Please advise! My new setup, upgrading security, without having a usability nightmare?

Hi Everyone! I just signed up here and i really like the repulsiveness of this forum.

I recently had a hack on my social media (please see my other recent post), which made me think about completely upgrading my security strategy for the next 10 years, but I am thinking maybe I am creating a usability nightmare for myself.
So the question is: how to be safe while still having usable, fast-to-access apps on a daily basis?

I would appreciate everyone's advice on my strategy.

What was my OLD setup:

  • Gmail for emails and a lot in the Google ecosystem (Docs, Drive, Google logins here and there). I have had the same Google email for many years.
  • I have had the same phone number for more than 10 years, associated with most accounts. There have been some minor leaks of this number (according to haveibeenpwned, a Facebook leak, and theoretically a portion of the number, not the complete one, was also leaked from a crypto exchange recently; anyway, I don't hold a lot of crypto in exchanges and they all have authenticator 2FA regardless).
  • Most of my passwords are semi-unique. Meaning they are made of a combination of variables that are easy for me to remember, but they change for almost every site. If someone saw only 1 of my passwords they would probably not guess the others. But if someone could see all my passwords they would probably figure out the pattern, as it's made in such a way that I can remember them myself.
  • Of all my legacy passwords, only 1 has been publicly leaked and pasted, but I changed that password on almost every site a LONG time ago. We are talking like 10 years ago. However, someone could theoretically have logged in somewhere and gotten enough info to doxx me. I mean, based on old leaks, someone could theoretically have got my email, old password, full name, and maybe country of citizenship, and at most phone number, based on some old KYC requirements. But that's about it.
  • I have Google Authenticator 2FA on most of my social media and financial accounts, but it gets tedious to scroll through the long list in the Google Authenticator app (which does not have search! crazy from a search company).
  • My recent social media hack was on one of the very few accounts which had no 2FA and which had an old password (not publicly leaked, and almost unique, but this password is 5-10 years old). I still think it is quite impossible to guess that password, given it was not leaked and it was not something easy to guess.

What are my plans for my NEW setup, and the problems I am facing in real life:

1- Move everything from Gmail to Proton. I already paid for their 2 year plan and use their easy import tool (it is taking several days to move everything and is still in progress). However, the first problem I notice: the Android app for Proton is painfully slow! I took for granted how fast Gmail is. I open and close it in the blink of an eye. To the point that I am constantly sending emails to myself as reminders, notes to self, etc. Also, looking for something like an old PDF to forward to someone on Gmail is blazing fast. Proton seems to be painfully slow (I have over 20 GB of data in Gmail alone). I am starting to think using Proton will be a huge downgrade in usability. Or maybe this is just because the import process is not complete yet? (It has been in progress for several days now.) Anyway, if it will be so slow I am seriously considering going back to Gmail. The question is: how bad is it to use Gmail, if I am using 2FA anyway? I might as well just create a new Gmail address for logins and replace my old one. Except for a scenario of a government breach (which would not be possible in Proton), I don't see much benefit of using Proton over Gmail?

2- Use SimpleLogin and create a new login address for each website, or at least for each category of website (socials, finance, etc.). This seems valuable, as a hacker who stole credentials for 1 website would not be able to know I even have an account on another website, as the email for login is totally different, and it would also prevent my main email account from being targeted for hacks. But I might as well also use Gmail aliases, or secondary Gmail accounts which forward to my main Gmail account. And the result would be the same but with the added usability of Gmail? Please correct me if I am wrong, as I want to make sure I am not doing unnecessary stuff which will just make my usability poor.

3- Email people anonymously instead of giving out my main email account. I can do this again with SimpleLogin, but creating reverse aliases to email someone seems to be a usability nightmare, as I am often on the go with my phone and need to send a quick email. I don't have time to be logging into 2 websites (first SimpleLogin to create a reverse alias, then log into Proton Mail on my phone, then send). That would take 2 seconds in Gmail. Or I could again just use a secondary Gmail account for emailing strangers and people in general. I would love advice on whether I am missing something here. Or I could use one of the 15 included aliases in Proton as well. But that would not protect me from my main account being targeted for hacking, as the aliases in Proton can be used to log in to the main account. (But a separate Gmail could do the trick with forwarding, as they are not really aliases.)

4- Use a password manager (this is long overdue; I should have done it before). Now there is a big question about usability. I am trying NordPass because they had a cheap subscription and good reviews. I like that they also track ALL emails for breaches, even if I have multiple logins for different websites. Competitors like 1Password only track 1 email (in my case, the 1Password registration email is not the same one I use for websites, so it's useless!). However, 1Password offers the possibility to add 2FA keys into the password manager. I am on the fence about this: usability would be great, as it's 1 less thing I have to worry about and I can do autocomplete! However, putting all eggs in 1 basket can be risky. Does anyone have any takes on this? Would you recommend 1Password for this use case?

