Citadel / Controls / SensitiveFiles

SensitiveFiles Control

What does this control check?

The SensitiveFiles control scans your Downloads folder for files that may contain sensitive credentials, such as password lists, backup codes, recovery codes, and emergency kits (like 1Password Emergency Kits). These files should not be stored in plaintext on your computer.

Important: Your Downloads folder is one of the least secure places on your computer. Many applications have access to it, it's often not backed up securely, and malware specifically targets this folder. Recovery codes and emergency kits are as good as passwords - if someone finds your 1Password Emergency Kit or backup codes in your Downloads folder, they can use them to gain complete access to your accounts, even if you have strong passwords and two-factor authentication enabled.

Why is this important?

🎯

High-Value Targets

Backup codes, recovery codes, and emergency kits are specifically designed to bypass normal security measures. If stolen, they give attackers complete access to your accounts.

📂

Exposed Location

The Downloads folder is easily accessible to malware, backup systems, and anyone who gains access to your computer. It's the first place attackers look for valuable information.

🔐

Bypassing 2FA

Recovery and backup codes are specifically designed to work when you've lost access to your two-factor authentication. Stolen codes completely bypass this security layer.

How to fix this

Securing Sensitive Files on Windows

Step 1: Locate the sensitive files

  1. Open File Explorer
  2. Navigate to your Downloads folder
  3. Look for files with names containing:
    • "password", "emergency kit", or "backup codes"
    • "recovery codes" or "2fa codes"
    • 1Password Emergency Kit PDFs
    • Any files containing lists of codes or credentials

Step 1b: Show hidden files

Some sensitive files may be hidden — their names start with a dot (e.g. .passwords, .backup-codes). Windows hides these by default, but they are still fully accessible to malware and attackers. Being hidden provides no security. To reveal them:

  1. Open File Explorer and navigate to Downloads
  2. On Windows 11: click ViewShowHidden items
  3. On Windows 10: click the View tab and check Hidden items
  4. Hidden files will appear, slightly greyed out
  5. Check whether any of these hidden files contain sensitive credentials

Step 2: Store codes securely

  1. For password manager emergency kits (1Password, Bitwarden, etc.):
    • Print the emergency kit and store it in a physically secure location (safe, locked drawer)
    • OR save it to an encrypted USB drive stored securely
    • Never leave it in Downloads or on your Desktop
  2. For backup/recovery codes (GitHub, Google, etc.):
    • Store them in your password manager (1Password, Bitwarden, etc.)
    • OR print them and store physically in a secure location

Step 3: Securely delete the files

  1. Select the sensitive file(s) in Downloads — including any greyed-out hidden files
  2. Press Shift + Delete to permanently delete (bypassing Recycle Bin)
  3. Click Yes to confirm permanent deletion
  4. Empty your Recycle Bin if you deleted without the Shift key
⚠️ Important notes:
  • Make sure you've stored the codes securely before deleting them
  • Never store recovery codes in regular documents or notes apps
  • If you're unsure what a file is, ask IT support before deleting
  • Consider using a password manager to securely store all backup codes

Securing Sensitive Files on macOS

Step 1: Locate the sensitive files

  1. Open Finder
  2. Click on Downloads in the sidebar
  3. Look for files with names containing:
    • "password", "emergency kit", or "backup codes"
    • "recovery codes" or "2fa codes"
    • 1Password Emergency Kit PDFs
    • Any files containing lists of codes or credentials

Step 1b: Show hidden files

Some sensitive files may be hidden — their names start with a dot (e.g. .passwords, .backup-codes). macOS hides these from Finder by default, but they are still fully accessible to malware and attackers. Being hidden provides no security. To reveal them:

  1. Open Finder and navigate to your Downloads folder
  2. Press Command + Shift + . (period)
  3. Hidden files will appear, greyed out to indicate they are normally invisible
  4. Check whether any of these hidden files contain sensitive credentials
  5. Press the same shortcut again to hide them when you are done

Step 2: Store codes securely

  1. For password manager emergency kits (1Password, Bitwarden, etc.):
    • Print the emergency kit and store it in a physically secure location (safe, locked drawer)
    • OR save it to an encrypted disk image stored securely
    • Never leave it in Downloads or on your Desktop
  2. For backup/recovery codes (GitHub, Google, etc.):
    • Store them in your password manager (1Password, Bitwarden, etc.)
    • OR print them and store physically in a secure location

Step 3: Securely delete the files

  1. Select the sensitive file(s) in Downloads — including any greyed-out hidden files
  2. Press Command + Delete to move to Trash
  3. Open Finder and select Empty Trash from the Finder menu
  4. OR press Command + Shift + Delete to empty Trash immediately
  5. Click Empty Trash to confirm
For secure deletion: Hold Command + Option while emptying Trash to securely erase files (prevents recovery).
⚠️ Important notes:
  • Make sure you've stored the codes securely before deleting them
  • Never store recovery codes in regular Notes or TextEdit documents
  • If you're unsure what a file is, ask IT support before deleting
  • Consider using a password manager to securely store all backup codes

Verifying the fix

After securing and deleting sensitive files, Citadel will automatically verify this control during its next check.

To verify your Downloads folder is clean:

  1. Open File Explorer and go to Downloads
  2. If some of the identified files are hidden, show hidden files first:
    • Windows 11: View → Show → Hidden items
    • Windows 10: View tab → check Hidden items
  3. Search for files containing "password", "recovery", "backup", or "emergency"
  4. Use the search box in the top-right: *password* or *recovery*
  5. No sensitive files — visible or hidden — should appear in the results

To verify your Downloads folder is clean:

  1. Open Finder and navigate to Downloads
  2. Press Command + Shift + . to also show hidden dot-files
  3. Press Command + F to open search
  4. Search for files containing "password", "recovery", "backup", or "emergency"
  5. Set the search scope to "Downloads"
  6. No sensitive files — visible or hidden — should appear in the results
  7. Press Command + Shift + . again to hide dot-files when done

Tip: Right-click any greyed-out hidden file and select Get Info to understand what it is before deciding whether to delete it.