I used to think my Google account was safe just because I had a decent password on it. Then I ran a Google Security Checkup account audit after a friend’s Gmail got hijacked through an old app she’d forgotten she’d granted access to, and I found three sign-ins I didn’t recognize sitting in my own account for months.
The real risk isn’t a weak password — it’s the forgotten access you granted years ago and never revoked. A Google Security Checkup takes about 10 minutes and closes those gaps before someone else finds them first.
Quick Answer
Open myaccount.google.com/security-checkup, review recent sign-in activity, check connected devices, remove third-party apps you no longer use, confirm 2-Step Verification is on, and run the built-in Password Checkup. It takes about 10 minutes, and doing it twice a year catches most account compromises before real damage happens.
What Is the Google Security Checkup?
The Security Checkup is a free tool built into every Google account. It walks through five areas: recent security activity, signed-in devices, 2-Step Verification, third-party app access, and saved password health.
Why I Run It Every Few Months
I treat it like checking smoke detector batteries — nothing feels urgent until the one time it is. Accounts get compromised quietly, through an old app permission or a session on a device you sold.
The checkup exists to surface access you granted and forgot about, not to scan for malware.
How Do I Start My Google Security Checkup?
Step 1: Open the Tool
Go to myaccount.google.com/security-checkup and sign in. Google may ask you to re-enter your password since this page touches sensitive settings.
Step 2: Work Through Each Card Top to Bottom
Google presents the checkup as a stack of cards. Don’t skip to the end — skimming past “Recent security activity” is exactly how old sign-ins go unnoticed.
Starting the checkup takes one click; the value comes from reading every card instead of clicking through it.
What Should I Check in Recent Security Activity?
Look for Unfamiliar Locations or Devices
This card lists sign-ins, password changes, and recovery info updates from the last 28 days. When I ran mine last month, it flagged a Chrome sign-in from a city I’d never visited — it turned out to be a VPN test session I’d run myself, but the checkup caught it in under a minute.
Step 3: Secure the Account If Anything Looks Wrong
If you see activity you don’t recognize, click “Secure your account,” change your password, and sign out of all other sessions.
Recent activity is your earliest warning sign — check it first, before the other cards.
How Do I Review Devices Signed Into My Account?
Step 4: Open “Your Devices”
This shows every phone, tablet, and computer signed into your Google account, with last-active dates. Old laptops you sold or phones you traded in often linger here for years.
Step 5: Sign Out Devices You Don’t Own Anymore
Click any unfamiliar or old device, then choose “Sign out.” This kills that device’s access immediately.
A device list only protects you if you actually remove the ones you no longer use.
Which Third-Party Apps Should I Remove?
The table below shows what each part of the checkup catches, so you know where to spend your 10 minutes.
| Checkup Section | What It Shows | Why It Matters |
|---|---|---|
| Recent security activity | Sign-ins, password changes (28 days) | Earliest sign of unauthorized access |
| Your devices | Every device currently signed in | Old or sold devices keep access otherwise |
| 2-Step Verification | Whether a second factor is active | Blocks logins even if your password leaks |
| Third-party access | Apps and sites connected to your account | Unused apps are a common breach vector |
| Password Checkup | Reused or leaked saved passwords | Flags credentials exposed in past breaches |
Step 6: Revoke Anything You Don’t Recognize or Use
Under “Third-party access,” click any app you haven’t used in the last year and select “Remove access.” I found a resume-builder site from three years ago still holding full Google Drive access — gone in two clicks.
Pro tip: sort mentally by permission scope, not app name — an app with “full account access” you barely use is riskier than a frequently used app with read-only calendar access.
Third-party access is where forgotten permissions accumulate the fastest, so it deserves more than a glance.
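The prioritization from Step 6, as an added example that is not part of the original article: a Python script that orders a hand-typed inventory of connected apps by access breadth rather than name and marks anything unused for a year for removal. The weights, the review threshold and the app names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed weights for how much each access level exposes. The labels are typed
# by hand from the "Third-party access" card; the numbers are illustrative.
SCOPE_WEIGHT = {
    "full account access": 10,
    "full Google Drive access": 8,
    "read-only calendar access": 3,
    "basic profile info": 1,
}
UNKNOWN_WEIGHT = 6  # unrecognized or missing wording: assume it is broad
REVIEW_AT = 6       # at or above this breadth, keep only if still needed
STALE_DAYS = 365    # the article's rule: not used in the last year

@dataclass
class Grant:
    app: str
    scopes: list
    last_used: Optional[date]  # None = you cannot remember ever using it

def triage(grants, today):
    """Return (app, action) pairs, broadest access first, then longest idle."""
    rows = []
    for g in grants:
        # An app is as risky as its broadest scope.
        breadth = max((SCOPE_WEIGHT.get(s, UNKNOWN_WEIGHT) for s in g.scopes),
                      default=UNKNOWN_WEIGHT)
        idle = STALE_DAYS + 1 if g.last_used is None else (today - g.last_used).days
        if idle > STALE_DAYS:
            action = "remove"
        elif breadth >= REVIEW_AT:
            action = "review"
        else:
            action = "keep"
        rows.append((g.app, action, breadth, idle))
    # Order by permission scope, not app name; idle time breaks ties.
    rows.sort(key=lambda r: (-r[2], -r[3]))
    return [(app, action) for app, action, _, _ in rows]

# Constructed sample inventory (hypothetical app names and dates).
SAMPLE = [
    Grant("Calendar widget", ["read-only calendar access"], date(2024, 5, 28)),
    Grant("Resume builder", ["full Google Drive access"], date(2021, 4, 2)),
    Grant("Backup tool", ["full account access"], date(2024, 1, 15)),
    Grant("Old quiz site", ["basic profile info"], None),
]
```

Calling `triage(SAMPLE, date(2024, 6, 1))` puts the broad-access backup tool at the top for review even though it was used this year, while the frequently used read-only calendar app is kept.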
How Do I Turn On 2-Step Verification and Fix Password Checkup Warnings?
Step 7: Confirm 2-Step Verification Is On
If it’s off, add a passkey or an authenticator app rather than SMS codes, which can be intercepted through SIM swapping. My guide on setting up a passkey covers this in under two minutes.
Step 8: Run Password Checkup
This scans your saved passwords against known data breaches and flags reused or weak ones. Replace flagged passwords one at a time, starting with anything tied to your primary email.
Troubleshooting tip: if Password Checkup spins indefinitely, sign out of all Google sessions on that browser and sign back in — a stale auth token is almost always the cause.
2-Step Verification stops most account takeovers outright, even when a password does leak.
Common Mistakes to Avoid
Running It Once and Never Again
New apps and devices connect constantly. Fix: set a recurring reminder every six months.
Using SMS as Your Only Second Factor
SMS codes are vulnerable to SIM swapping. Fix: switch to a passkey or authenticator app.
Ignoring App Warnings
Dismissing these without reading them leaves outdated integrations connected. Fix: click through and decide deliberately.
Reusing the Same Password Everywhere
One leaked site can compromise every account sharing that password. Fix: use a password manager to generate unique ones, as I outline in my two-factor authentication setup guide.
Forgetting Recovery Info
An outdated recovery phone or email locks you out when you need it most. Fix: verify both are current every checkup.
Frequently Asked Questions
How long does a Google Security Checkup actually take?
About 10 minutes if your account is in reasonable shape. My first real audit after years of neglect took closer to 25 minutes because I had a dozen old apps to revoke.
Does the Security Checkup cost anything?
No, it’s built into every free Google account with no premium tier required.
Will removing a third-party app delete my data in that app?
No, it only revokes that app’s access to your Google account; the app itself and its data stay intact. I removed an old fitness app’s Google access last year and still had my workout history inside that app.
What’s the difference between this and Password Checkup?
Password Checkup is one card inside the broader Security Checkup, focused only on saved password health. The full checkup also covers devices, activity, and app access.
Should I run this on every Google account I have?
Yes, especially old or secondary accounts. I found an abandoned account of mine still connected to a forgotten data-collection app, similar to what I cover in what Google actually collects about you.
Conclusion
A Google Security Checkup costs you 10 minutes and closes access gaps that build up silently over years. Open the checkup now, work through every card, and set a calendar reminder to repeat it in six months.