5- Change my number. This will also be a pain, as my old number is associated with so many things. However, I just got a new number and moved my old number to Google Voice. That way I can still receive texts (banking alerts or 2FA if necessary) on my old number in Google Voice, and gradually start the painful process of moving all logins to my new number. The question here would be: should I just keep my old number as the public one? Meaning all my friends would know my old number, and my real number would be used for logins and nothing more. Is this a good strategy? Or does anyone have a better one? Please keep usability in mind when giving recommendations.

Important thing to note: I am not a desktop guy. I am always on the go; I work mostly on my phone and laptop. I do not have time to go through a super long process just to send a basic email or do a basic login. So I want to make my usability life manageable while still being as hack-proof as possible for the next 10 years.

Obviously this is a big change for me, so I want to make sure I am taking steps in the right direction and not creating an unnecessary headache for myself.

Which of the steps above are useless, or which can I just avoid? And which steps am I missing?

Thanks for the recommendations!

Google is quite good in terms of security. If you want privacy you probably should switch I guess. Not really necessary if you are looking for security benefits.

Use Aegis.

Turn on Google’s advanced account protection at Advanced Protection Program

Use Yubikey instead. You will require this for gaap too. But if you are using password manager then use KeepassXC. Use Argon2 or scrypt to encrypt your passwords.

Also use Windows or ChromeOS on your desktop. On laptop use ChromeOS or Mac.

Use Edge or Chrome on those platforms.

I am a SimpleLogin user and IMHO it is not that complex to use reverse-aliases.

You just give out your alias (for example, test_test@simplelogin.io) and when you want to reply to an email that you receive at that address you simply reply, and it will show to the sender as coming from test_test@simplelogin.io. You don't even need to create a reverse-alias.

If you want to send an email to somebody, just go into the ‘Contacts’ section of the alias you want to send from, enter their email address, copy the reverse-alias, and then send your email to the reverse-alias and it will appear to the receiver that the email is coming from test_test@simplelogin.io not the reverse-alias.

Hope this helps make reverse-aliases a little less complex :grinning:

If you are really concerned about putting 'all eggs in one basket' with your password manager, you can have a word that you add to the end of each password when entering it into the service but don't put into the password manager. For example:

I randomly generate Password123, and that is what the password manager stores, but on the website/service I enter Password123-word. This means that even if someone gains access to your unlocked password manager on your device, they can't log in to the service, as the password in the password manager isn't complete.

Most password managers will use client-side encryption and zero-knowledge encryption, so they don't even have access to your passwords in the first place.

I would recommend Bitwarden, as they are open-source, well trusted and have a good track record (as far as I know). They also have the 'Track ALL breaches' feature.

In summary:
As long as you use a well-trusted password manager that uses zero-knowledge encryption (and is preferably open-source) you don't need to worry about putting 'all eggs in one basket', but do whatever works best for you :grinning:

2 Likes

This is most likely the fact that all your emails are being imported. When I imported my emails I got a warning that said something along the lines of, ‘Email loading will be slower’. If you have 20GB of emails it will most likely be slowing down Proton Mail a lot.

If once the import is over it is still slow, then you should contact support. If you still don’t have a solution then Proton Mail might not work for you. You could also import it in smaller chunks using the Proton Mail Import-Export App (Guide)

This is also what attracts me to new things.

From what I see about Bitwarden, they are based in California and are forced to give personal data to the government (I saw this in some reviews), which made me a bit hesitant.

I think for now I will stay with the regular solution of a normal password manager (which I paid for with crypto to make myself anonymous) + a separate open source 2FA app.

I thought about adding a salt at the end of the password and having everything in 1 basket, but then it kills the simplicity and I might as well stay with the setup mentioned above.

Thank you! The import is already finished and now Proton is MUCH faster!

1 Like

Hahahah OMG I meant the "RESPONSIVENESS", sorry about that :D

What the fuck? Edge, Chrome, Windows? Wow.

Security is OP's priority, not privacy.

I recommend you read through the whole thing before making these attacks.

If you want, you can self-host Bitwarden. This will eliminate most of the trust in Bitwarden, as you host the server.

Plus, all your passwords are encrypted with zero-knowledge encryption and Bitwarden applications are open-source, therefore, Bitwarden can’t see your passwords nor can the government.

1 Like

Did not see a response addressing your phone number change. I just responded to a different comment about why I maintain a Gmail account. Maintaining a phone number follows the same model.

I never lost my contacts and used a password manager for years. So I had thousands of contacts and about 400 accounts. It has taken a while to edit these accounts, falsifying required fields, verifying the changes and then deleting the accounts. I try to average one a day.

I intend to maintain the email addresses until there is no PII associated with them. It is easy for someone to see my PII with an old email account and then check whether that email address is available to create a new account.