Export and Analyze Your Current Passwords

Most password managers offer an audit or security dashboard feature that automatically identifies reused, weak, and breached passwords. If you're not yet using a manager, export your browser's saved passwords and review them. Look for any password used on more than one site, any under 12 characters, and any based on dictionary words.

Check Against Breach Databases

Have I Been Pwned's password checking tool lets you test whether a specific password has appeared in any known breach. It uses a k-anonymity technique: you send a hash prefix, not the actual password. Your password manager may offer built-in breach checking using the same API.
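
The checks from the two steps above (reuse, length under 12, breach lookup by hash prefix) can be scripted over an exported password file; this is an added example, not code from the original page. The CSV column names, the sample rows and the fake_range stand-in (which replaces the network call to the range API with a constructed response) are assumptions made for illustration.

```python
import csv
import hashlib
import io
from collections import defaultdict

MIN_LENGTH = 12  # length threshold named in the article
# Constructed sample export; the column names are an assumption.
SAMPLE_CSV = """url,username,password
https://mail.example,alice,password
https://bank.example,alice,correct-horse-battery-staple
https://forum.example,alice,tr0ub4dor
https://shop.example,alice,correct-horse-battery-staple
"""

def hibp_split(password):
    """Return (5-char SHA-1 prefix to send, 35-char suffix kept locally)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(suffix, range_body):
    """Look up our suffix in a 'SUFFIX:COUNT' range response; 0 if absent."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0

def fake_range(prefix):
    """Offline stand-in for the range lookup, returning a constructed body."""
    known_prefix, known_suffix = hibp_split("password")
    hit = known_suffix + ":1000\r\n" if prefix == known_prefix else ""
    return "0" * 35 + ":3\r\n" + hit

def audit(csv_text, fetch_range):
    """Map each URL to its issues, in the order reused, short, breached."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    sites = defaultdict(set)
    for row in rows:
        sites[row["password"]].add(row["url"])
    findings = {}
    for row in rows:
        pw = row["password"]
        prefix, suffix = hibp_split(pw)  # only the prefix goes to fetch_range
        checks = {"reused": len(sites[pw]) > 1, "short": len(pw) < MIN_LENGTH,
                  "breached": breach_count(suffix, fetch_range(prefix)) > 0}
        findings[row["url"]] = [name for name, bad in checks.items() if bad]
    return {url: issues for url, issues in findings.items() if issues}

if __name__ == "__main__":
    print(audit(SAMPLE_CSV, fake_range))
```

For a real run, pass a fetch_range that requests https://api.pwnedpasswords.com/range/<prefix> and returns the response text. The exported CSV holds every password in plain text, so delete it once the audit is done.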

Prioritize High-Value Accounts

Not all accounts are equally important. Start with high-priority targets: email (controls password resets), banking and financial services, social media with payment methods, and anything with stored personal or medical information.

Systematic Remediation

Work through weak or breached passwords systematically — don't try to fix everything at once. Generate a new random password for each affected account, save it in your password manager, and enable 2FA where supported.

Key Takeaway

A password audit is the most impactful single security action most people can take. Set aside an afternoon, use your manager's audit tools, and methodically replace every weak or reused credential.