Password Lockdown Checklist
A practical guide to securing passwords and locking down important accounts.
Priority Accounts First
Consider updating passwords in order of impact if someone gained access.
- Device access
  - Phone lock screen (PIN, pattern, or passcode)
  - Tablet and laptop login passwords
  - Any shared home computer profiles
- Primary communication
  - Main email accounts (personal and work, if appropriate)
  - Messaging accounts (e.g., text backup services, encrypted apps, social messaging)
  - Cloud accounts that sync contacts and messages
- Safety‑related and identity accounts
  - Accounts where you store documentation or evidence
  - Cloud storage services (photos, files, backups)
  - Government portals or ID services, if used
- Financial and access accounts
  - Banking and credit card accounts
  - Payment apps and online shopping accounts
  - Mobile phone account, internet account, utilities portals
- Location and smart‑home
  - Accounts that control GPS/location sharing
  - Smart‑home devices, cameras, locks, thermostats
  - Car apps or services with location or remote control
- Social and other online accounts
  - Social media and photo sharing platforms
  - Video calls and meeting platforms
  - Any account linked to your real name or phone number
For each account, you can note the date you changed the password and whether 2FA is turned on.
Password Rules
Options for strengthening passwords while keeping them memorable for you.
- Avoid easily guessed details
  - Do not use names, nicknames, or initials of partners, children, or pets
  - Avoid birthdays, anniversaries, addresses, or phone numbers
  - Avoid words or phrases an abusive person knows you use often
- Use length and variation
  - Aim for at least 12–16 characters when possible
  - Mix lowercase, UPPERCASE, numbers, and symbols
  - Consider using a long passphrase that only makes sense to you
- Make each password unique
  - Do not reuse passwords across important accounts
  - If reusing is unavoidable, avoid reusing for email, banking, or phone accounts
  - Change any passwords you know were shared, guessed, or exposed
- Consider a pattern that only you know
  - Create a base phrase known only to you
  - Add account‑specific elements (e.g., first and last letters of the service name)
  - Avoid patterns the other person might guess from your habits
- Storage choices
  - Decide whether to use a password manager, written list, or memorized system
  - If written down, store the list somewhere the other person cannot access
  - If using a password manager, secure it with a strong, unique master password
2FA Setup
Two‑factor authentication (2FA) adds a second step to logging in, beyond a password.
- Decide which 2FA method is safer in your situation
  - Text message codes to a phone number only you control
  - Authenticator apps (e.g., time‑based codes on your phone)
  - Physical security keys, if you have access to them
- Before turning on 2FA, check:
  - Who pays for and controls your phone number and device
  - Whether the other person knows or monitors your phone PIN
  - Whether your phone account password is secured first
- Turn on 2FA on high‑risk accounts first
  - Main email accounts (these can reset most other logins)
  - Phone account provider and cloud backup service
  - Banking, payment, and shopping accounts
  - Social media accounts that reveal your location or connections
- Review 2FA delivery settings
  - Confirm codes go to a secure device or app
  - Remove any phone numbers or devices you do not control
  - Turn off 2FA methods that send codes to a shared email or phone
- Check “trusted devices” and sessions
  - Review lists of devices that can log in without 2FA
  - Remove any devices, browsers, or locations you do not recognize
  - Consider revoking all sessions so logins start fresh
Backup Codes
Many accounts provide backup or recovery codes in case you lose access to 2FA.
- Locate backup code options
  - Check your account’s security or login settings
  - Generate backup codes for email, banking, and key apps
  - Confirm how many codes you get and how often you can replace them
- Store backup codes safely
  - Options: printed paper, secure notes, password manager
  - Keep physical copies somewhere the other person cannot access
  - Avoid saving codes in email or cloud notes the person can see
- Track usage
  - Note which codes have already been used
  - Regenerate a new set of backup codes after several are used or exposed
  - Shred or securely delete old lists of backup codes
- Plan for emergencies
  - Decide where you could safely access your backup codes if you are away from home
  - Consider a sealed copy with a trusted person, if safe in your situation
  - Check whether your plan depends on any device or location the other person controls
Recovery Email Strategies
Many accounts use a recovery email to reset passwords or receive alerts.
- Audit existing recovery settings
  - Review recovery email addresses connected to key accounts
  - Remove any recovery addresses the other person can access
  - Update old or unused recovery emails that you no longer control
- Set up a safer recovery email (if helpful)
  - Create a separate email used only for account recovery
  - Use a strong, unique password and 2FA on this recovery email
  - Avoid obvious addresses that include your full name or common nicknames
- Limit visibility and notifications
  - Turn off lock‑screen previews for recovery email notifications on shared devices
  - Check whether login alerts are being forwarded or shared
  - Adjust notification settings so sensitive alerts do not appear openly
- Phone number and backup options
  - Check if your accounts use a phone number as an extra recovery option
  - Remove numbers that are on shared plans or devices
  - Update to a number under your control only, if that is available and safe
- Document your setup
  - Keep a simple record of which recovery email is tied to which account
  - Note any accounts that still rely on shared or less secure recovery options
  - Review this list regularly as part of your overall digital safety plan
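One way to keep the record described above (password change date, 2FA status, recovery options) and turn it into a to-do list in the checklist's priority order. This is an added example, not part of the original checklist; the account names, field names, 2FA method labels and the `since` cut-off date are constructed for illustration, and the record holds no passwords.

```python
from datetime import date

# Priority order taken from the "Priority Accounts First" section above.
PRIORITY = ["device", "communication", "identity", "financial", "location", "social"]

# Constructed sample inventory (hypothetical accounts, not real data).
ACCOUNTS = [
    {"name": "photo-sharing", "category": "social", "password_changed": date(2024, 5, 2),
     "twofa": None, "recovery_shared": False},
    {"name": "main-email", "category": "communication", "password_changed": None,
     "twofa": "sms-shared-plan", "recovery_shared": True},
    {"name": "bank", "category": "financial", "password_changed": date(2024, 5, 1),
     "twofa": "authenticator", "recovery_shared": False},
    {"name": "phone-lock", "category": "device", "password_changed": date(2024, 4, 30),
     "twofa": "n/a", "recovery_shared": False},
]

# 2FA labels this example treats as under the user's sole control (assumed labels).
CONTROLLED_2FA = {"authenticator", "security-key", "sms-own-number", "n/a"}

def open_items(account, since):
    """Return the checklist steps still outstanding for one account."""
    todo = []
    changed = account["password_changed"]
    # A password last changed before the lockdown started counts as not yet changed.
    if changed is None or changed < since:
        todo.append("change password")
    if account["twofa"] is None:
        todo.append("turn on 2FA")
    elif account["twofa"] not in CONTROLLED_2FA:
        todo.append("move 2FA off shared phone/email")
    if account["recovery_shared"]:
        todo.append("replace shared recovery option")
    return todo

def lockdown_plan(accounts, since):
    """List accounts with outstanding steps, highest-impact category first."""
    ranked = sorted(accounts, key=lambda a: PRIORITY.index(a["category"]))
    return [(a["name"], open_items(a, since)) for a in ranked if open_items(a, since)]

if __name__ == "__main__":
    for name, todo in lockdown_plan(ACCOUNTS, since=date(2024, 4, 15)):
        print(f"{name}: {', '.join(todo)}")
```
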
For broader digital safety planning and connection to professional supports, some people review technology and privacy resources listed at DV.Support.