A Mindful Habit for Maintaining Online Accounts
Free trials pile up. Side projects die. Shopping sites you used once still have your card on file. After a few years, you end up with a lot of accounts you don't remember creating and even less confidence in how they're secured.
Most online accounts don't disappear just because you stop using them. They can still hold your data, old passwords or recovery factors, and sometimes your payment details. Every forgotten login is another door you left unlocked.
- Breach Exposure: forgotten accounts often still have weak or reused passwords, and many either don't support MFA or have it available but not enabled.
- Privacy Leakage: abandoned accounts can keep personal data, billing details, and usage history long after you stop using the service.
- Recovery Pain: if one gets hijacked, recovery can fail fast when the old email address, phone number, or other method is no longer yours.
Before deleting any account, confirm you no longer need access to purchased content, invoices, or exported data from that service.
Regular audits aren't exactly fun, but they keep your account footprint smaller and easier to defend.
I used to clean this up in occasional panic sessions. It never stuck. But what finally worked was a simple lifecycle: inventory, classify, decommission, and monitor.
Build an Account Inventory
Start with Your Source of Truth
I keep all account credentials in 1Password. One source of truth is what makes this repeatable.
Use One Password Manager as Your Source of Truth
If you have more than one manager enabled, such as 1Password and Apple Passwords, choose one as your primary vault before cleanup. Running both in parallel creates duplicate entries, stale credentials, and autofill conflicts.
Disable autofill in the manager you are not using day to day, migrate anything important into your primary vault, then archive or remove duplicates so security checks happen in one place.
- Run built-in security checks (for example, Watchtower in 1Password), then treat compromised credentials as high-priority incidents.
- Filter for entries not used in the last 12 months.
- Apply simple lifecycle tags:
  - Active: used regularly.
  - Legacy: rarely used but still required.
  - Deprecated: candidates for deletion.
Run a High-Frequency Security Pass
The yearly pass handles lifecycle decisions. Security checks happen more often.
Each week, I run a short hardening pass:
- Compromised Passwords: rotate these first, no exceptions.
- Reused Passwords: replace with unique generated passwords.
- Weak Passwords: upgrade old credentials that no longer meet your standards.
- MFA/2FA Now Available: enable it on services that added support since your last review.
- Passkeys Now Supported: migrate high-value accounts from password-only auth where possible.
Done weekly, this takes a few minutes and catches risk before it piles up.
A Practical Cadence
Weekly: compromised, reused, weak credentials. Monthly: check which services now support MFA or passkeys.
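The 12-month staleness filter from the inventory step and the reused-password check from the weekly pass, combined over a vault export, as an added example that is not part of the original post. The CSV column names, the sample rows, and the `triage` and `sample_triage` helpers are assumptions made for illustration, not any password manager's real export format.

```python
import csv
import hashlib
import io
from collections import defaultdict
from datetime import date, timedelta

# Constructed export: column names and rows are assumptions for this example.
SAMPLE_EXPORT = """title,url,username,password,last_used
Mail,https://mail.example,me@example.com,c0rrect-h0rse-battery,2025-05-30
Old Forum,https://forum.example,me,summer2019,2021-03-14
Photo Trial,https://photos.example,me@example.com,summer2019,2023-01-02
Bank,https://bank.example,me,Vq8!tz-unique-long-one,2025-06-01
"""

STALE_AFTER = timedelta(days=365)  # the article's 12-month cutoff


def triage(export_text, today):
    """Return {title: [findings]} for entries that need attention."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    # Group by digest so the report never carries plaintext passwords.
    by_digest = defaultdict(list)
    for row in rows:
        digest = hashlib.sha256(row["password"].encode()).hexdigest()
        by_digest[digest].append(row["title"])

    findings = defaultdict(list)
    for titles in by_digest.values():
        if len(titles) > 1:  # same password on more than one entry
            for title in titles:
                others = [t for t in titles if t != title]
                findings[title].append("reused with " + ", ".join(others))
    for row in rows:
        last_used = date.fromisoformat(row["last_used"])
        if today - last_used > STALE_AFTER:
            findings[row["title"]].append("stale: review for Deprecated")
    return dict(findings)


def sample_triage():
    """Run the triage over the constructed export with a fixed date."""
    return triage(SAMPLE_EXPORT, date(2025, 6, 15))


if __name__ == "__main__":
    for title, notes in sample_triage().items():
        print(f"{title}: {'; '.join(notes)}")
```

A plaintext export is itself sensitive: keep it on encrypted storage and delete it as soon as the pass is done.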
Discover Account Sprawl Outside the Password Vault
Not every account lands in your password vault the first time. Find the strays:
- Search email for onboarding and authentication phrases like "welcome", "verify your email", and "reset password".
- Check browser-saved passwords for orphaned credentials.
- Review statements for recurring charges tied to old services.
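The email search from the first item above, as an added example that is not part of the original post: it scans message subjects for the listed phrases and reports sender domains that have no matching vault entry. The sample messages, the vault domain set, and the helper names are constructed for illustration.

```python
import email
import re
from collections import defaultdict
from email.utils import parseaddr

# Subject phrases taken from the list above.
PHRASES = re.compile(r"welcome|verify your email|reset password", re.IGNORECASE)

# Constructed sample messages (not real mail). An mbox export can be fed
# to find_strays() by iterating mailbox.mbox(path) instead.
SAMPLE_MESSAGES = [
    "From: Photo Trial <no-reply@photos.example>\nSubject: Welcome to Photo Trial!\n\nHi",
    "From: Bank <alerts@bank.example>\nSubject: Reset password request\n\nHi",
    "From: Friend <pal@mail.example>\nSubject: Lunch?\n\nHi",
    "From: Forum <noreply@mail.forum.example>\nSubject: Please verify your email\n\nHi",
]


def is_known(domain, vault_domains):
    """True if the sender domain is a vault domain or a subdomain of one."""
    return any(domain == v or domain.endswith("." + v) for v in vault_domains)


def find_strays(messages, vault_domains):
    """Map sender domain -> matching subjects for services not in the vault."""
    strays = defaultdict(list)
    for msg in messages:
        subject = str(msg.get("Subject", ""))
        if not PHRASES.search(subject):
            continue
        address = parseaddr(str(msg.get("From", "")))[1]
        if "@" not in address:
            continue  # malformed or missing sender
        domain = address.rpartition("@")[2].lower()
        if not is_known(domain, vault_domains):
            strays[domain].append(subject)
    return dict(strays)


def sample_strays():
    """Run the scan over the constructed messages and a constructed vault."""
    messages = [email.message_from_string(raw) for raw in SAMPLE_MESSAGES]
    return find_strays(messages, {"bank.example", "forum.example"})


if __name__ == "__main__":
    for domain, subjects in sample_strays().items():
        print(domain, subjects)
```

Services that send through a third-party delivery domain will show up as strays even when the account is already in the vault, so treat the output as a list to review by hand.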
Review Federated Sign-ins and Connected Apps
Some accounts never appear as standalone logins in your password vault because they're linked through identity providers like Apple ID, Google, or GitHub (for example, Sign in with Apple or other OAuth-based sign-in flows).
Keep a list of these linked services and review it regularly. This is where risk and spend hide. Old connected apps can retain access long after you stop using them, and services tied to federated sign-ins can keep charging in the background.
On a recurring schedule, review connected-app permissions and subscriptions, then revoke or remove anything you no longer use.
Import anything relevant into your password vault, then classify it so nothing sits outside your system of record.
Decommission Accounts Safely
Delete Where Possible
For each Deprecated account:
- Sign in and locate account closure or data deletion settings.
- Check official support docs for the exact deletion flow.
- Use JustDeleteMe to quickly find deletion links and friction notes.
Handle Services that Resist Deletion
Some services make deletion harder than it needs to be.
- Cancel subscriptions first and remove stored payment methods where the service allows it, or open a support ticket when self-service removal is blocked.
- Submit a formal deletion request when self-service isn't available.
- Keep evidence (ticket numbers or screenshots) in case of compliance disputes.
Reduce Risk When Deletion is Impossible
If a service only allows deactivation, reduce the damage it can do:
- Replace profile data with minimal placeholder values when allowed.
- Remove connected OAuth apps and third-party integrations.
- Rotate recovery addresses to dedicated aliases you control.
- Set a long unique password and save it in your vault so the account can't be easily reused.
Note
If you use email aliases, keep a simple mapping in your password vault notes so future-you knows which alias belongs to which service.
Protect Your Identity Foundation
Some accounts are foundational. You don't remove them; at a minimum you harden them:
- Primary Email Accounts: these are the root of trust for password resets.
- Financial Systems: banks, tax portals, and payment processors should be retained and tightly secured.
- Professional Identity: GitHub, LinkedIn, and other career artifacts should be accurate, protected, and monitored.
For core accounts, my minimum baseline includes:
- Unique password generated and stored in 1Password.
- MFA enabled, preferably app-based or hardware-backed (e.g. YubiKey).
- Passkey enabled where supported.
- Recovery email and recovery phone verified.
- Backup codes securely stored.
Automate the Maintenance Loop
Manual cleanup can be a drag. Use automation where possible.
- Use continuous password vault monitoring for breach and weak-password alerts.
- Unsubscribe from low-value mailing lists in bulk.
- Consider DeleteMe or similar services for data broker opt-outs, not direct account deletion. They're useful after account cleanup, not a substitute for it.
I also keep a small Review tag in 1Password for accounts that need follow-up. When I have ten minutes, I open that list and clear one item.
My New Year's Ritual
Every year around New Year's, I run this process end-to-end. It started as a one-time cleanup and turned into a reset ritual: part security review, part digital declutter.
In practice, I do it in three passes:
- Pass 1 (Inventory): walk through every account I can find and tag it Active, Legacy, or Deprecated.
- Pass 2 (Action): review the Deprecated list to cancel subscriptions, delete accounts, and document anything that needs follow-up.
- Pass 3 (Hardening): review high-value Active accounts and ensure MFA, passkeys, recovery details, and backup codes are all current.
Tip
If the full cleanup feels heavy, finish pass 1 and complete one account from pass 2.
Momentum matters more than perfection.
Even with automation, keep a recurring quarterly review. Small, regular maintenance beats annual panic every time.
Annual inventory plus weekly Watchtower checks keep stale accounts from turning into quiet breach risk. The goal isn't a spotless internet footprint. The goal is fewer unmanaged logins and a password vault you still trust when something goes wrong.