
Most password trouble does not start with a dramatic hack scene. It usually starts with one old password that was reused on a shopping site, a personal email account, a vendor portal, or an employee’s work login. Once that password appears in a data breach, attackers try it everywhere else.
Today’s practical tech tip: spend 15 minutes running the password health check built into the password manager you already use, then fix the most dangerous items first. For a home user, this can protect email, banking, and social accounts. For a small business, it can reduce the chance that one exposed password turns into a payroll, Microsoft 365, Google Workspace, QuickBooks, website, or vendor-account problem.
Why This Is Worth Doing Today
Modern browsers and operating systems can flag saved passwords that are compromised, reused, or weak. Google Password Manager includes a Password Checkup feature for saved passwords. Apple Passwords shows security recommendations for weak, reused, and compromised passwords. Microsoft Edge includes Password Monitor and a password security check for leaked, reused, and weak saved passwords. The FTC also recommends using strong, unique passwords and a password manager instead of reusing the same login across accounts.
The important part is not just seeing the warning. The important part is turning that warning into a short cleanup session with priorities.
Step 1: Open Your Password Health Check
Use the path that matches where you actually save passwords most often:
- Google Chrome or Google Password Manager: open Chrome, go to Passwords and autofill, open Google Password Manager, then run Checkup. Google’s help page explains how to check saved passwords in Chrome on a computer.
- iPhone or iPad: open the Passwords app, tap Security, then review weak or compromised accounts. Apple documents the process for changing weak or compromised passwords on iPhone.
- Mac: open the Passwords app, click Security in the sidebar, then review listed accounts. Apple also has separate guidance for Password security recommendations on Mac.
- Microsoft Edge: open Edge settings, go to Passwords and autofill, then Microsoft Password Manager and Password security check. Microsoft explains the Edge password health indicator and its leaked, reused, and weak categories.
If you use a dedicated password manager such as 1Password, Bitwarden, Keeper, Dashlane, or another business password vault, look for a security dashboard, watchtower, health report, breach report, or reused-password report. The labels differ, but the goal is the same.
Step 2: Fix Compromised Passwords First
Start with anything marked compromised, leaked, or found in a data breach. Treat those as urgent, especially if the account is tied to email, banking, payroll, taxes, cloud storage, your website, domain registration, Microsoft 365, Google Workspace, remote access, or customer data.
- Open the account’s real website or app directly. Do not change passwords through a link in a random email or text message.
- Change the password to a new, unique password generated by your password manager.
- Make sure the new password saved correctly in the password manager.
- Sign out of old sessions if the account offers that option.
- Turn on multi-factor authentication if it is available, especially for email, finance, business administration, and cloud accounts.
Do not make small variations of the old password. If Summer2024! was exposed, Summer2026! is not a meaningful fix. Let the password manager create something long and random.
Step 3: Fix Reused Passwords Next
Reused passwords are dangerous because one weak site can become the doorway to stronger sites. If a personal account and a business account share the same password, fix the business account first, then the email account used for password resets, then financial and vendor accounts.
A good cleanup order for small businesses is:
- Email and Microsoft 365 or Google Workspace administrator accounts
- Banking, payroll, accounting, tax, and payment-processing accounts
- Domain registrar, website hosting, WordPress, DNS, and marketing accounts
- Remote access, VPN, firewall, router, camera, and line-of-business software accounts
- Shared vendor portals and employee accounts that may have been copied from one person to another
The FTC’s consumer guidance is blunt about the risk: do not reuse passwords, because a password stolen from one account can be tried against other accounts. The FTC also recommends using a password manager and two-factor authentication where available. See the FTC’s pages on protecting personal information from hackers and scammers and using two-factor authentication.
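For readers comfortable running a script, the Step 2 and Step 3 ordering can be applied to an exported password list. This is an added example, not part of the original tip or any password manager's own code; the field names, category labels and sample rows are constructed, and ranking a look-alike of an exposed password as high as the exposed one is an assumption drawn from the Summer2024!/Summer2026! point above.

```python
import re
from collections import defaultdict

# Cleanup order from the small-business list above (lower = fix sooner).
CATEGORY_RANK = {"admin_email": 0, "finance": 1, "web": 2, "remote": 3, "vendor": 4, "other": 5}
# Assumption: a look-alike of an exposed password is as urgent as the exposed one.
FINDING_RANK = {"compromised": 0, "near_compromised": 0, "reused": 1}

def skeleton(password):
    """Strip the parts people usually tweak: case, digit runs, trailing symbols."""
    s = re.sub(r"\d+", "#", password.lower())
    return re.sub(r"[^a-z0-9#]+$", "", s)

def triage(entries):
    """Return [(site, [findings])] ordered by finding severity, then category."""
    sites_by_password = defaultdict(set)
    for e in entries:
        sites_by_password[e["password"]].add(e["site"])
    exposed = {skeleton(e["password"]) for e in entries if e["compromised"]}
    queue = []
    for e in entries:
        findings = []
        if e["compromised"]:
            findings.append("compromised")
        elif skeleton(e["password"]) in exposed:
            findings.append("near_compromised")  # e.g. Summer2026! vs Summer2024!
        if len(sites_by_password[e["password"]]) > 1:
            findings.append("reused")
        if findings:
            worst = min(FINDING_RANK[f] for f in findings)
            queue.append((worst, CATEGORY_RANK.get(e["category"], 5), e["site"], findings))
    return [(site, findings) for _, _, site, findings in sorted(queue)]

# Constructed sample rows; a real export has different column names.
SAMPLE = [
    {"site": "shop.example", "category": "other", "password": "Summer2024!", "compromised": True},
    {"site": "payroll.example", "category": "finance", "password": "Summer2026!", "compromised": False},
    {"site": "mail-admin.example", "category": "admin_email", "password": "Tr0ub4dor&3", "compromised": False},
    {"site": "vendor.example", "category": "vendor", "password": "Tr0ub4dor&3", "compromised": False},
    {"site": "bank.example", "category": "finance", "password": "k7#Qv9!mZp2$Lx8@", "compromised": False},
]

if __name__ == "__main__":
    for site, findings in triage(SAMPLE):
        print(f"{site}: {', '.join(findings)}")
```

A real export file holds plaintext passwords, so run a script like this only on your own machine and delete the export afterwards.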
Step 4: Clean Up Weak, Old, And Unknown Saved Logins
After compromised and reused passwords, review weak passwords and old saved logins. This is where many people find abandoned accounts, duplicate entries, former employee accounts, test accounts, and saved passwords for sites they no longer use.
- If the account still matters, change it to a unique password and enable multi-factor authentication.
- If the account is no longer needed, close it if practical, or at least remove saved payment information and personal details from it.
- If the password manager has duplicate entries for the same site, keep the working one and remove stale copies after verifying you can sign in.
- If a login belongs to a former employee, vendor, or old shared mailbox, do not ignore it. That is a business access-control issue, not just a password cleanup item.
What Can Go Wrong
Password cleanup is simple, but a few mistakes can cause real headaches:
- Changing the wrong account: Some websites have personal and business logins that look similar. Confirm the username and email before changing anything.
- Losing access to the password manager: Know how to recover your password vault before relying on it completely. For businesses, make sure at least two trusted administrators can manage the company vault.
- Breaking shared workflows: If several employees use one shared login, changing the password without communication can interrupt operations. A better fix may be separate named accounts with proper permissions.
- Ignoring MFA prompts: A new password helps, but multi-factor authentication is what often stops an attacker who already has a password.
- Trusting fake alerts: Password breach warnings should be reviewed inside your browser, operating system, or password manager. Do not enter passwords into a site because a pop-up, text message, or email told you to.
When To Call An IT Professional
Call for help if a password check shows compromised credentials for business email, administrator accounts, remote access, banking, payroll, point-of-sale systems, website administration, domain registration, or any account that stores customer data. Also call if an employee account still works after someone has left, if you see sign-ins from unfamiliar locations, or if you are not sure which accounts control your business systems.
For a small business, a password cleanup is also a good time to set a real policy: unique passwords, a company password manager, multi-factor authentication, named accounts instead of shared logins, and a quarterly review of administrator access.
The 15-Minute Version
- Open your password manager’s security check.
- Fix compromised passwords first.
- Fix reused passwords on email, banking, business admin, and vendor accounts next.
- Enable multi-factor authentication on important accounts.
- Remove stale saved passwords after confirming they are no longer needed.
- Put a reminder on the calendar to repeat the check next month.
A password health check is not glamorous, but it is one of the fastest ways to reduce account-takeover risk without buying anything new. If you need help cleaning up passwords, setting up a business password manager, or turning on multi-factor authentication without disrupting the workday, The IT Guys can help you make the change cleanly.