
Personal Security & OPSEC

Interactive companion to Lissy93's Personal Security Checklist and Digital Defense. 9 domains, 59 curated actions — click any item to cycle unset → covered → partial → gap → n/a.

Reference only — not legal or professional advice. Pairs with /dfir/privacy (live browser fingerprinting scan), /dfir/privacy-hub (regulatory regimes) and /threatintel/external-resources (the source list).

Overall OPSEC posture
0% · Poor
0/59 weighted • 31 open critical / high gaps

Account & Identity Hygiene

0/10 covered · 0%

The cheapest compromise in 2026 is still credential reuse + weak MFA. Lock down the most exposed accounts first: primary email, password manager, banking, and any account with password-reset authority over those.

10 actions

  • critical · Use a password manager

    Generate and store every password in a reputable password manager. Memorise the master password and the recovery key — never type either into a webpage, email, or chat.

  • critical · No password reuse across sites

    Every account uses a unique password. A breach on one site must not cascade. Most password managers have an audit / reuse report — fix the top 10 reused first.

  • high · Adopt passkeys on supported services

    Where supported (Google, Apple, Microsoft, GitHub, many banks), prefer a passkey over a password. Phishing-resistant by design — the key only works on the registered origin.

  • critical · Hardware-key MFA on email + password manager + banking

    FIDO2 / WebAuthn hardware keys (YubiKey, Token2, Solokey) on the three accounts that own your digital life. SMS and TOTP are better than nothing; hardware keys defeat SIM-swap and AiTM phishing.

  • high · MFA enabled on every account that offers it

    App-based TOTP (Authy, Aegis, Raivo) or hardware key. Avoid SMS as the only second factor where TOTP is available.

  • high · Recovery codes stored offline

    Print or write down the one-time recovery codes for primary email, password manager, and any account you cannot afford to lose. Store them in a fireproof envelope or safe — not in cloud notes.

  • medium · Audit email forwarding + delegated access

    Check Gmail/Outlook/Proton for active IMAP/POP, third-party app grants, and forwarding rules. Revoke anything you do not actively use. Attackers persist by adding a quiet forwarding rule.

  • high · Lock / freeze credit bureaus

    Free credit freeze at Equifax, Experian, TransUnion (US) or equivalent. Cheaper and stronger than credit-monitoring — freezes block new account opening outright. Lift temporarily when applying for credit.

  • medium · Subscribe to breach notifications

    Sign up at haveibeenpwned.com for every email you actively use. Treat every notification as a forced password change + MFA check on the affected account.

  • medium · Revoke unused OAuth / social-login grants

    Review Google "Third-party apps with account access" and the equivalent in Apple, Microsoft, Facebook. Revoke anything dormant for 90+ days.

Highest-priority open gaps (31)

  • critical — unset · Use a password manager · Accounts

    Generate and store every password in a reputable password manager. Memorise the master password and the recovery key — never type either into a webpage, email, or chat.

  • critical — unset · No password reuse across sites · Accounts

    Every account uses a unique password. A breach on one site must not cascade. Most password managers have an audit / reuse report — fix the top 10 reused first.

  • critical — unset · Hardware-key MFA on email + password manager + banking · Accounts

    FIDO2 / WebAuthn hardware keys (YubiKey, Token2, Solokey) on the three accounts that own your digital life. SMS and TOTP are better than nothing; hardware keys defeat SIM-swap and AiTM phishing.

  • critical — unset · Full-disk encryption on every device · Devices

    BitLocker (Windows), FileVault (macOS), LUKS (Linux), default since Android 6 / iOS 8. Verify the recovery key is stored offline — not just in your password manager.

  • critical — unset · Auto-updates enabled for OS + firmware · Devices

    Operating system, browser, firmware/UEFI where available. Attackers favour the gap between disclosure and patch adoption.

  • critical — unset · Lock the screen every time you step away · Physical

    Win+L, Ctrl+Cmd+Q, or a hot-corner. "Just a second" is enough for a casual shoulder-surf or a USB Rubber Ducky.

  • critical — unset · Self-search for your name, email, phone, address · OPSEC

    In all the major engines, in quotes, in image search, and in people-search aggregators (Pipl, Spokeo, Whitepages). What shows up is what an attacker, stalker, or recruiter sees.

  • critical — unset · Do not paste sensitive data into public AI chats · OPSEC

    API keys, customer data, source code under NDA, internal documents. Most AI providers retain inputs for training or review. Use local models (Ollama, LM Studio) for sensitive analysis.

  • high — unset · Adopt passkeys on supported services · Accounts

    Where supported (Google, Apple, Microsoft, GitHub, many banks), prefer a passkey over a password. Phishing-resistant by design — the key only works on the registered origin.

  • high — unset · MFA enabled on every account that offers it · Accounts

    App-based TOTP (Authy, Aegis, Raivo) or hardware key. Avoid SMS as the only second factor where TOTP is available.

  • high — unset · Recovery codes stored offline · Accounts

    Print or write down the one-time recovery codes for primary email, password manager, and any account you cannot afford to lose. Store them in a fireproof envelope or safe — not in cloud notes.

  • high — unset · Lock / freeze credit bureaus · Accounts

    Free credit freeze at Equifax, Experian, TransUnion (US) or equivalent. Cheaper and stronger than credit-monitoring — freezes block new account opening outright. Lift temporarily when applying for credit.

Scoring legend

  • ✓ covered — fully implemented and tested
  • ~ partial — half-done or untested (counts 0.5×)
  • ✗ gap — known not done, on the to-do list
  • n/a — not applicable to your situation
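The legend above amounts to a small scoring model: covered counts 1, partial counts 0.5, n/a is dropped from the denominator, and the open-gaps list ranks unset or gap items by severity. Here is that model worked through in Python, as an added example (not code from this page or from Lissy93's project); the item list is constructed from the Accounts domain shown above, and the click-cycle order follows the intro text.

```python
from dataclasses import dataclass

# Credit per status, as the legend states: covered 1x, partial 0.5x, gap/unset 0, n/a excluded.
STATUS_CREDIT = {"covered": 1.0, "partial": 0.5, "gap": 0.0, "unset": 0.0}
CYCLE = ["unset", "covered", "partial", "gap", "n/a"]  # click order from the page intro


@dataclass
class Item:
    title: str
    severity: str  # critical | high | medium
    domain: str
    status: str = "unset"


def cycle(item: Item) -> Item:
    """Advance the status one click in the page's order, wrapping n/a back to unset."""
    item.status = CYCLE[(CYCLE.index(item.status) + 1) % len(CYCLE)]
    return item


def posture(items):
    """Return (weighted score, applicable item count, rounded percent); n/a items are ignored."""
    applicable = [i for i in items if i.status != "n/a"]
    score = sum(STATUS_CREDIT[i.status] for i in applicable)
    pct = round(100 * score / len(applicable)) if applicable else 0
    return score, len(applicable), pct


def open_gaps(items, severities=("critical", "high")):
    """Items still unset or gap at the given severities, most severe first (stable within a tier)."""
    rank = {"critical": 0, "high": 1, "medium": 2}
    return sorted((i for i in items if i.status in ("unset", "gap") and i.severity in severities),
                  key=lambda i: rank[i.severity])


ACCOUNTS = [  # constructed sample: the ten Accounts items from the checklist above
    Item("Use a password manager", "critical", "Accounts"),
    Item("No password reuse across sites", "critical", "Accounts"),
    Item("Adopt passkeys on supported services", "high", "Accounts"),
    Item("Hardware-key MFA on email + password manager + banking", "critical", "Accounts"),
    Item("MFA enabled on every account that offers it", "high", "Accounts"),
    Item("Recovery codes stored offline", "high", "Accounts"),
    Item("Audit email forwarding + delegated access", "medium", "Accounts"),
    Item("Lock / freeze credit bureaus", "high", "Accounts"),
    Item("Subscribe to breach notifications", "medium", "Accounts"),
    Item("Revoke unused OAuth / social-login grants", "medium", "Accounts"),
]

if __name__ == "__main__":
    score, n, pct = posture(ACCOUNTS)
    print(f"{score:g}/{n} weighted, {pct}%, {len(open_gaps(ACCOUNTS))} open critical/high gaps")
```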
