Skip to main content
Back to all posts

Digital Hygiene: A Cleaning Checklist for Your Online Life

โ€ขSnapSend Team

Every account you've ever created, every app you've granted a permission, and every device still logged into your email is part of your attack surface. It doesn't matter that you forgot about the fitness app from 2019 โ€” an attacker who breaches it hasn't. Digital hygiene is the boring, unglamorous work of shrinking that surface so a breach somewhere else doesn't become a breach of you.

Think of it like closing tabs. You don't need to overhaul your life. You need a repeatable routine โ€” call it 30 to 45 minutes a quarter โ€” that clears the clutter before it becomes a liability. Here's the checklist we actually run.

1. Kill dormant accounts

Dead accounts are the worst kind of exposure: they hold your data, share a password with accounts you do care about, and get zero attention when the breach notification lands.

  • Search your password manager (or your email for "welcome to" and "verify your account") to build a list of everything you've signed up for.
  • For each one you no longer use, find the deletion flow. Sites like JustDeleteMe catalog the direct links and flag services that make it deliberately hard.
  • Actually delete, don't just "deactivate." Deactivation usually keeps your data warm on their servers. Deletion โ€” where GDPR/CCPA give you the right โ€” removes it.

A useful mindset shift: your data is safest in accounts that don't exist. Every login you retire is one fewer breach that can ever touch you.

2. Audit app and OAuth permissions

Two different permission problems, both worth ten minutes.

Device permissions. On your phone, walk the privacy settings for Location, Microphone, Camera, Contacts, and Photos. A flashlight or calculator app requesting your location or contacts is a red flag, not a feature. Switch location-hungry apps to "While Using" or "Ask Next Time." On desktop, do the same pass on browser extensions โ€” an extension that "reads and changes all data on all websites" can see everything you type, including passwords.

OAuth / "Sign in with" grants. This is the one people forget. Every time you clicked Continue with Google or Sign in with Apple, you handed a third party standing access to your account. Go to your Google, Apple, Microsoft, and GitHub security pages and open "Connected apps" or "Third-party access." Revoke anything you don't recognize or haven't used in a year. A revoked grant can't be abused if that third party gets breached.

3. Fix your password layer

If you're still reusing passwords, nothing else on this list matters as much. Credential stuffing โ€” attackers taking a username/password leaked from one site and trying it everywhere โ€” is the single most common way ordinary accounts get taken over, and it only works because passwords get reused.

  • Adopt a password manager if you haven't. This is the highest-leverage security decision most people can make; we make the full case in why you need a password manager.
  • Run its built-in audit. It'll flag reused, weak, and known-breached passwords. Fix the reused ones first, starting with email and banking.
  • Generate unique, long, random passwords going forward. If you need one right now without opening an app, our password generator runs entirely in your browser โ€” nothing you generate is ever sent to a server.

Don't try to rotate all 200 at once; you'll burn out. Fix the critical accounts this quarter, the rest next quarter.

4. Turn on 2FA where it counts

A stolen password is far less useful when a second factor stands behind it. Prioritize: email first (it's the reset lever for everything else), then financial accounts, then anything with your payment details stored.

Prefer an authenticator app (TOTP) or a hardware key over SMS. SMS codes can be phished or intercepted via SIM-swap, but SMS 2FA still beats no 2FA โ€” don't let "not perfect" stop you from turning it on. We go deeper on the tradeoffs in why 2FA matters.

5. Patch everything

Most successful attacks exploit holes that were fixed months ago in updates people never installed. Updates aren't just new emoji โ€” they're security patches.

  • Turn on automatic updates for your OS, browser, and phone. This removes the decision entirely.
  • Don't forget the quiet stuff: your router's firmware, your NAS, smart-home hubs, and IoT devices. These rarely auto-update and are common footholds. If a device hasn't received a firmware update in years, treat it as untrusted and segment it onto a guest network.

6. Prune active sessions and devices

Your accounts remember every browser and device you've ever logged in from โ€” including that hotel lobby PC and the old phone you sold. In your Google, Apple, Facebook, and bank security settings, open "Your devices" or "Where you're logged in" and sign out everything you don't currently recognize or own. It takes two minutes and instantly evicts anyone riding an old session.

7. Clean up how you share sensitive data

Hygiene isn't only about what you store โ€” it's about what you leave lying around in other people's inboxes and chat histories. A password pasted into Slack or a contract emailed as an attachment lives forever on servers you don't control, searchable and un-deletable.

The fix is to default to ephemeral, one-time-read sharing for anything sensitive. Instead of pasting a credential, send a self-destructing link that decrypts once and then no longer exists. Instead of emailing a tax document, use a secure file share with a hard expiry so it can't resurface in a breach two years from now. The goal is the same as deleting dormant accounts: minimize the copies of your data that outlive their purpose.

8. Check what you're already leaking

Before you close the laptop, it's worth seeing your exposure from the outside. Our privacy check shows, in your browser, exactly what a website learns about you the instant you visit โ€” your IP and rough location, your device fingerprint, fonts, timezone, and more. It's a fast reality check on how identifiable you are, and it runs client-side without storing anything.

Common mistakes

  • Doing it once and never again. Hygiene is a habit, not a project. Put a recurring 30-minute block on your calendar every quarter.
  • Deactivating instead of deleting. Deactivated accounts still hold your data.
  • Boiling the ocean. Trying to fix 200 passwords in one sitting guarantees you quit. Triage by blast radius.
  • Forgetting the boring devices. Routers, printers, and IoT gadgets are the ones attackers count on you ignoring.

The 30-minute checklist

  • [ ] Delete 3โ€“5 dormant accounts
  • [ ] Revoke unused OAuth and extension permissions
  • [ ] Fix reused passwords on critical accounts
  • [ ] Enable app-based 2FA on email and banking
  • [ ] Confirm auto-updates are on everywhere
  • [ ] Sign out unrecognized sessions and devices
  • [ ] Switch sensitive sharing to expiring, one-time links

FAQ

How often should I do this? Quarterly is a sane cadence. If that feels like a lot, twice a year still beats never.

Where do I start if I'm overwhelmed? Your email account. It's the reset key to your entire digital life โ€” unique password plus 2FA there first, everything else after.

Does deleting old accounts really help? Yes. Data that doesn't exist can't be breached, sold, or credential-stuffed. It's the cheapest security win available.


Want a two-minute snapshot of how exposed you are right now? Run the privacy check โ€” it shows what any site can see about your device the moment you land, entirely in your browser, with nothing stored. It's a good baseline before you start cleaning.