BlockMyself - Recovery Audit

The real bypass is often recovery

Filters fail when the daily user can recover the parent account, reset the passcode, find a backup code, or regain admin. Use this audit before handing control to a trusted person.

List every device, account, router, DNS provider, password manager, and blocker involved.
For each item, ask: "How would I undo this if I wanted to bypass tonight?"
Move that recovery path to the trusted person or remove it from your access.
Do not keep screenshots, printed copies, exported vaults, or backup codes unless they are controlled by the trusted person.
After handoff, run the account and reset sections of Test your setup.

Recovery inventory

Copy this into a note, spreadsheet, or the printable handoff worksheet.

Category	Look for	Move or clean up
Apple	Apple Account password, trusted phone numbers, recovery contact, Screen Time passcode recovery, iCloud Keychain, device passcode, Family Sharing organizer account.	Trusted person controls Screen Time passcode and Apple recovery paths used to reset it.
Google	Family Link parent account, recovery email, recovery phone, backup codes, Google Password Manager, secondary Google accounts, Chrome profiles.	Trusted person controls parent account credentials and recovery. Remove extra accounts from managed devices.
Microsoft	Family Safety organizer account, Microsoft account recovery, Windows Hello PIN, local admin accounts, BitLocker recovery keys.	Trusted person controls organizer and admin credentials. Recovery keys are stored off the daily account.
Router and DNS	Router admin password, ISP account, Wi-Fi mesh app, DNS dashboard, Pi-hole, AdGuard Home, NextDNS, OpenDNS, CleanBrowsing, Cloudflare account.	Trusted person owns the admin login and recovery email. Daily user should not have dashboard access.
Password managers	1Password emergency kit, Bitwarden recovery, iCloud Keychain, Chrome passwords, exported CSV files, shared vaults, browser autofill.	Remove blocker/admin credentials from your vault or move them to a trusted-person vault.
Local files	Notes, screenshots, photos, downloads, email attachments, printed pages, old text messages, cloud-drive docs.	Search and delete your copies after the trusted person has the required emergency information.
Device reset	Factory reset, Powerwash, recovery mode, external boot, BIOS/UEFI, macOS recovery, installer USB, MDM removal.	Use device management, account ownership, disk encryption, physical controls, and trusted-person recovery.
Third-party blockers	Admin dashboards, uninstall passwords, emergency bypass links, license account, support email, recovery codes.	Trusted person owns the account and recovery email. Daily user should not hold the bypass code.

Where to search for hidden recovery copies

Search terms

password, passcode, recovery, backup code, router, admin
Screen Time, Family Link, Family Safety, BitLocker, FileVault
NextDNS, OpenDNS, CleanBrowsing, AdGuard, Pi-hole

Places to check

Password manager, browser password manager, iCloud Keychain, Google Password Manager.
Notes, Photos, screenshots, downloads, desktop files, cloud drive, printed papers.
Email, messages, saved chats, old setup guides, router labels, ISP portal.
Backup drives, old phones, old laptops, exported password CSV files.

Apple audit

Identify who knows the Screen Time passcode.
Identify which Apple Account can reset or recover Screen Time settings.
Check whether that Apple Account password is saved in iCloud Keychain, Safari, Chrome, Notes, or a password manager.
Check trusted phone numbers and recovery contacts.
Check whether the daily user can change account settings, passcode settings, cellular data settings, VPN profiles, or device-management profiles.
For Mac, check whether the daily user is an administrator and whether they can access FileVault recovery keys.
Move the relevant password, passcode, and recovery paths to the trusted person.

Google and Android audit

Identify the Family Link parent account.
Check whether the parent account password is saved on the managed device.
Check recovery email, recovery phone, and backup codes.
Remove secondary Google Accounts that can install apps or change settings.
Check Chrome profiles on Windows, Mac, Linux, Android, and Chromebook.
On Chromebook, confirm the owner account is not the daily user's uncontrolled account.
Move parent-account and owner-account recovery to the trusted person.

Microsoft and Windows audit

Identify the Microsoft Family Safety organizer account.
Check whether the organizer password is saved in Edge, Chrome, Windows Credential Manager, or a password manager.
Check recovery email, recovery phone, and backup codes.
List every local administrator account.
Confirm the daily user is a standard user.
Find where BitLocker recovery keys are stored.
Move organizer, administrator, and recovery-key control to the trusted person if you need lockout.

Router, DNS, and network audit

List the router, modem, mesh system, ISP account, and DNS/filtering provider.
Find who controls the router admin login and recovery email.
Find who controls the ISP account used to reset equipment or change network settings.
Find who controls the DNS dashboard or local resolver admin page.
Check whether the router has a physical reset button that is easy to access.
Check whether guest networks, extra SSIDs, IPv6, or mobile hotspots bypass the filter.
Move admin and recovery control to the trusted person.

Handoff decision

Finding	Action
You know the passcode or password.	Change it with the trusted person present; do not learn the new one.
You can recover the account by email or phone.	Move recovery email/phone or add a trusted-person recovery path where appropriate.
You have backup codes.	Regenerate or transfer them so the trusted person holds the current codes.
You have admin/root access.	Create a standard daily account and let the trusted person hold admin/root credentials.
You can reset the device.	Use device management, ownership controls, recovery-key handoff, or network-level enforcement.