Who this is for: Anyone who uses a phone, laptop, and tablet — and wants them secured with the same standards. If you've locked down one device but the others are still exposed, this audit closes every gap.
How to use it: Work through each category. Check off items as you complete them. Your progress saves automatically — come back anytime. Most people finish in 45–60 minutes.
Account & Password Sync
6 items
Install the same password manager on all devices
Use one password manager (1Password, Bitwarden, or Proton Pass) across phone, laptop, and tablet. Install the native app AND browser extension on each. This ensures every device pulls from the same vault — no more "I saved that password on my phone."
Enable biometric unlock on every device
Face ID, Touch ID, or fingerprint — whatever your device supports. This protects your password vault even if someone gets physical access. On laptops, enable both OS-level biometrics and the password manager's biometric unlock. Never rely solely on a master password.
Sync 2FA authenticator across all devices
Use an authenticator that supports cloud backup: Authy, Google Authenticator (with Google account backup), or 1Password's built-in TOTP. If you only have 2FA codes on one phone and it's lost, you're locked out of everything. Back up your 2FA seeds on at least two devices.
Check Have I Been Pwned for all email addresses
Visit haveibeenpwned.com and check every email you use. As of 2025, over 14 billion accounts have been exposed in breaches. If your email appears, change that password immediately on every device where it's saved. Set up breach notifications for ongoing monitoring.
Enable 2FA on all critical accounts (email, banking, social)
Priority order: email (most critical — it's the recovery key for everything), banking/investment accounts, social media, cloud storage. Use authenticator app or hardware key — never SMS 2FA for high-value accounts. SIM swap attacks increased 400% between 2021–2024.
Review and revoke unused app passwords and OAuth tokens
Check your Google, Apple, and Microsoft account security pages. Revoke access for apps you no longer use. Each connected app is a potential attack vector. Do this on your laptop where it's easiest to review the full list — the changes sync across all devices automatically.
Device Encryption & Lock Screen
6 items
Verify full-disk encryption is active on all devices
iPhone/iPad: FileVault equivalent is automatic when a passcode is set. Android: Settings → Security → Encryption (enabled by default on Android 10+). Windows: Check BitLocker status (Control Panel → BitLocker). Mac: System Settings → Privacy & Security → FileVault. Without encryption, a stolen device means your data is fully readable.
Set lock screen timeout to 1 minute or less on all devices
An unlocked device is an open vault. Set auto-lock to 60 seconds maximum — 30 seconds on phones. On iPhone: Settings → Display → Auto-Lock. On Android: Settings → Display → Screen Timeout. On Mac/Windows: Power & Sleep settings. This one setting prevents the majority of physical-access attacks.
Disable lock screen notifications with sensitive content
Your phone sitting on a table displays bank alerts, 2FA codes, and private messages — visible to anyone nearby. Set notifications to hide content on lock screen: iPhone → Notifications → Show Previews → When Unlocked. Android → Notifications → on lock screen → Hide sensitive content. This stops shoulder surfing and casual snooping.
Enable Find My Device / Find My on every device
iPhone: Settings → [Your Name] → Find My → Find My iPhone (enable all three options including Send Last Location). Android: Settings → Security → Find My Device. Mac: System Settings → Apple ID → Find My. Windows: Settings → Find My Device. This gives you remote lock and wipe capability — critical if a device is stolen.
Test remote wipe capability
Don't wait until a device is stolen to learn how remote wipe works. Log into icloud.com/find or google.com/android/find from another device. Verify you can see all devices. Practice the remote lock command (don't actually wipe). Know your Apple ID / Google credentials by heart — you'll need them under stress.
Set a strong alphanumeric passcode on phone (not just 4 digits)
A 4-digit PIN has 10,000 combinations — brute-forceable in under 30 minutes with the right hardware. Switch to a 6-digit minimum, or better yet an alphanumeric passcode. iPhone: Settings → Face ID & Passcode → Change Passcode → Passcode Options → Custom Alphanumeric. This is your last line of defense if biometrics fail.
Network & Sync Security
6 items
Configure automatic VPN on untrusted networks (all devices)
Install one VPN on every device and enable auto-connect for public WiFi. Recommended: Mullvad, Proton VPN, or IVPN. On phones, enable "connect on untrusted networks." On laptops, set the VPN to start at login. Public WiFi at coffee shops, airports, and hotels is routinely monitored — your traffic should always be encrypted.
