What does this control check?

The SensitiveFiles control scans your Downloads folder for files that may contain sensitive credentials, such as password lists, backup codes, recovery codes, and emergency kits (like 1Password Emergency Kits). These files should not be stored in plaintext on your computer.

Important: Your Downloads folder is one of the least secure places on your computer. Many applications have access to it, it's often not backed up securely, and malware specifically targets this folder. Recovery codes and emergency kits are as good as passwords - if someone finds your 1Password Emergency Kit or backup codes in your Downloads folder, they can use them to gain complete access to your accounts, even if you have strong passwords and two-factor authentication enabled.

Why is this important?

🎯 High-Value Targets

Backup codes, recovery codes, and emergency kits are specifically designed to bypass normal security measures. If stolen, they give attackers complete access to your accounts.

📂 Exposed Location

The Downloads folder is easily accessible to malware, backup systems, and anyone who gains access to your computer. It's the first place attackers look for valuable information.

🔐 Bypassing 2FA

Recovery and backup codes are specifically designed to work when you've lost access to your two-factor authentication. Stolen codes completely bypass this security layer.

How to fix this

Securing Sensitive Files on Windows

Step 1: Locate the sensitive files

  1. Open File Explorer
  2. Navigate to your Downloads folder
  3. Look for files with names containing:
    • "password", "emergency kit", or "backup codes"
    • "recovery codes" or "2fa codes"
    • 1Password Emergency Kit PDFs
    • Any files containing lists of codes or credentials

Step 2: Store codes securely

  1. For password manager emergency kits (1Password, Bitwarden, etc.):
    • Print the emergency kit and store it in a physically secure location (safe, locked drawer)
    • OR save it to an encrypted USB drive stored securely
    • Never leave it in Downloads or on your Desktop
  2. For backup/recovery codes (GitHub, Google, etc.):
    • Store them in your password manager (1Password, Bitwarden, etc.)
    • OR print them and store physically in a secure location

Step 3: Securely delete the files

  1. Select the sensitive file(s) in Downloads
  2. Press Shift + Delete to permanently delete (bypassing Recycle Bin)
  3. Click Yes to confirm permanent deletion
  4. Empty your Recycle Bin if you deleted without holding the Shift key

⚠️ Important notes:
  • Make sure you've stored the codes securely before deleting them
  • Never store recovery codes in regular documents or notes apps
  • If you're unsure what a file is, ask IT support before deleting
  • Consider using a password manager to securely store all backup codes

Securing Sensitive Files on macOS

Step 1: Locate the sensitive files

  1. Open Finder
  2. Click on Downloads in the sidebar
  3. Look for files with names containing:
    • "password", "emergency kit", or "backup codes"
    • "recovery codes" or "2fa codes"
    • 1Password Emergency Kit PDFs
    • Any files containing lists of codes or credentials

Step 2: Store codes securely

  1. For password manager emergency kits (1Password, Bitwarden, etc.):
    • Print the emergency kit and store it in a physically secure location (safe, locked drawer)
    • OR save it to an encrypted disk image stored securely
    • Never leave it in Downloads or on your Desktop
  2. For backup/recovery codes (GitHub, Google, etc.):
    • Store them in your password manager (1Password, Bitwarden, etc.)
    • OR print them and store physically in a secure location

Step 3: Securely delete the files

  1. Select the sensitive file(s) in Downloads
  2. Press Command + Delete to move to Trash
  3. Open Finder and select Empty Trash from the Finder menu
  4. OR press Command + Shift + Delete to empty trash immediately
  5. Click Empty Trash to confirm

For secure deletion: Hold Command + Option while emptying Trash to securely erase files (prevents recovery).

⚠️ Important notes:
  • Make sure you've stored the codes securely before deleting them
  • Never store recovery codes in regular Notes or TextEdit documents
  • If you're unsure what a file is, ask IT support before deleting
  • Consider using a password manager to securely store all backup codes

Verifying the fix

After securing and deleting sensitive files, Citadel will automatically verify this control during its next check.

To verify your Downloads folder is clean (Windows):

  1. Open File Explorer and go to Downloads
  2. Search for files containing "password", "recovery", "backup", or "emergency"
  3. Use the search box in the top-right: *password* or *recovery*
  4. No sensitive files should appear in the results

To verify your Downloads folder is clean (macOS):

  1. Open Finder and navigate to Downloads
  2. Press Command + F to search
  3. Search for files containing "password", "recovery", "backup", or "emergency"
  4. Set the search scope to "Downloads"
  5. No sensitive files should appear in the results
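As an added cross-platform check that covers both the Windows and macOS verification steps above (example code, not part of Citadel or this page), the script below applies the filename fragments listed under Step 1 to a folder and also flags small text files whose contents look like a list of backup codes. The sample Downloads folder built in demo() is constructed in a temporary directory; the thresholds in looks_like_code_list are assumptions, not Citadel's.

```python
import re
import tempfile
from pathlib import Path

# Filename fragments the control description lists. Separators ('-', '_', '.')
# are normalised to spaces, so "github-recovery-codes.txt" matches "recovery codes".
NAME_PATTERNS = ("password", "emergency kit", "backup codes", "recovery codes", "2fa codes")

# Heuristic for one line of a backup-code list: a short alphanumeric token containing
# at least one digit, optionally split by '-' or ' ' (e.g. "12345678", "a1b2c-3d4e5").
CODE_LINE = re.compile(r"^(?=.*\d)\s*[A-Za-z0-9]{4,8}(?:[- ][A-Za-z0-9]{4,8})?\s*$")


def name_is_sensitive(name: str) -> bool:
    norm = re.sub(r"[-_.]+", " ", Path(name).stem.lower())
    return any(p in norm for p in NAME_PATTERNS)


def looks_like_code_list(text: str, min_codes: int = 5) -> bool:
    # Assumed thresholds: at least min_codes code-like lines and at least half of all lines.
    lines = [l for l in text.splitlines() if l.strip()]
    hits = sum(1 for l in lines if CODE_LINE.match(l))
    return hits >= min_codes and hits * 2 >= len(lines)


def scan_folder(folder: Path, max_bytes: int = 64 * 1024) -> list[tuple[str, str]]:
    """Return (filename, reason) pairs for files that look like stored credentials."""
    findings = []
    for path in sorted(p for p in folder.rglob("*") if p.is_file()):
        if name_is_sensitive(path.name):
            findings.append((path.name, "sensitive filename"))
        elif path.suffix.lower() in {".txt", ".csv", ".md"} and path.stat().st_size <= max_bytes:
            if looks_like_code_list(path.read_text(errors="ignore")):
                findings.append((path.name, "contents look like a code list"))
    return findings


def demo() -> list[tuple[str, str]]:
    """Scan a constructed sample Downloads folder (temporary directory, not real user data)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "1Password Emergency Kit.pdf").write_bytes(b"%PDF-1.4 placeholder")
        (d / "github-recovery-codes.txt").write_text("a1b2c-3d4e5\n")
        (d / "todo.txt").write_text("\n".join(f"{n:08d}" for n in range(10)))  # 8-digit codes
        (d / "meeting notes.txt").write_text("Agenda\nDiscuss Q3 roadmap\nAction items\n")
        (d / "holiday.jpg").write_bytes(b"\xff\xd8\xff")
        return scan_folder(d)


if __name__ == "__main__":
    for name, reason in scan_folder(Path.home() / "Downloads"):
        print(f"{reason}: {name}")
```

Run it without arguments to scan your own Downloads folder; an empty output means nothing matched the name or content heuristics, which is the same outcome the manual search steps above are checking for.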