Lesson 6 12 min

Passwords & Old Accounts

Migrate to a password manager, find and close dormant online accounts, and build a security system that protects you without being a daily hassle.

You probably have about 100 online accounts. You can name maybe 20. The other 80 are scattered across forums, shopping sites, free trials, and services you used once in 2019. Each one is a potential entry point for hackers — especially if they share the same password. This lesson fixes that.

🔄 Quick Recall: In the previous lesson, you audited your apps and subscriptions — cutting unused services and saving money. Now you’ll go deeper: cleaning up the accounts behind those apps and building a password system that actually works.

Setting Up a Password Manager

A password manager stores unique, complex passwords for every site. You remember one master password; it handles the rest.

Recommended password managers:

Manager	Price	Best For
Bitwarden	Free / $10/year	Budget-friendly, open-source, full-featured
1Password	$3/month	Families, polished UI, Watchtower breach alerts
Apple Keychain	Free (Apple devices)	All-Apple households, seamless integration
Google Password Manager	Free (Chrome/Android)	Chrome-primary users

Migration Process

Help me plan my password manager migration:

Current situation:
- I reuse [number] passwords across [number] accounts
- I currently store passwords in: [browser, notes, memory, etc.]
- Devices: [list phones, computers, tablets]

Create a migration plan:
1. Which password manager is best for my setup?
2. How to import existing saved passwords (from browser, etc.)
3. Priority accounts to update first (banking, email, primary social)
4. How to generate and save new unique passwords
5. How to set up autofill on all my devices
6. Emergency access: what happens if I forget the master password?

Migration priority order:

Email accounts (these are the “master key” — password resets go here)
Financial accounts (banking, investment, payment services)
Social media (often targeted for identity theft)
Shopping accounts (stored payment information)
Everything else (update as you log into each site)

✅ Quick Check: Why should email accounts be updated first in a password migration? (Answer: Your email is the skeleton key to every other account. Whoever controls your email can reset the password on any account that uses it for recovery. If an attacker compromises your email, they can methodically take over banking, social media, shopping — everything. Secure email first, then everything else follows.)

Finding and Closing Dormant Accounts

Step 1: Find Your Accounts

Most people underestimate how many accounts they have. Here’s how to find them all.

Help me find all my online accounts:

Search my email for these keywords to find signup confirmations:
1. "Welcome to"
2. "Verify your email"
3. "Confirm your account"
4. "Thanks for signing up"
5. "Your account has been created"
6. "Password reset" (shows accounts I've had)

Also check:
- Browser saved passwords list (shows accounts I've logged into)
- Password manager import (if migrating from browser)
- Social login history (what did I sign in with Google/Facebook/Apple?)

Create a spreadsheet of all found accounts with:
- Account name
- Email used
- Last activity date
- Status: active / dormant / should delete

Step 2: Delete Dormant Accounts

Tools for account deletion:

JustDelete.me — Directory of account deletion links for 1,000+ services (color-coded by difficulty)
AccountKiller.com — Step-by-step deletion instructions
Google Takeout — Export your data before deleting Google-connected accounts
Privacy request — For EU residents, GDPR gives you the right to request data deletion

Before deleting any account:

Export any data you want to keep (photos, documents, purchase history)
Remove stored payment methods
Check if any other services use this account for login (social sign-in)
Delete/close the account
Remove the account from your password manager

✅ Quick Check: You find a dormant account on a small shopping site from 2020. It has your credit card stored. The site doesn’t have a “delete account” option. What do you do? (Answer: First, remove the stored credit card immediately. Then email their support requesting account deletion — under GDPR or CCPA you may have the legal right to this. Change the password to something random in the meantime. If they don’t respond, change the email on the account to a disposable email and ensure no payment methods remain.)

Enabling Two-Factor Authentication

For accounts you’re keeping, add a second layer of security.

2FA priority:

Email (most critical)
Banking and financial
Social media
Cloud storage
Shopping with stored payment

2FA methods (from strongest to weakest):

Method	Strength	Convenience
Hardware key (YubiKey)	Strongest	Must carry the key
Authenticator app (Google/Microsoft Authenticator)	Strong	Phone-based, works offline
Passkey (FIDO2)	Strong	Growing support, no password needed
SMS code	Moderate	Vulnerable to SIM swapping
Email code	Weakest 2FA	Better than nothing

Practice Exercise

Choose a password manager and install it on all your devices
Search your email for “welcome to” and list every account you find — you’ll be surprised
Update passwords for your top 5 most critical accounts (email, banking, primary social)
Delete at least 3 dormant accounts using JustDelete.me

Key Takeaways

Password reuse is the biggest security risk — one breach exposes every account sharing that password
A password manager makes unique passwords practical: you remember one master passphrase, it handles the rest
Migrate to a password manager in priority order: email first, then financial, social, shopping, everything else
Search your email for signup keywords to find dormant accounts you’ve forgotten about
Delete dormant accounts rather than just changing passwords — elimination is better than maintenance
Enable 2FA on all important accounts — an authenticator app is the best balance of security and convenience

Up Next

In the next lesson, you’ll take control of your notifications — reducing interruptions and building focus routines that let you use your devices on your terms.

Knowledge Check

1. You use the same password for 30+ websites. 'It's a strong password — 12 characters with symbols.' Is this secure?

Yes — a strong password is secure regardless of reuse No. One breach exposes all 30 accounts. If a data breach leaks your password from any one of those 30 sites — even a small, forgotten one — attackers use credential stuffing to try that same email+password combination on every major service (Gmail, banking, social media). A unique password per site means one breach affects one account. A shared password means one breach affects everything It's fine as long as you change it annually

2. You find 15 dormant accounts (sites you signed up for years ago and never use). Why should you bother deleting them?

It doesn't matter — they're not hurting anything just sitting there Every dormant account is a security vulnerability. Those old accounts likely have weak passwords (from before you improved your security), may still hold personal data (address, payment info, preferences), and if breached, expose your email and password to attackers. Deleting dormant accounts reduces your attack surface — fewer accounts means fewer opportunities for breach exposure Just change the passwords to something stronger

3. You're setting up a password manager. Which approach is best for the master password?

Use your strongest existing password — it's already complex Create a brand new passphrase: 4-6 random words that form a memorable but nonsensical phrase (e.g., 'correct-horse-battery-staple' pattern). This passphrase should be unique — never used anywhere else — and never stored digitally. Write it on paper and keep it in a physically secure location until you've memorized it. This is the ONE password you'll ever need to remember Use your fingerprint — no password needed

Answer all questions to check

Complete the quiz above first