Verify DNS-over-HTTPS or DNS-over-TLS is enabled
Standard DNS queries are unencrypted — anyone on your network can see every website you visit. Enable DoH/DoT: Chrome → Privacy → Use Secure DNS. Firefox → Enable DNS over HTTPS. iPhone → Settings → Wi-Fi → Configure DNS → Automatic (uses DoH on iOS 14+). Use a privacy-focused DNS like NextDNS or Quad9.
Turn off auto-join for public WiFi networks
Your devices remember every WiFi network you've joined. Attackers can create fake hotspots with the same name ("Starbucks WiFi") and your device connects automatically. Forget old networks: iPhone → Wi-Fi → tap (i) → Forget This Network. Do this on every device. Only auto-join your home and work networks.
Disable Bluetooth when not actively using it
Bluetooth has a history of vulnerabilities (BlueBorne, KNOB attack, BLUFFS). When you're not using headphones, AirDrop, or a smartwatch, turn Bluetooth off. On phones, at minimum disable Bluetooth discoverable mode. On laptops, disable Bluetooth at the OS level when not needed — don't just disconnect devices.
Audit cloud sync: know exactly what syncs where
Check iCloud, Google Drive, OneDrive, and Dropbox settings on each device. Know what folders sync. Disable sync for sensitive folders you don't need on every device. A stolen laptop shouldn't automatically download your entire photo library and financial documents. Review sync settings quarterly.
Enable HTTPS-Only mode in all browsers on all devices
Firefox: Settings → Privacy → HTTPS-Only Mode → Enable in all windows. Chrome: chrome://flags → HTTPS-Only Mode → Enabled. Edge: Settings → Privacy → Automatically switch to HTTPS. This blocks unencrypted connections that can be intercepted. Set this on every browser on every device — including mobile browsers.
Updates, Backups & Ongoing Hygiene
6 items
Enable automatic OS updates on all devices
Unpatched devices are the #1 attack vector for known exploits. iPhone: Settings → General → Software Update → Automatic Updates (enable all). Android: Settings → System → System Update → Auto-download. Mac: System Settings → General → Software Update → Automatic. Windows: Settings → Windows Update → Automatic. Restart promptly when updates require it.
Enable automatic app updates on all devices
Apps with security vulnerabilities are patched through updates. If you're not updating, you're running known-exploitable code. iPhone: Settings → App Store → App Updates (on). Android: Play Store → Settings → Auto-update apps. Mac: System Settings → General → Automatic Updates → Install app updates. Check monthly that updates are actually applying.
Set up encrypted backups for all devices
iPhone: iCloud backup (automatic, encrypted by default) or encrypted local backup via Finder/iTunes. Android: Google One backup. Mac: Time Machine to an encrypted external drive. Windows: File History or a third-party backup to encrypted storage. Test restoring from backup at least once — a backup you can't restore is worthless.
Review app permissions on all devices (location, camera, mic, contacts)
iPhone: Settings → Privacy → review each category. Android: Settings → Privacy → Permission Manager. Mac: System Settings → Privacy. Windows: Settings → Privacy & Security. Revoke camera/microphone access for apps that don't need it. Revoke location access for apps that only need it once. This is a quarterly task — set a calendar reminder.
Remove unused apps from all devices
Every app is a potential vulnerability surface. If you haven't used an app in 90 days, delete it. You can always reinstall. Focus especially on apps with broad permissions (file managers, keyboard apps, utilities). Abandoned apps don't get security updates but still have access to your data. Be ruthless — your phone isn't a museum.
Set a monthly 15-minute security check reminder
Security is not a one-time setup — it's maintenance. Set a recurring calendar event: "15-min security check." Review: new breaches at haveibeenpwned.com, pending OS updates, new app permissions, VPN still active, password manager synced. This single habit prevents 95% of security drift. Do it on the 1st of every month.
Audit Complete — You're Locked Down
All 24 checks passed. Every device you own is now secured with consistent standards. Your monthly 15-minute check will keep it that way.
Go Deeper: Related Guides
Password Manager Setup: Complete Walkthrough
Step-by-step for 1Password, Bitwarden, and Proton Pass — with migration from browser storage.
The Weekend Security Lockdown
Protect everything in 4 hours. Passwords, 2FA, privacy settings, and breach response — all in one session.
VPN Selection Guide: What Actually Matters
Jurisdiction, logging policies, speed, and the 3 providers we trust. Based on 18 months of testing.
Data Broker Removal: Delete Your Info from 50+ Sites
Your name, address, phone, and family members are listed publicly. Here's how to remove them — free or paid.
Family Digital Safety Blueprint
Protecting kids, parents, and shared accounts. Age-appropriate controls and the conversations that matter.