When I first learned about haveibeenpwned a couple of years ago, it put into perspective how bad my security practices were. At that time, I committed all the primary sins:
Using the same email for everything
Using easy-to-guess passwords
Not using 2FA because it was annoying
Thinking I'm not important enough for anyone to do anything with my information
Then I pasted my old email into haveibeenpwned and saw an extensive list of how many times that email was found.
The very first thing I did was research how to mitigate risk, which summed up to the following:
Stop reusing passwords, silly
Stop using the same email
Make passwords hard to guess
2FA all the things!
To solve the issue of password management, I registered for LastPass and started using it as my password manager. Until one day, I lost the master password and had to start all over again. Still, the second time LastPass was the winner again (mainly due to familiarity).
I've also occasionally cycled passwords, but without keeping a proper schedule.
The nail in the coffin
When it comes to breaches and hacking, it's not if you get breached/hacked, but when. This last LastPass breach put into perspective how (un)safe your data can be. In the end, you trust a specific company with the keys to all your accounts (and extra things if you use them to store cards and notes).
It was evident that LastPass wasn't an option anymore, so I started looking for a replacement. At the same time, I started following the #infosec tag on Mastodon and saw a lot of great content about the LastPass breach and alternatives from Jeremi M Gosney.
In the end, I decided to go with BitWarden for two reasons:
Great price for the premium plan
It is open source
Migrating from LastPass was easy; all you need to do is export your data. The export was easy but left a sour taste in my mouth, since it opened a new browser tab with all the data in plaintext in CSV format.
Then all that was left to do was to use the BitWarden import option to import the CSV file. Once that was done, the highly tedious task of changing ALL passwords began!
Even though the task was tedious, it was good because I could delete a bunch of accounts I was no longer interested in having.
As with the first discovery of haveibeenpwned, this LastPass breach made me want to improve my security practices even more. I would have to rely on a company to help me with this task.
I've used both the email and VPN services from Proton in the past, and I like that they are both open source and focused on privacy. I was going to rely on Proton to help me harden my accounts, so it was a no-brainer.
Here's what I have implemented:
Regular password changes
Use email aliases for different accounts through SimpleLogin
Delete any account that I haven't used in the past three months
Declare email bankruptcy on my other emails
Create several different Proton email addresses for different purposes and use SimpleLogin to route email into them through aliases
I got a YubiKey and started using it as a 2FA alternative
There are a lot of things that I could do to harden my accounts even further. Please share your thoughts and ideas!