Freelance security starts with a blunt question: which accounts would stop your business if you lost them tonight?

For most freelancers, the answer is not one app. It is a chain: primary email, password manager, client workspaces, cloud storage, invoice and payment accounts, code or design tools, domain registrar, hosting, and backups. If one link fails, you can lose access to client work, invoices, project history, or the account that proves you own the business.

This checklist is written for solo freelancers and developer-consultants who need a practical baseline, not an enterprise security program.

The short version

If you only have 30 minutes, do not try to secure every account you own. Start with the accounts that can stop paid work: primary email, password manager, domain registrar, cloud storage, payment tools, and client workspaces.

The practical baseline is simple: use unique passwords, turn on MFA for critical accounts, save backup codes before you sign out of anything, and write down how you would recover email, domain, password manager, and client files if your laptop or phone disappeared. Device hygiene matters too, but it comes after you understand which accounts keep the business running.

Who this is for

This guide is for freelancers who manage their own devices, accounts, and recovery paths. It is especially relevant if you use the same laptop for personal and client work, have access to client systems, invoice through online tools, rely on one main email account, or own a domain, website, portfolio, or client-facing brand.

If you are part of a larger company with managed devices and central identity, some of this still applies, but your organization may already have stricter rules.

1. Build your business-critical account list

Before changing settings, make a simple account inventory. Do not overcomplicate it. A spreadsheet, markdown note, or printed worksheet is enough.

Start with the obvious business systems: primary email, password manager, domain registrar, DNS provider, website hosting, cloud storage, code or design tools, client communication accounts, invoicing, payment, banking, tax accounts, backup storage, and any phone account used for recovery.

Mark any account that can reset another account as critical. Your primary email is almost always critical. So is your password manager. If you own a domain, your registrar can also be critical because it can affect your website, email routing, and brand.

For example, your account list might look like this:

| Priority | Accounts | Why they matter |
|---|---|---|
| Critical | Primary email, password manager, domain registrar, cloud storage | These accounts can recover, redirect, or expose other accounts. |
| High | GitHub, client Slack/Teams, invoicing, payment processor | Losing access can block work, delivery, communication, or payment. |
| Normal | Newsletter tools, learning accounts, low-impact SaaS trials | These still need unique passwords, but they should not distract from critical accounts. |

The point is to avoid spending an hour securing a low-impact tool while your primary email still has weak recovery.
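The "can reset another account" rule can be checked mechanically once the inventory records which account recovers which. The sketch below is an added example, not part of the original checklist; the sample inventory and its recovery edges are constructed assumptions, and it goes one step further than the text by following reset paths transitively.

```python
from collections import deque

# Constructed sample inventory: account -> accounts that can reset or recover it.
# These edges are assumptions for illustration; read your own from each
# account's recovery settings.
RECOVERED_BY = {
    "primary email": ["phone account"],
    "phone account": [],
    "password manager": ["primary email"],
    "domain registrar": ["primary email"],
    "cloud storage": ["primary email"],
    "GitHub": ["primary email"],
    "invoicing": ["primary email"],
    "business email (own domain)": ["domain registrar"],
    "client Slack": ["business email (own domain)"],
    "newsletter tool": ["primary email"],
}

def blast_radius(recovered_by):
    """Map each account to every account it can reset, directly or through a chain."""
    can_reset = {name: set() for name in recovered_by}
    for account, controllers in recovered_by.items():
        for controller in controllers:
            can_reset.setdefault(controller, set()).add(account)
    radius = {}
    for start in can_reset:
        seen, queue = set(), deque([start])
        while queue:  # breadth-first walk; `seen` keeps recovery loops from cycling
            for nxt in can_reset[queue.popleft()]:
                if nxt not in seen and nxt != start:
                    seen.add(nxt)
                    queue.append(nxt)
        radius[start] = seen
    return radius

def critical_first(recovered_by):
    """Accounts that can reset at least one other account, widest reach first."""
    radius = blast_radius(recovered_by)
    critical = [(name, sorted(reach)) for name, reach in radius.items() if reach]
    return sorted(critical, key=lambda item: (-len(item[1]), item[0]))

if __name__ == "__main__":
    for account, reach in critical_first(RECOVERED_BY):
        print(f"CRITICAL {account}: can reset {len(reach)} -> {', '.join(reach)}")
```

In this sample the phone account outranks the primary email because it recovers the inbox. The graph only models reset paths, so an account that stores credentials, such as the password manager, stays on the critical list regardless of its score here.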

2. Secure the recovery chain first

Security advice often says “turn on MFA everywhere.” That is good advice, but for solo freelancers it is incomplete. If MFA is added before recovery is understood, you can lock yourself out of the accounts that let you work.

For critical accounts, confirm that recovery email addresses and phone numbers are current, download or print backup codes, remove abandoned recovery methods, and document where the recovery material is stored. Then test sign-in from a trusted device before you sign out of all sessions or replace an authenticator device.

If you need a deeper recovery workflow, see the solo founder account recovery plan and the guide on where to store backup codes and recovery keys.

3. Use a password manager deliberately

Unique passwords are not optional once client accounts, payment tools, and cloud storage are involved. A password manager is usually the most practical way to manage that.

For a freelancer, the important question is not only “which password manager is best?” The more useful question is whether your setup separates personal and business records, labels client credentials clearly, can be recovered if your laptop dies, supports export if you need to move later, and lets you share credentials without sending secrets through chat. You also need a separate answer for where the password manager’s own recovery material lives.

Avoid one giant unsorted browser password store that mixes banking, personal accounts, client credentials, and throwaway logins. Even if you keep one password manager account, use folders, collections, or labels to separate work from personal life.

4. Turn on MFA in the right order

Start with the accounts that control recovery and business continuity:

  1. primary email
  2. password manager
  3. domain registrar
  4. cloud storage
  5. GitHub, GitLab, or other work delivery accounts
  6. payment and invoicing accounts
  7. client workspaces

Prefer phishing-resistant options such as passkeys or hardware security keys when supported, but keep the recovery path clear. If an account supports only SMS, use it if it is the best available option, but do not treat it as equivalent to stronger MFA.

Before turning on MFA for a critical account, save backup codes and understand how you would recover access if your phone disappeared. The MFA lockout guide covers this in more detail.

5. Separate client access from personal access

Client access should not be treated like a personal login. Use named accounts instead of shared credentials when the client supports it, label client records clearly in your password manager, and remove access when a project ends. Avoid storing client secrets in plain text notes, screenshots, random local folders, or chat messages.

If a client gives you a shared admin credential, document that it is shared and push for a better access model when possible.

6. Protect the devices you work from

A clean account setup is weaker if the device is easy to compromise. At minimum, use full-disk encryption, keep the operating system updated, set a strong device password or biometric unlock, require lock on sleep, remove browser extensions you do not trust, separate work browser profiles when useful, and make sure important files are backed up.

For developer-consultants, also check SSH keys, API tokens, .env files, and local project folders. Do not leave client secrets scattered across old repositories and downloads.
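One way to run that check over your own project folders is the self-audit sketch below. It is an added example, not part of the original checklist; the file-name list, the suffix list, and the skipped directories are assumptions to adapt, and it reports paths and permissions only, never file contents.

```python
import os
import stat
from pathlib import Path

# Assumed naming heuristics for this example; extend them for your own tooling.
SECRET_NAMES = {".env", "id_rsa", "id_ed25519", "id_ecdsa", "credentials.json"}
SECRET_SUFFIXES = {".pem", ".key", ".p12", ".pfx"}
PRIVATE_KEY_MARKER = b"PRIVATE KEY-----"  # tail of PEM/OpenSSH private key headers
SKIP_DIRS = {".git", "node_modules", ".venv", "__pycache__"}

def looks_secret(path):
    """True if the name suggests a secret or the file starts like a private key."""
    name = path.name
    if name in SECRET_NAMES or name.startswith(".env.") or path.suffix in SECRET_SUFFIXES:
        return True
    try:
        with path.open("rb") as fh:
            return PRIVATE_KEY_MARKER in fh.read(4096)
    except OSError:
        return False  # unreadable file: nothing to report

def find_scattered_secrets(root):
    """Return sorted (relative path, mode, readable by group/others) tuples."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]  # prune in place
        for filename in filenames:
            path = Path(dirpath) / filename
            if path.is_symlink() or not path.is_file():
                continue
            if looks_secret(path):
                mode = stat.S_IMODE(path.stat().st_mode)
                exposed = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
                findings.append((str(path.relative_to(root)), oct(mode), exposed))
    return sorted(findings)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, mode, exposed in find_scattered_secrets(target):
        print(f"{'EXPOSED' if exposed else 'ok':7} {mode} {rel}")
```

Template files such as `.env.example` will also match the name rule; review each hit and move real client secrets into the password manager.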

7. Write a one-page recovery note

Create a short note you could use if your laptop, phone, or primary email stopped working. It should explain where backup codes are stored, which account recovers your password manager, who controls your domain and DNS, where client files are backed up, how to reach important clients if your main inbox is unavailable, which devices can still access critical accounts, and what to do first if the phone with MFA is lost.

Do not put raw passwords in this note. This is a map, not a vault.

Common mistakes

The most common mistake is spending energy on low-impact accounts while primary email remains weak. If your main inbox can reset your domain, password manager, payment tools, and client workspaces, it deserves attention before minor SaaS accounts.

Another common failure is enabling MFA without saving backup codes. MFA is useful, but it should not turn one lost phone into a business outage. Password manager recovery material also needs special care; if the only copy of the recovery key is inside the password manager, it may not help when the vault itself is the problem.

Freelancers also tend to blur personal and client access. One browser profile, one unsorted password vault, and old client credentials all create avoidable risk. Keep client records labelled, remove access when projects end, and do not assume a cloud sync folder is the same as a real backup.

Good next step

Start with three accounts: primary email, password manager, and domain registrar. If those are secure and recoverable, every other improvement becomes easier.
