How to Audit Your Password Manager (And Actually Fix What You Find)


Most people set up a password manager, feel good about it, and never open the health reports. The weak passwords they imported from Chrome in 2021 are still in there. The reused credentials spread across five accounts are still in there. The manager organized the problem — it didn't fix it.

Running an audit takes 30 minutes. Here's how to do one that actually finds something.

What you need to know:

  • Breached passwords are the highest priority — if a password appears in a known data dump, change it before you do anything else. It's already on attacker lists.
  • Reused passwords are the second-highest risk. One breach anywhere in that group exposes every account sharing that password.
  • Bitwarden's Exposed Passwords report uses k-anonymity via Have I Been Pwned — your actual password never leaves your device. The check is genuinely privacy-preserving.
  • 1Password Watchtower flags accounts where passkeys are now available — useful if you're working through a passwordless upgrade.
  • Stale entries don't show up in automated reports. Forgotten accounts and defunct services are still open and still attached to your email address. Pruning them is attack surface reduction.

I run this audit quarterly across Bitwarden and 1Password and track what the reports actually surface. The priority order below comes from doing this in practice, not from a generic checklist.


What You're Looking For

Four categories of problems, in rough order of urgency:

Breached passwords — the password itself appeared in a known data dump. This doesn't mean your account was definitely compromised, but the password is now on lists that attackers run against login forms constantly.

Reused passwords — one password used across multiple accounts. One breach anywhere in that group means every account sharing that password is now exposed. This is how most account takeovers actually happen — not sophisticated attacks, just credential stuffing with lists from previous breaches.

Weak passwords — short, dictionary-based, or predictable patterns. These fall to brute force and targeted guessing. Lower urgency than the above two, but worth fixing while you're in the vault.

Accounts that should use passkeys — sites that added passkey support after you created the account. Worth upgrading as you go. The passwordless guide covers how passkeys work and where they're available.

There's a fifth category that doesn't show up in automated reports: stale entries. Accounts you haven't used in years, services that no longer exist, test credentials left behind. They're noise at best, attack surface at worst — and breaches like the LastPass incident are a reminder that even data you've forgotten about can end up exposed.


Bitwarden: Running the Reports

If you use Bitwarden, the health reports live under Reports in the left sidebar (web vault or desktop app). You need a Premium account or a paid organization plan for most of them — the exception is the Data Breach report, which is free for everyone.

Exposed Passwords is the one to run first.

It sends the first five characters of each password's SHA-1 hash to Have I Been Pwned — Troy Hunt's breach database, now indexing over 12 billion records from known data dumps. The HIBP server returns all hashes that match that 5-character prefix (roughly 800 on average), and Bitwarden compares your full hash locally. Your actual password never leaves your device. That's k-anonymity — the check is genuinely privacy-preserving.
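The range query described above, as an added example that is not Bitwarden's or HIBP's own code: it hashes each password, sends only the 5-character prefix to a stand-in for the range endpoint, and does the suffix comparison locally. The server class, the sample breach corpus and the sample vault are all constructed for the demonstration, and the filler line with count 0 only mimics the shape of HIBP's optional padding entries.

```python
"""Offline demonstration of the k-anonymity range query used for breach checks.
Added example; the fake server, corpus and vault below are constructed."""
import hashlib
from typing import Callable, Dict, List, Tuple


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the HIBP range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """Return (5-char prefix that goes over the network, 35-char suffix kept local)."""
    full = sha1_hex(password)
    return full[:5], full[5:]


class FakeRangeServer:
    """Stand-in for the HIBP range endpoint (constructed, not the real service).

    It only ever sees a 5-character prefix and answers with "SUFFIX:COUNT"
    lines for every stored hash sharing that prefix, the shape the real
    endpoint returns.
    """

    def __init__(self, breached: Dict[str, int]):
        # Index full hash -> occurrence count; the server never stores plaintext.
        self._by_hash = {sha1_hex(p): n for p, n in breached.items()}
        self.queries: List[str] = []  # exactly what the server received

    def query_range(self, prefix: str) -> str:
        self.queries.append(prefix)
        lines = [
            f"{h[5:]}:{count}"
            for h, count in self._by_hash.items()
            if h.startswith(prefix)
        ]
        # Constructed filler so a response is never empty; a count of 0 mimics
        # the padding entries HIBP can add so the response size leaks less.
        lines.append("0" * 34 + "A:0")
        return "\n".join(lines)


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse "SUFFIX:COUNT" lines into a dict; tolerates blank lines and CRLF."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, query_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 if never).

    Only the prefix crosses the network; the suffix match happens locally.
    """
    prefix, suffix = split_hash(password)
    return parse_range_response(query_range(prefix)).get(suffix, 0)


def audit_vault(entries: Dict[str, str],
                query_range: Callable[[str], str]) -> Dict[str, int]:
    """Run the check over {account: password}; return only the exposed accounts."""
    exposed: Dict[str, int] = {}
    for account, password in entries.items():
        n = breach_count(password, query_range)
        if n:
            exposed[account] = n
    return exposed


# Constructed sample data: a pretend breach corpus and a pretend vault.
SAMPLE_CORPUS = {"correct horse battery staple": 120, "Summer2021!": 4500}
SAMPLE_VAULT = {
    "mail": "Summer2021!",
    "bank": "x7#Qd9!pLm2@vR4zWc",
    "forum": "correct horse battery staple",
}

if __name__ == "__main__":
    server = FakeRangeServer(SAMPLE_CORPUS)
    for account, count in audit_vault(SAMPLE_VAULT, server.query_range).items():
        print(f"{account}: password seen {count} times, change it")
    print("prefixes the server saw:", server.queries)
```

The `queries` list is the point of the exercise: after a full vault audit it contains nothing but 5-character prefixes, which is all the remote side ever learns.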

If a password shows up as exposed: change it. Even if you haven't seen any sign of account compromise, the password is on lists being tested against login forms constantly.

Reused Passwords runs entirely locally — no network request, no data sent anywhere. It flags any password used in more than one entry. Work through this list from highest-stakes accounts downward: email first, then financial accounts, then anything identity-linked.

Weak Passwords is also local-only. Bitwarden flags predictable patterns, short passwords, dictionary words. These are lower urgency than breached or reused, but fix them while you're in here.

Unsecured Websites flags entries whose saved URL uses HTTP rather than HTTPS. Worth a scan — if the site still runs on plain HTTP in 2026, that's worth knowing.
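The three local-only reports just described, reused, weak and unsecured websites, as an added example that is not Bitwarden's code: it runs the same checks over a constructed, unencrypted export in the shape of a Bitwarden JSON export. The field names (`items`, `type`, `login`, `uris`) are an assumption based on that format, and the weakness heuristic is a deliberate simplification of whatever Bitwarden actually scores.

```python
"""Local vault audit: reused passwords, weak passwords, plain-HTTP URIs.
Added example over a constructed Bitwarden-style JSON export; nothing is sent anywhere."""
import json
import re
from collections import defaultdict
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed export. Field names follow the unencrypted Bitwarden JSON export
# as this example assumes it; type 1 is a login item, type 2 a secure note.
SAMPLE_EXPORT = json.dumps({
    "encrypted": False,
    "items": [
        {"name": "Mail", "type": 1, "login": {"username": "me@example.com",
         "password": "Summer2021!", "uris": [{"uri": "https://mail.example.com"}]}},
        {"name": "Old forum", "type": 1, "login": {"username": "me",
         "password": "Summer2021!", "uris": [{"uri": "http://forum.example.net/login"}]}},
        {"name": "Bank", "type": 1, "login": {"username": "me",
         "password": "x7#Qd9!pLm2@vR4zWc", "uris": [{"uri": "https://bank.example.org"}]}},
        {"name": "Router", "type": 1, "login": {"username": "admin",
         "password": "admin", "uris": [{"uri": "http://192.168.1.1"}]}},
        {"name": "Note", "type": 2, "notes": "not a login, must be skipped"},
    ],
})

COMMON_WORDS = {"password", "admin", "welcome", "letmein", "qwerty"}


def load_logins(export_json: str) -> List[dict]:
    """Return only login items; refuse an encrypted export rather than misread it."""
    data = json.loads(export_json)
    if data.get("encrypted"):
        raise ValueError("encrypted export: audit an unencrypted export on a trusted machine")
    return [it for it in data.get("items", []) if it.get("type") == 1 and "login" in it]


def reused_passwords(logins: List[dict]) -> List[List[str]]:
    """Groups of entry names sharing one password. Names only, so the report
    itself never carries the password."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for it in logins:
        pw = it["login"].get("password")
        if pw:
            groups[pw].append(it["name"])
    return [names for names in groups.values() if len(names) > 1]


def is_weak(password: str) -> bool:
    """Simplified heuristic: short, a common word, or fewer than three character classes."""
    if len(password) < 12 or password.lower() in COMMON_WORDS:
        return True
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    return classes < 3


def weak_passwords(logins: List[dict]) -> List[str]:
    return [it["name"] for it in logins if is_weak(it["login"].get("password") or "")]


def unsecured_websites(logins: List[dict]) -> List[str]:
    """Entries with at least one saved URI whose scheme is plain http."""
    flagged = []
    for it in logins:
        if any(urlsplit(u.get("uri", "")).scheme.lower() == "http"
               for u in it["login"].get("uris") or []):
            flagged.append(it["name"])
    return flagged


def audit(export_json: str) -> dict:
    logins = load_logins(export_json)
    return {
        "reused": reused_passwords(logins),
        "weak": weak_passwords(logins),
        "unsecured": unsecured_websites(logins),
    }


if __name__ == "__main__":
    for report, hits in audit(SAMPLE_EXPORT).items():
        print(f"{report}: {hits}")
```

Running it on the sample export flags the two entries sharing "Summer2021!" as reused, three entries as weak, and the two http:// URIs as unsecured; the secure note is skipped because it carries no login.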

Inactive 2FA lists accounts where Bitwarden can detect that 2FA isn't enabled. It doesn't catch everything — not all sites expose this information — but it's a useful prompt. Note that 2FA alone has real limits; this report is a starting point, not a comprehensive coverage check.


1Password: Watchtower

In 1Password, the equivalent feature is Watchtower: open any vault and select Watchtower from the sidebar. It gives you a numeric security score, more useful as a before/after comparison than as an absolute benchmark, and breaks down vulnerabilities into the same categories: compromised, reused, weak, vulnerable websites.

One thing Watchtower does that Bitwarden's reports don't: it flags accounts where passkeys are now available. If you've been working through passkey authentication, this is your shortcut — it surfaces the accounts where you can actually make the switch without hunting through every saved login manually.



The Practical Audit Process

Don't try to fix everything at once. You will burn out and stop.

Start with Exposed Passwords. These are active risks. Change every flagged password before you do anything else. Use the password generator — let the manager create a 20-character random string, save it, move on. One account at a time.

Order of priority for changes:

  1. Email accounts (compromised email = compromised everything else that uses password reset)
  2. Financial accounts — banks, brokerages, payment processors
  3. Identity accounts — anything linked to your SSN, passport, government login
  4. Password manager account itself if it appears (change immediately)
  5. Everything else, by frequency of use

Then run Reused Passwords. The goal is straightforward: every account should have a unique password. If you have 40 entries sharing three passwords, you don't fix all 40 in one sitting. Pick the highest-value accounts from the list and work through them over a week.

Weak passwords last. Worth fixing, but rarely the immediate risk that breached or reused passwords are.


Pruning Stale Entries

This gets skipped in most audit guides. It shouldn't.

Open the full vault list and sort by "last used" or scroll through looking for services you don't recognize. For each stale entry, make a call:

  • Still active, you just don't use it: delete the saved entry, then go and actually close the account at the service. An account you don't use can still be compromised, used to reset linked accounts, or have a credit card attached to it.
  • Service no longer exists: Delete the entry.
  • Uncertain: Flag it, check if the site loads, then decide.

Dead accounts sitting open are a quiet risk. The username and email address are already out there from whatever breach first exposed them. Closing the account removes the attack surface.


Manual HIBP Check

Even if you don't use a password manager with built-in breach reports, you can check your email addresses directly at haveibeenpwned.com. It's free, instant, and tells you which specific breaches included your email address — and sometimes what data types were exposed (email, password, phone, physical address).

Sign up for breach notifications while you're there. When your email appears in a new breach, HIBP sends an alert. It won't catch everything, but it's a useful early-warning layer that costs nothing.


Setting a Recurring Schedule

A one-time audit is fine. A recurring one is what actually keeps things clean.

Quarterly is the practical cadence for most people — enough time that new breaches will have surfaced, not so frequent that it becomes a chore. Set a calendar reminder. The second audit takes half the time of the first because you're maintaining rather than overhauling.

If you're using a YubiKey or hardware security key on your most important accounts, add a check to that audit: confirm the key is still registered on every critical account, and verify the backup code is stored somewhere offline.


The Bitwarden 2025 State of Password Security report found that password reuse remains widespread even among people who use a password manager. The manager makes it easy to fix. Most people just don't run the reports.

An audit doesn't require security expertise. It requires 30 minutes and the willingness to actually change the passwords it finds.
