Journey of improving security and account hardening

Actions I've taken to improve my security and harden my accounts

When I first learned about haveibeenpwned a couple of years ago, it put into perspective how bad my security practices were. At that time, I committed all the primary sins:

  • Reusing passwords

  • Using the same email for everything

  • Using easy-to-guess passwords

  • Not using 2FA because it was annoying

  • Thinking I'm not important enough for anyone to do anything with my information

Then I pasted my old email into haveibeenpwned and saw an extensive list of the breaches in which that email had been found.

First steps

The very first thing I did was research how to mitigate risk, which summed up to the following:

  • Stop reusing passwords, silly

  • Stop using the same email

  • Make passwords hard to guess

  • 2FA all the things!

To solve the issue of password management, I registered for LastPass and started using it as my password manager. Until one day, I lost the master password and had to start all over again. Still, the second time around LastPass was the winner again (mainly due to familiarity).

I also started cycling passwords occasionally, but without keeping a proper schedule.

The nail in the coffin

When it comes to breaches and hacking, it's not if you get breached/hacked, but when. This last LastPass breach put into perspective how (un)safe your data can be. In the end, you trust a specific company with the keys to all your accounts (and extra things if you use them to store cards and notes).

It was evident that LastPass was no longer an option, so I started looking for a replacement. At the same time, I started following the #infosec tag on Mastodon and saw a lot of great content about the LastPass breach and alternatives from Jeremi M Gosney.

Enter BitWarden

In the end, I decided to go with BitWarden for two reasons:

  • Great price for the premium plan

  • It is open source

Migrating from LastPass was easy; all you need to do is export your data. The export was easy but left a sour taste in the mouth, since it opened a new browser tab with all the data in plaintext in CSV format.

Then all that was left to do was to use the BitWarden import option to import the CSV file. Once that was done, the highly tedious task of changing ALL passwords began!

Even though the task was tedious, it was good because I could delete a bunch of accounts I was no longer interested in having.
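Since the export lands on disk as plaintext CSV anyway, it is worth auditing it once before the import and the big password-changing round. The script below is an added example, not code from the original post or from LastPass/BitWarden; it assumes the LastPass export header `url,username,password,totp,extra,name,grouping,fav` and uses constructed sample rows.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data in the LastPass CSV export layout (assumed header:
# url,username,password,totp,extra,name,grouping,fav). Not a real export.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://shop.example,alice@example.com,Summer2019!,,,Shop,Shopping,0
https://forum.example,alice@example.com,Summer2019!,,,Forum,Social,0
https://bank.example,alice@example.com,k9#Qv2!pL0z@Rw7eTb4m,,,Bank,Finance,1
https://mail.example,alice,password123,,,Mail,Email,0
"""

# Tiny illustrative denylist; a real audit would use a large breached-password list.
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein"}


def audit_export(csv_text, min_length=14):
    """Return reuse/weakness findings for a password-manager CSV export.

    Findings reference entry names only, never the passwords themselves, so the
    report can be kept after the plaintext export has been deleted.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    names_by_password = defaultdict(list)
    names_by_username = defaultdict(list)
    weak = []
    for row in rows:
        pw, name = row["password"], row["name"]
        names_by_password[pw].append(name)
        names_by_username[row["username"]].append(name)
        if len(pw) < min_length or pw.lower() in COMMON_PASSWORDS:
            weak.append(name)
    return {
        # Groups of entries sharing one password: each needs its own unique password.
        "reused": [n for n in names_by_password.values() if len(n) > 1],
        "weak": weak,
        # Usernames (emails) used on more than one site: candidates for aliases.
        "shared_usernames": {u: len(n) for u, n in names_by_username.items() if len(n) > 1},
    }


if __name__ == "__main__":
    report = audit_export(SAMPLE_EXPORT)
    for group in report["reused"]:
        print("same password reused by:", ", ".join(group))
    print("weak passwords:", ", ".join(report["weak"]))
    for user, count in report["shared_usernames"].items():
        print(f"{user} is the login on {count} sites")
```

The reuse groups give the order in which to change passwords first, and the shared-username count shows which logins are candidates for per-site email aliases; delete the CSV once the import is done.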

Account hardening

As with the first discovery of haveibeenpwned, this LastPass breach made me want to improve my security practices even further. I would have to rely on a company to help me with this task.

I've used both the email and VPN services from Proton in the past, and I like that they are both open source and focus on privacy. So relying on Proton to help me harden my accounts was a no-brainer.

Here's what I have implemented:

  • Regular password changes

  • Use email aliases for different accounts through SimpleLogin

  • Delete any account that I haven't used in the past three months

  • Declare email bankruptcy on my other email accounts

  • Create several Proton mailboxes for different purposes and use SimpleLogin aliases to route incoming email into them

  • I got a YubiKey and started using it as a 2FA alternative

There are a lot of things that I could do to harden my accounts even further. Please share your thoughts and ideas!