Hi Everyone! I just signed up here and I really like the repulsiveness of this forum.
I recently had a hack on my social media (please see my other recent post), which made me think about completely upgrading my security strategy for the next 10 years, but I am thinking maybe I am creating a usability nightmare for myself.
So the question is: how to be safe while still having usable, fast to access apps on a daily basis?
I would appreciate everyone's advice on my strategy.
What was my OLD setup:
- Gmail for emails and a lot in the Google ecosystem (Docs, Drive, Google logins here and there). I have had the same Google email for many years.
- I had the same phone number for more than 10 years, associated with most accounts. There have been some minor leaks of this number (according to haveibeenpwned, a Facebook leak, and theoretically a portion of the number (not the complete number) was also leaked from a crypto exchange recently; anyway, I don't hold a lot of crypto in exchanges and they all have authenticator 2FA regardless).
- Most of my passwords are semi-unique. Meaning they are made of a combination of variables that are easy for me to remember, but they change for almost every site. If someone saw only one of my passwords they would probably not guess the others. But if someone could see all my passwords they would probably figure out the pattern, as it's made in such a way that I can remember them myself.
- Of all my legacy passwords, only one has been publicly leaked and pasted, but I changed that password on almost every site a LONG time ago. We are talking like 10 years ago. However, someone could theoretically have logged in somewhere and gotten enough info to doxx me. I mean, based on old leaks, someone could theoretically have got my email, old password, full name, and maybe country of citizenship, and at most phone number, based on some old KYC requirements. But that's about it.
- I have Google Authenticator 2FA on most of my social media and financial accounts, but it gets tedious to scroll through the long list in the Google Authenticator app (which does not have search! crazy from a search company).
- My recent social media hack was on one of the very few accounts that had no 2FA and had an old password (not publicly leaked, and almost unique, but this password is 5-10 years old). I still think it is quite impossible to guess that password, given it was not leaked and it was not something easy to guess.
What are my plans for my NEW setup, and the problems I am facing in real life:
1- Move everything from Gmail to Proton. I already paid for their 2 year plan and used their easy import tool (it is taking several days to move everything and is still in progress). However, the first problem I notice: the Android app for Proton is painfully slow! I took for granted how fast Gmail is. I open and close it in the blink of an eye. To the point that I am constantly sending emails to myself as reminders, notes to self, etc. Also, looking for something like an old PDF to forward to someone in Gmail is blazing fast. Proton seems to be painfully slow (I have over 20 GB of data in Gmail alone). I am starting to think using Proton will be a huge downgrade in usability. Or maybe this is just because the import process is not complete yet? (It has been in progress for several days now.) Anyway, if it will be so slow I am seriously considering going back to Gmail. The question is: how bad is it to use Gmail, if I am using 2FA anyway? I might as well just create a new Gmail address for logins and replace my old one. Except for a scenario of a government breach (which would not be possible in Proton), I don't see much benefit in using Proton over Gmail?
2- Use SimpleLogin and create a new login address for each website, or at least for each category of website (socials, finance, etc.). This seems valuable, as a hacker who stole credentials for one website would not be able to know I even have an account on another website, as the email for login is totally different, and it would also prevent my main email account from being targeted for hacks. But I might as well also use Gmail aliases, or secondary Gmail accounts which forward to my main Gmail account. And the result would be the same, but with the added usability of Gmail? Please correct me if I am wrong, as I want to make sure I am not doing unnecessary stuff which will just make my usability poor.
3- Email people anonymously instead of giving out my main email account. I can do this again with SimpleLogin, but creating reverse aliases to email someone seems to be a usability nightmare, as I am often on the go with my phone and need to send a quick email. I don't have time to be logging into 2 websites (first SimpleLogin to create a reverse alias, then log into Proton Mail on my phone, then send). That would take 2 seconds in Gmail. Or I could just use a secondary Gmail account for emailing strangers and people in general. I would love advice on whether I am missing something here. Or I could use one of the 15 included aliases in Proton as well. But that would not protect me from my main account being targeted for hacking, as the aliases in Proton can be used to log in to the main account. (But a separate Gmail could do the trick with forwarding, as they are not really aliases.)
4- Use a password manager (this is long overdue, I should have done it before). Now there is a big question about usability. I am trying NordPass because they had a cheap subscription and good reviews. I like that they also track ALL emails for breaches, even if I have multiple logins for different websites. Competitors like 1Password only track one email (in my case, the 1Password registration email is not the same one I use for websites, so it's useless!). However: 1Password offers the possibility to add 2FA keys into the password manager. I am on the fence about this: usability would be great, as it's one less thing I have to worry about and I can do autocomplete! However, putting all eggs in one basket can be risky. Does anyone have any takes on this? Would you recommend 1Password for this use case?
5- Change my number. This will be a pain also, as my old number is associated with so many things. However, I just got a new number and moved my old number to Google Voice. That way I can still receive texts (banking alerts or 2FA if necessary) on my old number in Google Voice, and gradually start the painful process of moving all logins to my new number. The question here would be: should I just keep my old number public? Meaning all my friends would know my old number, and my real number would be used for logins and nothing more. Is this a good strategy? Or does anyone have a better one? Please keep usability in mind when giving recommendations.
Important thing to note: I am not a desktop guy. I am always on the go; I work mostly on my phone and laptop. I do not have time to go through a super long process just to send a basic email or do a basic login. So I want to make my usability life manageable while still being as hack-proof as possible for the next 10 years.
Obviously this is a big change for me, so I want to make sure I am taking steps in the right direction and not creating an unnecessary headache for myself.
Which of the steps above are useless or can just be avoided? And which steps am I missing?
Thanks for the recommendations!