1. Do you reuse passwords across 3+ important accounts?

Yes No / Not sure

If you reuse, one leak compromises all. Fix with a password manager.

2. Are any of your emails in a public breach (check HIBP)?

Yes No / Not sure

If yes, attackers have your credentials to try against other sites.

3. Is MFA enabled on your email, bank, and password manager?

Yes No / Not sure

MFA defeats credential stuffing — enable it everywhere.

4. Do you change leaked passwords within 48 hours of breach news?

Yes No / Not sure

Rapid rotation kills the credential-stuffing window.

5. Are your oldest account passwords 14+ characters?

Yes No / Not sure

Short old passwords are brute-forceable offline.

6. Do you have login alerts enabled (email on new device)?

Yes No / Not sure

First line of defense after a credential-stuff attempt.

7. Have you rotated passwords exposed in a breach in the last year?

Yes No / Not sure

If you saw a HIBP notification, did you act on it?

8. Do you keep track of which password was used where?

Yes No / Not sure

You cannot rotate what you cannot find.

9. Is your primary email on the free-email-provider allowlist for your bank (Gmail, Outlook)?

Yes No / Not sure

Self-hosted / obscure providers sometimes have weaker security.

10. Is your password manager's master password unique?

Yes No / Not sure

Master password reuse is the single biggest vulnerability.

Credential Stuffing Risk Checker