How to Change All Your Passwords: A Complete Step-by-Step Guide
- Prioritize by account value: email first, then banking, then cloud storage, then social media, then everything else.
- Each account takes under 2 minutes with a generator and a password manager in place.
- The full project takes 1-2 hours for most people — do it in one session so nothing gets missed.
- After changing, check that you can log in successfully before moving to the next account.
Changing all your passwords is a one-time project that takes 1-2 hours for most people. The process is systematic: work through accounts by priority, generate a new password for each, save it in a password manager, verify the login works, and move to the next. Below is the exact order to work through, the per-account process, and how to handle edge cases like accounts you cannot access or sites with broken password reset flows.
When You Should Change All Your Passwords
A full password audit is worth doing in any of these situations:
- You have been reusing passwords — if the same password appears across multiple accounts, a breach at any one of them threatens all of them
- You received a breach notification — if any service notifies you of a breach or you find your email in Have I Been Pwned, change passwords for any account that shared that password
- You are setting up a password manager for the first time — the setup session is the right time to migrate all accounts to unique generated passwords
- A device was lost or compromised — if a phone, laptop, or account credential was exposed, a full audit removes the uncertainty about what was accessed
- You are leaving a job — any accounts where work and personal access overlapped should get new passwords
You do not need to change all passwords on any regular schedule if they are already unique, generated, and stored in a manager. The goal of this project is to get to that state — after which ongoing maintenance is minimal.
Work Through Accounts in This Order
Do not start with the easiest accounts. Start with the accounts where a compromise does the most damage:
- Primary email — the master key to all account recoveries. If an attacker controls this, they can reset every other password you own. Do this one first, and make it the strongest.
- Secondary email accounts — any email address used as a recovery option for other accounts
- Banking and financial — direct access to money; investment accounts, brokerage, retirement accounts
- Cloud storage — Google Drive, iCloud, Dropbox, OneDrive contain personal and financial documents
- Work accounts — email, VPN, SSO; anything with access to company data or systems
- Social media — Instagram, TikTok, X, LinkedIn, Facebook — high impersonation and scam value
- Shopping and retail — Amazon, eBay, any account with stored payment methods
- Gaming and entertainment — Steam, Discord, Roblox, Netflix, Spotify
- Everything else — forums, newsletters, older accounts you can find in your email inbox
If you run out of time or energy, stopping after the first four categories still covers the vast majority of real financial and identity risk.
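The priority order above, combined with the reuse check from the first section, can be turned into an audit worklist. This is an added example, not part of the original guide: the CSV column names, the hand-assigned `category` column and the sample rows are constructed assumptions, not any real password manager's export format.

```python
import csv
import hashlib
import io
from collections import Counter

# Priority order taken from the guide, highest-damage accounts first.
PRIORITY = [
    "primary email", "secondary email", "banking", "cloud storage", "work",
    "social media", "shopping", "gaming", "everything else",
]

# Constructed sample export. The column names and the hand-assigned
# "category" column are assumptions, not a real manager's format.
SAMPLE_EXPORT = """name,category,password
Old forum,everything else,Summer2019!
Bank,banking,Summer2019!
Main mailbox,primary email,Summer2019!
Photo drive,cloud storage,tr0ub4dor-cloud
Game store,gaming,hunter2-games
Marketplace,shopping,hunter2-games
"""


def build_worklist(export_text):
    """Return accounts in the guide's priority order with reuse counts."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    # Group by digest so the worklist itself never carries a plaintext password.
    digests = [hashlib.sha256(r["password"].encode()).hexdigest() for r in rows]
    shared = Counter(digests)
    worklist = []
    for row, digest in zip(rows, digests):
        category = row["category"].strip().lower()
        if category not in PRIORITY:
            category = "everything else"  # unknown labels sort last
        worklist.append({
            "name": row["name"],
            "category": category,
            "shared_with": shared[digest] - 1,  # other accounts with this password
        })
    # Highest-value category first; inside a category, reused passwords first.
    worklist.sort(key=lambda a: (PRIORITY.index(a["category"]), -a["shared_with"], a["name"]))
    return worklist


def first_session(worklist):
    """Accounts in the first four categories, the guide's minimum stopping point."""
    return [a for a in worklist if PRIORITY.index(a["category"]) < 4]
```

A plaintext export is itself a sensitive file: run this locally and delete the export once the worklist is built.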
The Per-Account Process (Under 2 Minutes Each)
Repeat this for every account in priority order:
- Log in to the account — find the password change option (usually in Settings → Security or Account)
- Open Hawk Password Generator in another tab
- Set length to 20, enable all character types, click Generate
- Copy the generated password
- Paste it into the "new password" field on the account page
- Save the password in your password manager immediately — before submitting the change form
- Submit the password change
- Log out and log back in to verify — confirm the new password works before moving on
- Move to the next account
The verify-before-moving step is critical. A password change that did not save, or a copy-paste error, can lock you out of the account if you have already closed the tab and moved on. The 30 seconds to log out and back in catches this before it becomes a problem.
For accounts where you have forgotten the current password: use the "forgot password" flow to trigger a reset email to your (newly secured) primary email, then set the new generated password through the reset link.
After the Audit: Maintaining What You Built
Once all accounts have unique generated passwords stored in a manager, ongoing maintenance is minimal:
- New accounts — generate a password at signup, save immediately in the manager. Takes 30 seconds.
- Breach notifications — if a service notifies you of a breach, change only that account's password. One breach no longer cascades.
- No scheduled rotation — NIST no longer recommends periodic password changes without cause. Do not change passwords on a schedule; change them when you have reason to (breach notification, account compromise, device loss).
- Enable 2FA — as you go through each account, enable 2FA if the service supports it. Authenticator app codes are strongest; SMS is better than nothing.
Two follow-up tasks worth doing within a week of the audit:
- Check your primary email address at haveibeenpwned.com — see which of your accounts have already been part of breaches. This may surface accounts you missed in the audit.
- Review active sessions on your most important accounts (Google, Apple ID, Facebook, banking) — log out any sessions on devices you do not recognize.
Start the Audit With Account 1
Generate a fresh password for your primary email right now. Set length to 20, click Generate, copy, and paste into your email account's password change page. Under 2 minutes.
Frequently Asked Questions
How long does it take to change all your passwords?
For most people with 50-100 accounts, 1-2 hours in a single session. Each account takes under 2 minutes with a generator and password manager in place. Working through the high-priority accounts (email, banking, cloud storage, social media) takes about 30-45 minutes and covers most of the real risk.
Do I need to change all my passwords at once?
No, but doing it in one session reduces the chance of missing accounts. If you split it across days, keep a running list of completed accounts so you know what remains. Prioritize by value — completing the top four categories (email, banking, cloud storage, work) in the first session captures the majority of actual risk even if you stop there.
What if I cannot remember the current password for an account?
Use the forgot password flow on that site to receive a reset email to your (already secured) primary email address. Click the reset link, set a new generated password, save it in your manager, and verify the login. This is normal — you will likely need to use account recovery for several older accounts during an audit.
After changing all my passwords, do I need to change them again regularly?
No — if passwords are unique, generated, and stored in a manager, periodic rotation is not recommended by NIST and serves no practical purpose. Only change a password when you have a specific reason: a breach notification for that service, a suspected compromise, or a device loss. The value of the audit is getting to a state where routine rotation is unnecessary.

