorize it. Beginner
Two-factor authentication (2FA) is enabled
Multi-factor authentication (MFA), of which 2FA is the most common form, requires a second verification step beyond your password. Even if someone steals your password, they cannot access your account without the second factor. Enable it now in your email account's security settings. See our MFA guide. Beginner
Using an authenticator app or hardware key for 2FA
SMS codes can be intercepted through SIM swapping attacks. Authenticator apps (like Google Authenticator, Authy, or Microsoft Authenticator) generate codes locally on your device and are significantly more secure. Hardware keys (like YubiKey) are the strongest option. Intermediate
Recovery email address is current and secure
If you get locked out, your recovery email is how you regain access. Make sure it points to an active email you control, and that the recovery email itself is secured with a strong password and MFA. Beginner
Recovery phone number is current
Ensure the phone number on file is one you currently own and control. If you changed phone numbers, update this immediately — an old number may have been reassigned to someone else. Beginner
Reviewed active sessions and removed unrecognized devices
Most email providers show you a list of devices and locations currently signed into your account. Review this list and sign out anything you do not recognize. If you see suspicious activity, change your password immediately. Intermediate

Advanced Protections

Using email aliases for online shopping and signups
Creating alias addresses (like yourname+shopping@email.com or a separate address entirely) limits the blast radius if a retailer gets breached. It also helps you identify which services are selling your email address when you start receiving spam to a specific alias. Intermediate
Reviewed email forwarding rules for unauthorized forwarding
Attackers who gain temporary access to your email often set up forwarding rules to silently copy all your incoming mail to their own address. Check your email settings for any forwarding rules you did not create, and remove them immediately. Advanced
Can identify phishing emails and avoid suspicious links
Phishing emails impersonate trusted senders to trick you into clicking malicious links or entering credentials on fake sites. Key signs include urgency ("Act now!"), generic greetings, mismatched sender addresses, and suspicious links. When in doubt, navigate directly to the website rather than clicking any link. Intermediate
Using encrypted email for sensitive communications
Standard email is not encrypted end-to-end, meaning your provider and potentially others can read the content. For truly sensitive communications, consider encrypted email services or encryption extensions. This is mainly important for high-risk individuals or sensitive professional communications. Advanced
Disabled automatic image loading to prevent tracking
Many marketing emails embed invisible tracking pixels — tiny images that notify the sender when you open the email, revealing your IP address and location. Disabling automatic image loading in your email client prevents this passive tracking. Advanced
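
An added example, not part of the original page: a small Python check you can run over an HTML email body to flag two of the signs described in the checklist above, namely links whose visible text names a different host than the one they open, and remote images sized or styled to be invisible. The sample message and every domain in it are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body; every domain is a made-up .test name.
SAMPLE_HTML = """
<html><body>
<p>Dear customer, act now to keep your account active.</p>
<a href="https://login.example-verify.test/reset">https://www.examplebank.test/login</a>
<a href="https://www.examplebank.test/help">Help center</a>
<img src="https://cdn.examplebank.test/logo.png" width="200" height="60">
<img src="https://track.mailer.test/open?id=abc123" width="1" height="1">
<img src="https://track.mailer.test/o.gif" style="display:none">
</body></html>
"""

# A hostname written out in link text, with or without a scheme in front.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def _bare(host):
    """Lower-case a hostname and drop a leading 'www.' for comparison."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


class MailHtmlAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.mismatched_links = []   # (host shown in text, host in href)
        self.tracking_images = []    # src of remote invisible images
        self._href = None            # href of the <a> currently open
        self._text = []              # visible text collected inside it

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            self._check_image(a)
        elif tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self._check_link(self._href, "".join(self._text).strip())
            self._href = None

    def _check_image(self, a):
        src = a.get("src") or ""
        if urlsplit(src).scheme not in ("http", "https"):
            return  # embedded (cid:/data:) images do not contact a server
        style = (a.get("style") or "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            self.tracking_images.append(src)

    def _check_link(self, href, text):
        shown = HOST_IN_TEXT.search(text)
        actual = urlsplit(href).hostname
        if not shown or not actual:
            return  # text is not a hostname, or href is mailto:/relative
        shown_host, actual_host = _bare(shown.group(1)), _bare(actual)
        # A subdomain of the host shown in the text is treated as a match.
        if actual_host != shown_host and not actual_host.endswith("." + shown_host):
            self.mismatched_links.append((shown_host, actual_host))


def audit_html(html):
    """Return the suspicious links and images found in an HTML email body."""
    parser = MailHtmlAudit()
    parser.feed(html)
    parser.close()
    return {"mismatched_links": parser.mismatched_links,
            "tracking_images": parser.tracking_images}


if __name__ == "__main__":
    for kind, hits in audit_html(SAMPLE_HTML).items():
        print(kind, hits)
```

These are heuristics: a clean result does not prove a message is safe, and a legitimate newsletter will often trip the image check.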

Device Security

Your devices — phones, laptops, tablets, and desktops — are the physical gateways to your digital accounts. A compromised device can bypass even the strongest online security measures because attackers gain access to everything on the device, including saved passwords, active sessions, and authentication apps.

Mobile Device Security

Your phone has a strong lock screen (six-digit PIN minimum, biometric, or passphrase)
Your phone contains your email, banking apps, authenticator codes, and personal photos. A four-digit PIN has only 10,000 combinations and can be brute-forced quickly. Use at least a six-digit PIN, or better yet, biometric authentication (fingerprint or face recognition) combined with a strong passcode. Beginner
Your phone's operating system is up to date with the latest security patches
Mobile operating system updates fix security vulnerabilities that attackers actively exploit. Enable automatic updates in your phone's settings so patches are applied as soon as they are available. If your phone no longer receives security updates, it may be time to consider upgrading. Beginner
You only install apps from official app stores
Official app stores (Apple App Store and Google Play Store) review apps for malware and malicious behavior before listing them. Sideloading apps from other sources bypasses these protections and significantly increases your risk of installing malware. Stick to official stores for all app installations. Beginner
You review app permissions regularly and revoke unnecessary access (camera, microphone, location, contacts)
Many apps request more permissions than they need. A flashlight app does not need access to your contacts or location. Review app permissions in your phone's settings periodically and revoke any access that is not essential for the app's core function. See our privacy guide for more details. Intermediate
Find My Device (or equivalent) is enabled so you can locate, lock, or wipe your phone remotely
If your phone is lost or stolen, Find My Device (iPhone) or Find My Phone (Android) lets you locate it on a map, remotely lock it with a message, or erase all data to prevent unauthorized access. Enable this feature now — you cannot turn it on after the phone is gone. Beginner
Your phone encrypts its storage by default (most modern phones do, but verify)
Encryption scrambles the data on your phone so it cannot be read without your passcode. Most modern iPhones and Android devices enable encryption by default, but older devices may require manual activation. Check your phone's security settings to confirm encryption is active. Intermediate
You do not use public USB charging stations (which can be compromised)
Public USB charging stations can be modified to transfer data or install malware while your phone charges — an attack known as "juice jacking." Use your own charger plugged into a wall outlet, carry a portable battery pack, or use a USB data blocker dongle that only allows power to pass through. Intermediate
Bluetooth is turned off when not in use
Bluetooth vulnerabilities are discovered regularly, and an active Bluetooth connection broadcasts your device's presence to anyone nearby. When you are not actively using Bluetooth for headphones, a car connection, or another device, turn it off to reduce your attack surface. Beginner

Computer Security

Your operating system is up to date with automatic updates enabled
Operating system updates patch known security vulnerabilities that attackers actively exploit. Enable automatic updates so you are protected as soon as patches are released. Delaying updates leaves you exposed to threats that are already public knowledge. Beginner
You have active antivirus or endpoint protection software
Antivirus software provides a baseline defense against malware, ransomware, and other threats. Windows Defender (built into Windows) is a solid free option. Mac users benefit from built-in protections but may want additional software for enhanced protection. Keep your antivirus definitions up to date. Beginner
Your user account has a strong password and auto-lock is enabled after inactivity
If you walk away from your computer, anyone nearby can access everything on it unless it locks automatically. Set auto-lock to activate after a short period of inactivity (five minutes or less) and use a strong password or biometric authentication to unlock. Beginner
Your hard drive is encrypted (FileVault on Mac, BitLocker on Windows, LUKS on Linux)
Full-disk encryption ensures that if your computer is lost or stolen, the data on it is unreadable without your password. FileVault, BitLocker, and LUKS are built into their respective operating systems and can be enabled in system settings. This is especially critical for laptops. Intermediate
Your web browser is up to date and configured to block third-party cookies
Browsers are a primary attack surface because they process untrusted content from the internet. Keep your browser updated for security patches and block third-party cookies to reduce tracking. See our privacy guide for more browser hardening tips. Beginner
You do not have unnecessary browser extensions installed (each one is a potential vulnerability)
Browser extensions can read and modify everything you see on the web, including passwords and banking information. Only install extensions you actively use from trusted developers, and remove the rest. Review your installed extensions periodically — even legitimate extensions can be sold to malicious actors. Intermediate
Firewall is enabled on your operating system
A firewall monitors and controls incoming and outgoing network traffic based on security rules. Both Windows and macOS include built-in firewalls — make sure yours is turned on. It provides an important layer of defense against unauthorized network connections to your computer. Beginner
You regularly restart your computer to ensure security updates take effect
Many security updates require a restart to fully install and take effect. If you rarely restart your computer, you may be running with unpatched vulnerabilities even after updates have been downloaded. Restart at least once a week to ensure all pending updates are applied. Beginner

Network Security

Your network is the pathway between your devices and the internet. An insecure network can allow attackers to intercept your traffic, capture passwords, and monitor your activity — even if your devices and accounts are otherwise well protected.

Home Network

Your Wi-Fi router uses WPA3 encryption (or WPA2 at minimum — never WEP)
WPA3 is the latest and most secure Wi-Fi encryption standard. WPA2 is still acceptable, but WEP is completely broken and can be cracked in minutes. Check your router's wireless security settings and upgrade to WPA3 if your router supports it. Intermediate
Your Wi-Fi password is strong, unique, and not the default that came with the router
Default Wi-Fi passwords are often printed on a sticker on the router and may follow predictable patterns. Change yours to a strong, unique passphrase. Anyone within range of your Wi-Fi signal can attempt to connect, so a weak password puts your entire home network at risk. Beginner
Your router's admin password has been changed from the factory default
The admin password controls your router's settings — not just Wi-Fi access. Default admin credentials (often "admin/admin" or "admin/password") are publicly known. If an attacker accesses your router's admin panel, they can redirect your traffic, change DNS settings, or open your network to further attacks. Beginner
Your router's firmware is up to date
Router firmware updates patch security vulnerabilities just like operating system updates do. Many routers do not update automatically, so you need to check periodically. Log into your router's admin panel and look for a firmware update option, or check the manufacturer's website. Intermediate
You have disabled WPS (Wi-Fi Protected Setup), which has known vulnerabilities
WPS was designed to make connecting devices easier by using a PIN or button press. However, the WPS PIN can be brute-forced in hours, giving an attacker your Wi-Fi password. Disable WPS in your router settings — the convenience is not worth the security risk. Intermediate
You know which devices are connected to your home network and can identify all of them
Unrecognized devices on your network could indicate unauthorized access. Log into your router's admin panel and review the list of connected devices. If you see devices you cannot identify, change your Wi-Fi password and reconnect only your known devices. Intermediate
Remote management of your router is disabled
Remote management allows your router's admin panel to be accessed from outside your home network — over the internet. Unless you have a specific need for this, disable it. An exposed admin panel is a prime target for automated attacks scanning the internet for vulnerable routers. Intermediate
You have a separate guest network for visitors and IoT devices
A guest network isolates visitors and smart home devices from your main network, where your computers and phones operate. This way, a compromised IoT device or a guest's infected laptop cannot reach your primary devices. Most modern routers support creating a separate guest network in their settings. Advanced

Public and Mobile Networks

You use a VPN when connecting to public Wi-Fi networks (coffee shops, airports, hotels)
Public Wi-Fi networks are inherently untrusted — anyone on the same network can potentially intercept your traffic. A VPN encrypts all your internet traffic between your device and the VPN server, preventing eavesdropping even on compromised networks. Intermediate
You avoid logging into sensitive accounts (banking, email) on public Wi-Fi without a VPN
If you must use public Wi-Fi without a VPN, avoid accessing your most sensitive accounts entirely. Banking credentials and email passwords captured on public Wi-Fi can lead to devastating consequences. Wait until you are on a trusted network, or use cellular data instead. Beginner
Your devices are set to not automatically connect to open Wi-Fi networks
When your device automatically connects to open networks, it can be tricked into joining malicious hotspots that mimic legitimate ones. Disable auto-join for open networks in your Wi-Fi settings so you always make a conscious choice about which networks to use. Beginner
You verify the official network name before connecting in public places (to avoid fake hotspots)
Attackers create fake Wi-Fi networks with names similar to legitimate ones — for example, "Starbucks_Free" instead of "Starbucks WiFi." Always confirm the exact network name with staff before connecting. A fake hotspot can intercept all your traffic and serve phishing pages. Intermediate
You use your phone's cellular data as a hotspot when a VPN is not available
Your cellular connection is significantly more secure than public Wi-Fi because the traffic is encrypted between your phone and the cell tower. When you need internet access in public and do not have a VPN, tethering to your phone's cellular data is a safer alternative. Beginner

Account Security

Account security focuses on the authentication and access controls that protect your online accounts. Even with strong email, device, and network security, weak account-level protections can leave you exposed.

Password Practices

You use a dedicated password manager to generate and store unique passwords
A password manager is the foundation of good account security. It generates strong, random passwords for every account and remembers them for you. You only need to memorize one master password. Popular options include Bitwarden, 1Password, and KeePass. Beginner
Your password manager is protected by a strong master password that you have memorized
Your master password is the one password you must memorize, so make it strong — at least 16 characters, ideally a passphrase of random words. Never write it down digitally. If someone cracks your master password, they gain access to every password in your vault. Beginner
You do not reuse passwords across any accounts
Password reuse is the number one way accounts get compromised through credential stuffing — attackers take leaked credentials from one breach and try them on thousands of other sites. A password manager makes unique passwords effortless. Check our password checker to evaluate your current passwords. Beginner
You do not store passwords in plain text files, sticky notes, or unencrypted documents
Plain text password storage — whether in a notes app, a spreadsheet, or on paper stuck to your monitor — is easily accessible to anyone who gains physical or remote access to your device. Migrate all stored passwords to an encrypted password manager. Beginner
You have changed the default passwords on all devices and services
Default passwords for routers, smart home devices, and other hardware are publicly known and listed in online databases. Attackers routinely scan for devices still using factory defaults. Change every default password to a unique one stored in your password manager. Beginner
None of your passwords are based on personal information (names, birthdays, pet names, addresses)
Information about you is surprisingly easy to find through social media, public records, and data brokers. Passwords based on personal details can be guessed by attackers who research their targets. Use randomly generated passwords from your password manager instead. Beginner

Authentication Practices

Two-factor authentication is enabled on all accounts that support it
MFA is the single most effective defense against unauthorized access. Enable it on every account that offers it, starting with email, banking, and social media. See our MFA guide for step-by-step instructions. Beginner
You prefer authenticator apps or hardware keys over SMS for 2FA codes
SMS-based codes can be intercepted through SIM swapping attacks, where an attacker convinces your carrier to transfer your number. Authenticator apps generate codes locally on your device, and hardware keys like YubiKey provide the strongest protection against phishing. Intermediate
You have backup codes stored securely for your most important accounts
If you lose your phone or hardware key, backup codes are your emergency access method. Store them in your password manager or print them and keep them in a secure physical location like a safe. Without backup codes, losing your 2FA device could permanently lock you out. Intermediate
You have reviewed and removed third-party app connections you no longer use
Over time, you accumulate third-party apps with access to your accounts — "Sign in with Google" connections, OAuth grants, and API tokens. Each one is a potential entry point. Review connected apps in your account settings and revoke access for anything you no longer use. Beginner
You receive login notifications or alerts for your important accounts
Login alerts notify you immediately when someone accesses your account from a new device or location. This early warning allows you to take action quickly if an unauthorized login occurs. Enable these notifications in the security settings of your most important accounts. Beginner
You review active sessions periodically and log out from devices you no longer use
Old sessions on devices you have sold, given away, or simply stopped using can remain active indefinitely. Check the active sessions list in your account security settings and revoke access for any device or location you do not recognize or no longer use. Intermediate
You use passkeys where available as a phishing-resistant authentication method
Passkeys are a newer authentication method that replaces passwords entirely with cryptographic keys tied to your device. They are virtually immune to phishing because they only work on the legitimate website. Major services like Google, Apple, and Microsoft now support passkeys — enable them where available. Advanced

Data Backup Assessment

Backups are your safety net. Whether it is a ransomware attack, a device failure, an accidental deletion, or a natural disaster, reliable backups ensure that your important data is never truly lost. Yet many people either do not back up at all or have backups they have never tested.

Backup Coverage

You have identified your most important files and data (documents, photos, financial records)
Before you can back up effectively, you need to know what matters most. Make a list of irreplaceable files — family photos, tax documents, legal records, creative work. This prioritization ensures your most critical data is protected first. A digital audit can help you catalog everything. Beginner
Your important data is backed up in at least two separate locations
A single backup is a single point of failure. If your backup drive fails or your cloud account is compromised, you lose everything. Having at least two separate backup locations — such as an external drive and a cloud service — provides meaningful redundancy. Beginner
You follow the 3-2-1 rule: three copies of your data, on two different types of media, with one copy stored offsite or in the cloud
The 3-2-1 rule is the gold standard for backup strategy. Three copies means your original plus two backups. Two different media types (e.g., internal drive and external drive, or local drive and cloud) protects against media-specific failures. One offsite copy protects against physical disasters like fire or theft. Intermediate
Your backups run automatically on a regular schedule
Manual backups are backups that do not happen. Set up automatic backup schedules so your data is continuously protected without relying on you to remember. Most backup software and cloud services support scheduled or continuous backup options. Beginner
Your cloud backup service encrypts your data both in transit and at rest
Encryption in transit protects your data while it is being uploaded to the cloud. Encryption at rest protects it while stored on the provider's servers. Verify that your backup service provides both, and consider services that offer zero-knowledge encryption where even the provider cannot read your data. Intermediate
Your local backup drive is encrypted
An unencrypted backup drive is a liability if it is lost or stolen — it contains a complete copy of your most important files. Enable encryption on your backup drive using FileVault (Mac), BitLocker (Windows), or LUKS (Linux) to ensure the data is unreadable without your credentials. Intermediate

Backup Reliability

You have actually tested restoring files from your backup within the past six months
A backup you have never tested is a backup you cannot trust. Regularly restore a few files to confirm that your backup process works correctly and that your data is intact. Many people discover their backups are corrupted or incomplete only when they need them most. Intermediate
Your backup includes application settings and configurations, not just files
Reinstalling applications is time-consuming, but reconfiguring them is even worse. Back up application preferences, browser bookmarks, and system settings so you can restore your full working environment, not just your documents. Intermediate
Your phone's photos and contacts are backed up automatically
Photos and contacts are often irreplaceable. Enable automatic cloud backup through iCloud, Google Photos, or a similar service so that new photos and contact changes are continuously protected without any manual effort. Beginner
Your password manager data is backed up or synced across devices
Your password manager holds the keys to your entire digital life. Ensure it syncs across your devices and that the provider maintains encrypted backups. Consider exporting an encrypted backup periodically as an additional safeguard. Beginner
You have a documented plan for restoring your digital life if your primary device is lost or destroyed
If your laptop were stolen tomorrow, would you know exactly what to do? Write down the steps: which accounts to secure first, where your backups are stored, what credentials you need to access them, and who to contact. Store this plan somewhere accessible even without your primary device. Advanced
Your backup storage has sufficient space and is not full or nearly full
A full backup drive silently stops protecting you. Check your backup storage regularly — both local drives and cloud storage — to ensure there is adequate free space. Set up notifications or reminders to monitor storage capacity. Beginner
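
An added example, not part of the original page: one way to carry out the restore test from the checklist above is to record a SHA-256 hash of each important file before backing up, then restore to a scratch folder and compare. The file names and contents in `demo()` are constructed, and the function names are this example's own.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so large photos or archives fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 hash."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest, restored_root):
    """Compare a restored folder against the manifest taken before backup."""
    restored_root = Path(restored_root)
    report = {"ok": [], "missing": [], "corrupt": []}
    for rel, expected in sorted(manifest.items()):
        target = restored_root / rel
        if not target.is_file():
            report["missing"].append(rel)      # never made it into the backup
        elif sha256_file(target) != expected:
            report["corrupt"].append(rel)      # restored, but contents differ
        else:
            report["ok"].append(rel)
    return report


def demo():
    """Constructed scenario: one good file, one truncated, one missing."""
    with tempfile.TemporaryDirectory() as tmp:
        source, restored = Path(tmp, "source"), Path(tmp, "restored")
        files = {
            "docs/tax-2025.txt": b"constructed tax record\n",
            "photos/family.jpg": b"\xff\xd8constructed image bytes" * 50,
            "notes.txt": b"constructed notes\n",
        }
        for rel, data in files.items():
            (source / rel).parent.mkdir(parents=True, exist_ok=True)
            (source / rel).write_bytes(data)
        manifest = build_manifest(source)

        # Simulate a restore in which the photo is cut short and the
        # notes file is absent.
        (restored / "docs").mkdir(parents=True)
        (restored / "photos").mkdir(parents=True)
        (restored / "docs/tax-2025.txt").write_bytes(files["docs/tax-2025.txt"])
        (restored / "photos/family.jpg").write_bytes(files["photos/family.jpg"][:100])
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for status, paths in demo().items():
        print(f"{status}: {paths}")
```

Keep the manifest somewhere other than the backup drive itself, so damage to the drive cannot alter both the files and the hashes used to check them.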

Scoring Your Results

Go back through each section and count how many checklist items you were able to check off. Use the following guide to assess your overall security posture:

How to Interpret Your Score

  • 90% or above — Strong — You have excellent security practices in place. Focus on the remaining gaps and maintaining your current posture. Consider helping family members improve their security as well.
  • 70% to 89% — Good — You have solid fundamentals, but there are meaningful gaps that could be exploited. Review the items you missed and prioritize those in the email and account security sections first.
  • 50% to 69% — Fair — You have some protections in place, but significant vulnerabilities remain. Start with the core protections in each section — strong unique passwords, two-factor authentication, and device updates.
  • Below 50% — Needs Attention — Your digital life has substantial security gaps. Do not be discouraged — everyone starts somewhere. Focus on three high-impact changes: set up a password manager, enable 2FA on your email, and update your devices.

Quick Security Assessment

Want a quick evaluation of your security habits? Take this short assessment to identify your biggest areas for improvement.

1. How do you manage your passwords?

2. Do you use multi-factor authentication (MFA)?

3. When did you last update your device software (phone, computer)?

4. How do you handle emails or messages asking you to click a link or verify your account?

5. Do you back up your important data?

6. How do you approach public WiFi?

7. Have you reviewed your social media privacy settings?

8. How many online accounts do you have that you no longer use?

This assessment runs entirely in your browser. No data is collected or stored.

Priority Actions by Score Range

Regardless of your score, these three actions provide the greatest security improvement for the least effort:

  1. Enable two-factor authentication on your email — This single step dramatically reduces the risk of your most important account being compromised.
  2. Start using a password manager — This eliminates password reuse, which is the most common way accounts get breached through credential stuffing attacks.
  3. Update all your devices — Software updates patch known security vulnerabilities that attackers actively exploit.

Next Steps

Your security check results give you a roadmap for improvement. Here is where to go next:

  • Password Checker — Evaluate the strength of your specific passwords and learn what makes them resistant to attack.
  • Protect — Access detailed, step-by-step guides for implementing the security measures in this checklist.
  • Digital Audit — If you have not done so yet, complete a full audit of your digital presence to ensure nothing is overlooked.
  • Learn — Deepen your understanding of the security principles behind these practices.

Content last reviewed: February 2026