Once a year, I want people to do the security version of a health checkup.
Not a dramatic lockdown.
Not a paranoid weekend where every account gets changed and nobody remembers what happened.
One scheduled review. Same month every year. Put it on the calendar next to taxes, insurance, physicals, or whatever other adult maintenance task you already avoid.
The point is simple: your life changes, but your security setup does not update itself.
You move. You change phones. You open accounts. You close accounts. You get married. You have kids. A parent gets older. A beneficiary form becomes stale. A backup key lives in the wrong country. A trusted person is no longer the right person. A service changes its recovery settings.
None of that feels urgent until it is.
The annual checkup is not only cybersecurity
When people hear “security review,” they think passwords and hackers.
That is too small.
A real personal security checkup includes access, recovery, family continuity, important documents, beneficiaries, devices, backups, and emergency instructions.
Can your spouse, sibling, parent, executor, or trusted person function if you cannot help?
Can they pay the bills?
Can they reach the password manager?
Can they find the insurance policy?
Can they identify the accounts that matter?
Can they recover family photos?
Can they avoid moving digital assets in a panic?
That is the actual test.
Start with the account list
Make a list of important accounts.
Not every account. Important ones.
- Email.
- Password manager.
- Banking.
- Credit cards.
- Brokerage.
- Retirement accounts.
- Tax filing.
- Apple, Google, Microsoft.
- Domain registrar.
- Cloud storage.
- Phone carrier.
- Insurance.
- Crypto exchanges, if any.
- Hardware wallet or self-custody notes, if any.
For each one, answer:
- Who owns it?
- How do I log in?
- Is MFA enabled?
- What is the recovery path?
- Who needs to know this account exists?
- What happens if I die or cannot respond?
This is not fun. That is fine.
Most useful maintenance is not fun.
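One way to keep those answers in a form you can check rather than reread, as an added example (not the post's own tool): a small Python inventory with a gap check. The record fields, the three sample accounts and the rules (strong MFA means an app, passkey or security key; a review older than a year is stale; recovery that rests only on a phone number is a gap) are assumptions for illustration.

```python
from datetime import date

# Constructed sample inventory (not real accounts). One record per account,
# with fields that answer the questions above. Values are assumptions.
INVENTORY = [
    {"name": "primary email", "owner": "me", "mfa": "security_key",
     "recovery": ["backup_key", "printed_codes"], "trusted_person_knows": True,
     "last_reviewed": "2025-02-01"},
    {"name": "bank", "owner": "joint", "mfa": "sms",
     "recovery": ["phone"], "trusted_person_knows": True,
     "last_reviewed": "2022-11-15"},
    {"name": "domain registrar", "owner": "me", "mfa": "none",
     "recovery": [], "trusted_person_knows": False,
     "last_reviewed": "2021-06-30"},
]

# Assumed policy: which MFA kinds count as strong, and how old a review may be.
STRONG_MFA = {"security_key", "passkey", "authenticator_app"}
REVIEW_EVERY_DAYS = 365
REVIEW_DATE = date(2025, 6, 1)  # fixed "today" so the demo is reproducible


def review_account(acct, today):
    """Return the findings for one account; an empty list means no gaps."""
    findings = []
    if acct["mfa"] == "none":
        findings.append("no MFA")
    elif acct["mfa"] not in STRONG_MFA:
        findings.append(f"weak MFA ({acct['mfa']}); move to an app, passkey or key")
    if not acct["recovery"]:
        findings.append("no recovery path recorded")
    elif acct["recovery"] == ["phone"]:
        findings.append("recovery depends only on the phone number")
    if not acct["trusted_person_knows"]:
        findings.append("trusted person does not know this account exists")
    age = (today - date.fromisoformat(acct["last_reviewed"])).days
    if age > REVIEW_EVERY_DAYS:
        findings.append(f"not reviewed for {age} days")
    return findings


def review_inventory(inventory, today):
    """Map account name -> findings, listing only accounts with a gap."""
    report = {}
    for acct in inventory:
        findings = review_account(acct, today)
        if findings:
            report[acct["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in review_inventory(INVENTORY, REVIEW_DATE).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run it once a year with the real inventory and the current date; the output is the to-do list for the checkup, and the "last_reviewed" field is how the date and next review get recorded.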
Update beneficiaries and trusted contacts
Beneficiaries are where old life events hide.
Retirement accounts, brokerage accounts, life insurance, bank accounts, and some workplace benefits can all have beneficiary settings. People set them once and forget them. Then life moves.
Annual checkup means looking again.
Is the beneficiary still correct?
Is the contingent beneficiary still correct?
Does the name match current legal documents?
Did a marriage, divorce, death, move, or new child change the plan?
Do the people named know enough to act?
I am not a lawyer, and this is not estate planning advice. It is a reminder that stale beneficiary settings can outrank what people assume will happen.
If the account has a trusted contact, legacy contact, inactive account manager, or emergency access feature, review that too.
The tool does not help if you never set it up.
Test the recovery paths
This is where the checkup becomes real.
Pick a few critical recovery paths and test them.
Password manager:
- Is the emergency kit printed or otherwise reachable?
- Is the master password held only where you intend: memorized, and in the emergency kit, nowhere else?
- Are backup codes stored somewhere sane?
- Is the backup hardware key enrolled and tested?
Email:
- Is MFA enabled?
- Is the recovery email still yours?
- Is the recovery phone number current?
- Is the email account itself recoverable if your phone is lost?
Devices:
- Is full-disk encryption on?
- Are old devices wiped or accounted for?
- Is the phone passcode known to the person who would need it, if that is part of your plan?
Backups:
- Restore one photo.
- Restore one document.
- Open the encrypted backup.
- Confirm offsite backup still runs.
Digital assets:
- Confirm the written procedure still matches the actual wallet setup.
- Verify hardware devices are present.
- Verify the seed/passphrase recovery path with a dry run that does not expose the seed: restore it onto a spare or freshly reset hardware device and confirm the derived addresses match, without moving any funds or typing the seed into a computer.
- Confirm nobody has to guess under stress.
The checkup is not done until at least one restore or recovery test happens.
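The backup items above can be a script rather than a memory, as an added example (not the post's own procedure): back up a constructed sample tree with a SHA-256 manifest, then restore a sample of files into a scratch directory and verify each against the manifest, plus an archive-age check for the "offsite backup still runs" item. The file names, the seven-day threshold and the `run_demo` helper are assumptions.

```python
import hashlib
import json
import os
import random
import tarfile
import tempfile
import time

MAX_BACKUP_AGE_DAYS = 7  # assumed: an archive older than this means the job stopped

# Constructed sample files standing in for photos and documents (not real data).
SAMPLE_FILES = {
    "2024/beach.jpg": b"\xff\xd8\xff\xe0" + b"fake jpeg bytes" * 50,
    "notes.txt": b"which accounts matter, where the kit is\n",
    "will.pdf": b"%PDF-1.4\n" + b"placeholder" * 20,
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path, manifest_path):
    """Archive src_dir as tar.gz and record a hash per file; returns file count."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _, files in os.walk(src_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return len(manifest)


def restore_drill(archive_path, manifest_path, sample_size=2, now=None):
    """Restore a random sample into a scratch dir and verify hashes.

    Returns ok (bool), checked (names), mismatched (names) and stale (bool).
    """
    now = time.time() if now is None else now
    age_days = (now - os.path.getmtime(archive_path)) / 86400
    with open(manifest_path) as f:
        manifest = json.load(f)
    sample = random.sample(sorted(manifest), min(sample_size, len(manifest)))
    # Use tarfile's "data" filter where the interpreter has it, so a crafted
    # archive cannot write outside the scratch directory during the drill.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    mismatched = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            for rel in sample:
                tar.extract(rel, path=scratch, **extract_kwargs)
                if sha256_file(os.path.join(scratch, rel)) != manifest[rel]:
                    mismatched.append(rel)
    stale = age_days > MAX_BACKUP_AGE_DAYS
    return {"ok": not mismatched and not stale, "checked": sample,
            "mismatched": mismatched, "stale": stale}


def run_demo(age_days=0.0, tamper=False):
    """Build the sample tree, back it up and run the drill over every file.

    age_days pretends the archive is that old; tamper corrupts one manifest
    entry to show what a failed restore check looks like.
    """
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "photos")
        os.makedirs(os.path.join(src, "2024"))
        for rel, data in SAMPLE_FILES.items():
            with open(os.path.join(src, rel), "wb") as f:
                f.write(data)
        archive = os.path.join(work, "photos.tar.gz")
        manifest = os.path.join(work, "photos.manifest.json")
        make_backup(src, archive, manifest)
        if tamper:
            with open(manifest) as f:
                entries = json.load(f)
            entries[sorted(entries)[0]] = "0" * 64
            with open(manifest, "w") as f:
                json.dump(entries, f)
        now = os.path.getmtime(archive) + age_days * 86400
        return restore_drill(archive, manifest, sample_size=len(SAMPLE_FILES), now=now)


if __name__ == "__main__":
    print(run_demo())
    print(run_demo(age_days=30))
    print(run_demo(tamper=True))
```

Against a real backup, point `restore_drill` at the archive and the manifest the backup job wrote, keep the default small sample, and treat any `mismatched` entry or `stale` flag as a failed checkup item. The drill extracts into a temporary directory and never touches the live files, which is what makes it safe to run every year.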
NIST’s small-business guidance says to require MFA where available, use password managers, regularly back up data, and test backups. That language is aimed at organizations, but the shape applies to households too. Identify what matters. Protect it. Test recovery.
Clean up what you no longer use
Old accounts are quiet risk.
Every unused account is another place where your email, phone number, address, password history, or payment method might sit.
During the annual checkup, close what you can.
Remove saved cards from accounts you do not use.
Delete old OAuth app connections.
Remove devices you no longer own.
Replace passwords that predate your password manager or were ever reused elsewhere; an important account untouched for years usually has one of those.
Turn off SMS 2FA where authenticator apps or security keys are available, and remove the phone number as a recovery factor where the service allows it; a phone number is the factor an attacker can take over with a SIM swap.
The FTC points out the basic reason MFA matters: passwords are vulnerable to phishing, breaches, reuse, and guessing. I would add the practical layer: old accounts make that problem bigger.
You do not need to become a different person. Just reduce the junk drawer.
Write the handoff note
At the end, write one page.
Not a full binder. One page.
It should tell a trusted person:
- Where the password manager recovery instructions are.
- Where important documents live.
- Which accounts matter most.
- Who to contact before moving digital assets.
- Where the latest account list is.
- What not to do in a panic.
Do not put secrets in the wrong place. Do not create a new single point of failure. But do make the existence and location of the recovery path clear enough that someone is not starting from zero.
The widow story from my security post is the reason I care about this. A friend of the family lost her husband and spent months proving she was allowed to access her own family’s money. She did not know the passwords. The system did not make grief easier.
That is what the checkup is trying to prevent.
My annual checklist
If I had to compress it:
- Review important accounts.
- Confirm MFA and recovery methods.
- Test password manager recovery.
- Test one backup restore.
- Review beneficiaries and legacy contacts.
- Confirm hardware keys and backup keys.
- Confirm device encryption and old-device cleanup.
- Review self-custody instructions, if any.
- Update the trusted-person handoff note.
- Record the date and next review.
One hour if the setup is clean.
Half a day if you have never done it.
That is still cheaper than trying to reconstruct a life through customer support after something happens.
Health checkups are not exciting either.
You do them because catching the quiet thing early is better than discovering it after it becomes loud.
Sources
- NIST CSF 2.0 Small Business Quick-Start Guide: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1300.pdf
- FTC two-factor authentication guidance: https://consumer.ftc.gov/articles/use-two-factor-authentication-protect-your-accounts
- Ready.gov financial preparedness: https://www.ready.gov/financial-preparedness
- Related post: The 5 Digital Security Mistakes I See Every Week