Feeling overwhelmed

It all started with me wanting to ditch Gmail. I went down a rabbit hole of finding the best email provider alternative for me and discovered email aliasing services. I’m not 100% sure of my decisions and I don’t know how reliable my new services are, so I decided to go with a custom domain; that way I can change/re-route everything if needed.

So I set up SimpleLogin with the goal of using a different email for each service. But since I use my own domain, I didn’t want to have the name of the service (e.g. privacyguides) in the alias. So I went for totally random aliases.

But I must tell you, this does NOT spark joy. I only migrated 12 emails so far and I’m already overwhelmed by the sight of all these meaningless, random character-sequence emails. What will it be like for my ~800 accounts in my password manager?

Another worry hit me: what if I lose access to my password manager? Then I can’t even use the password reset feature, since I won’t even know what my email is! And I’m not certain I have all the records in SimpleLogin since I’m using catch-all.

Also, I feel like using an aliasing service widens my attack surface? I wouldn’t want to use it for sensitive accounts. What if someone succeeds in silently plugging themselves into SimpleLogin and also receives or intercepts all my emails?

So now I’m reconsidering my choice of using a different email for each service and of using an aliasing service at all. I like to keep things tidy, so having a predefined list of aliases for dedicated purposes (bank, newsletters, etc.) sounds like a better match for my sanity.

I thought a bit more about my threat model:

  1. What do I want to protect?
    • Documents storage
    • Photos
    • Recovery email
    • PII
  2. Who do I want to protect it from?
    • Documents storage → malicious access, lost
    • Photos → malicious access, lost, AI training
    • Recovery email → malicious access, lost
    • PII → data breaches, reselling, profiling
  3. How likely is it that I will need to protect it?
    • I don’t know, it all depends on the security of what I’m using.
  4. How bad are the consequences if I fail?
    • It’s not life or death, but I would be pretty devastated since I will lose a big part of my life.
  5. How much trouble am I willing to go through to try to prevent potential consequences?
    • Big for things I don’t want to lose or have maliciously accessed. For the rest, moderate. I also have other things I value, like favouring non-profit, European or open source options.

Sorry if this was long, I guess I just wanted to share my experience. Also I would gladly take any suggestions you have.

You should have at least three encrypted backups of your passwords, plus a physical paper copy of the master password stored somewhere safe. And I think using a custom domain is a bad idea unless it’s for a business. So for personal use, don’t bother with a custom domain.

Everyone has a different policy on aliasing and alias naming. Some do servicename+salt like twitter.8462@, some do servicename+category+salt like amazon.shopping.3865@, some do totally random garbled strings like zf73hf9@, some do pronounceable words like noisytree@, etc. There’s really no right or wrong there; it’s up to your personal preferences.

That’s really a risk for literally every password manager user, but it’s still not a good reason to avoid using a password manager altogether. You do everything in your power to keep that risk to a minimum, like having an emergency sheet, doing weekly/monthly local backups, following the 3-2-1 backup policy, etc.

That’s the generic risk for every cloud email provider, since it’s someone else handling the mail on your behalf. Not even unique to SL. You’d be having that risk with every mail provider out there: Gmail, Yahoo, Proton, Tuta, SL, addy, etc. Unless you self-host your mail yourself, which is easier said than done.

If you’re looking for perfection, it really doesn’t exist though. Everyone will have a different setup and a different policy on how they tackle security and/or privacy, depending on their own needs and threat model. Take it slow so as not to be overwhelmed.

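The four naming conventions listed above (servicename+salt, servicename+category+salt, random garble, pronounceable words), written out as a small generator with a local alias-to-service registry. This is an added example, not SimpleLogin’s or any project’s code. The domain example.com, the 4-digit salt, the consonant/vowel alphabets and the HMAC-derived salt (which lets you recompute a service’s alias from a secret, the worry raised in the opening post about not knowing your own email) are my assumptions:

```python
"""Alias naming conventions from the thread, as a generator plus a local registry.
Added example, not SimpleLogin's code.  example.com, the 4-digit salt length and the
HMAC-derived salt are assumptions made for this example."""
import hashlib
import hmac
import random
import re
import secrets
from typing import Dict, List, Optional

DOMAIN = "example.com"  # assumption: replace with the custom domain you own
DIGITS = "0123456789"
LOWER_ALNUM = "abcdefghijklmnopqrstuvwxyz0123456789"
CONSONANTS = "bcdfghjklmnprstvz"
VOWELS = "aeiou"
ALIAS_RE = re.compile(r"^[a-z0-9]+(?:\.[a-z0-9]+)*@[a-z0-9.-]+$")


def _chooser(rng: Optional[random.Random]):
    # secrets.choice for real use; a seeded random.Random only for reproducible tests
    return rng.choice if rng is not None else secrets.choice


def random_salt(length: int = 4, rng: Optional[random.Random] = None) -> str:
    """Digit salt, as in twitter.8462@."""
    pick = _chooser(rng)
    return "".join(pick(DIGITS) for _ in range(length))


def derived_salt(secret: bytes, service: str, length: int = 4) -> str:
    """Deterministic salt: HMAC-SHA256(secret, service) reduced to `length` digits.
    Knowing the secret lets you recompute the alias for a service without the
    password manager.  Keep the secret on the emergency sheet, not in the vault."""
    digest = hmac.new(secret, service.lower().encode(), hashlib.sha256).digest()
    return str(int.from_bytes(digest[:8], "big") % 10 ** length).zfill(length)


def service_alias(service: str, salt: str, category: Optional[str] = None,
                  domain: str = DOMAIN) -> str:
    """servicename+salt or servicename+category+salt, e.g. amazon.shopping.3865@."""
    parts = [service.lower()] + ([category.lower()] if category else []) + [salt]
    return ".".join(parts) + "@" + domain


def random_alias(length: int = 7, rng: Optional[random.Random] = None,
                 domain: str = DOMAIN) -> str:
    """Totally random local part, e.g. zf73hf9@."""
    pick = _chooser(rng)
    return "".join(pick(LOWER_ALNUM) for _ in range(length)) + "@" + domain


def pronounceable_alias(words: int = 2, syllables: int = 2,
                        rng: Optional[random.Random] = None,
                        domain: str = DOMAIN) -> str:
    """Consonant-vowel syllables: easier to read aloud than random garble."""
    pick = _chooser(rng)

    def word() -> str:
        return "".join(pick(CONSONANTS) + pick(VOWELS) for _ in range(syllables))

    return "".join(word() for _ in range(words)) + "@" + domain


class AliasRegistry:
    """Local alias -> service map: the piece that keeps random aliases from becoming
    meaningless.  Back it up together with the password manager vault."""

    def __init__(self) -> None:
        self._by_alias: Dict[str, str] = {}
        self._by_service: Dict[str, List[str]] = {}

    def register(self, service: str, alias: str) -> None:
        if not ALIAS_RE.match(alias):
            raise ValueError(f"malformed alias: {alias}")
        if alias in self._by_alias:
            raise ValueError(f"alias already in use: {alias}")
        self._by_alias[alias] = service
        self._by_service.setdefault(service, []).append(alias)

    def service_for(self, alias: str) -> Optional[str]:
        return self._by_alias.get(alias)

    def aliases_for(self, service: str) -> List[str]:
        return list(self._by_service.get(service, []))

    def export_lines(self) -> List[str]:
        """Plain tab-separated lines, suitable for printing onto an emergency sheet."""
        return sorted(f"{alias}\t{service}" for alias, service in self._by_alias.items())


if __name__ == "__main__":
    reg = AliasRegistry()
    reg.register("twitter", service_alias("twitter", random_salt()))
    reg.register("amazon", service_alias("amazon", random_salt(), category="shopping"))
    reg.register("forum", random_alias())
    reg.register("newsletters", pronounceable_alias())
    print("\n".join(reg.export_lines()))
```

The registry is the part that matters for the overwhelm described in the thread: whichever convention you pick, a plain-text export kept with the vault backup means an alias can always be traced back to its service without logging in anywhere. The HMAC-derived salt trades a little randomness for recoverability; it does not weaken anything as long as the secret stays off the accounts it protects.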

You may be overwhelmed by the ~800 accounts in your password manager. Not great advice maybe, but I suggest reducing the number of accounts as much as you can. I don’t think there is an optimum number, we all live different lives, but ~800 seems too many.

Given your password manager is your gateway to all the accounts, like @Blackbird suggested, you should maintain multiple ways for you (and only you) to retrieve your password database, else you risk losing all the accounts. I forgot where I read this, but: 2 or more copies, using 2 or more storage media/methods, kept in 2 or more physical locations.


You shared a lot but I’ll give you my two cents and some context for you to take it as you wish.

Wow. Didn’t know anyone could have that many legitimate accounts they use regularly. Perhaps look into curtailing those - do you really need all of them? That’s what I asked myself when I was detoxing my online presence and activity and moving towards digital minimalism.

That should have come to mind well before. But here’s the thing - all you need to do is pick the right tool/app/password manager and choose a secure password you’ll remember like your name (in that you can never forget it, like your name, but not your name as your password). Ideally, choose a password not associated with you or your life in any way. It’s also best practice to always and regularly back up your vault to keep it safe, if you know how.

This is an irrational fear if you ask me and is not grounded in any sound logic. I think you’re developing hypochondria with this privacy stuff if this is the kind of thinking you have. It does not widen the attack surface and it would be impossible for anyone to know what your alias email is for any particular account unless they have access to your password manager in full. Using a secure password with 2FA should prevent these issues and consequently your concerns.

You should do what’s best for you as you see fit but I would not recommend using the same alias for multiple accounts.

For all the other details you’ve shared, I recommend following Privacy Guides and their recommendations for tools and apps you should use and how to harden them when you can. For most and even some high threat models, this is enough. I think you’re making yourself overwhelmed for reasons not grounded. This is not to say I am disparaging your concerns, but that’s what it feels/appears like from an outside perspective.

Also, if you’re still learning about all this privacy and security - don’t do it all at once. This stuff takes time. Learn and try and improve things at your own pace. Not everything needs to happen on day or week 1. This is a marathon you run and maintain. Not a sprint where you tire yourself out and quit improving your digital life at all.

Hope this helps.

As the advice given by the other members is enough, I am going to share my (unfinished) privacy journey with you, to try to show you how long it can be and why you don’t need to worry that much or be overwhelmed by it:

The first thing I did was purchase Proton Unlimited for two years (which I now completely regret, but well, that’s another story) and begin looking at my 4 Gmail addresses. In the end, I had 200 accounts more or less. I was also impressed because I had accounts I did not know about! So I decided to make a filter.

Of the 200 accounts, I decided I just needed 80 or so, so I ditched 120 accounts. I logged in to all those 120 accounts and contacted the support team to delete all the data (a GDPR request too, but they probably didn’t care). While I was doing that, I set up SL with PPass for the accounts I needed, configured a VPN, set up drives and backups, OTPs…

After 7 or 8 months I think I finished configuring all of the above (maybe I was slow, but there’s not so much free time for me).

I decided to make sure that none of the ditched accounts was accessible (I was unable to log in to any of them, so I guess they were deleted, or deactivated in the best case).

After that, I started studying and reading more and more about privacy and security (PGP on emails, Linux (I used Windows all my life)…) and continued making changes, step by step (ditching WhatsApp was a hard step until I convinced all my close people with my arguments and communication alternatives: Signal, phone calls…).

What I am trying to say to you is: take it slow, take it easy. Do it step by step and keep progressing. Everything you do in favor of privacy will be an improvement.

In my case, after two years, I am still learning and applying privacy and security improvements in my life: some of them because I did not know, some because they are new, some because I did not have enough time in the past.

For example, this year I switched from a cloud storage provider to a local storage provider and from a cloud password manager to a local password manager. And currently I want to switch from ProtonMail to one with IMAP to be able to use my PGP keys and email clients 🙂 (probably not a big improvement in privacy, but a small step I want to take).


Don’t do this. Use your own domain for services that do not accept alias emails and services connected to your identity. Having hundreds of randomly generated emails is just as messy as not using an alias service at all.

Consider the 3-2-1 rule. You should have multiple places where you can find ways to access your PW manager. For example I have my recovery codes in a physical vault, and an encrypted thumb drive if I lose access to my PW manager.

SimpleLogin has been audited in the past. I know this does not alleviate that fear but it is widely considered a secure service.

I’ll just start by saying that what you are feeling is perfectly normal, and I would say that everyone who becomes aware of privacy issues today and starts to put some privacy measures in place goes through the exact same feelings that you’re having. For anyone to sit there and say otherwise is more than likely not being honest. You hit the nail on the head when you said you went down the rabbit hole. It really is a rabbit hole and it literally is never ending. There is NO PERFECT solution unless you consider shutting down all of your accounts, not using the Internet anymore, moving off grid and living off the land. That’s not really an option for most people, in my opinion.

The best thing that I read was you need to set out a plan of attack and chip away at it. Set small goals for each task. If your list is 10 tasks long, aim for the first one and break that down into smaller “checkpoints”, and once you get to a checkpoint, take a break. Go on about your business and get used to the new changes that you’ve put in place. Don’t even think about 800 emails. Start with a single email for a single thing. For example, switching your email over just for your bank accounts. Get used to using the email for that and don’t worry about the other ones until you get a handle on the banking. Then move on to another service. See if the system that you’re thinking of using for the banking becomes easier to use. Remember, you’re implementing a completely new system and it’s going to take time to get used to, and it’s going to take more time to set it all up. Do it in stages. When you get comfortable with something, then add something else.

It will be hard for me or anyone else to tell you what you should do. People can give you some ideas, but even if someone tells you their exact system and writes everything out for you in steps that even a kindergarten class could follow, it doesn’t mean that system will work for you. Even with the clearest instructions in the world, there are still going to be questions, and everyone can have totally different answers and ways of handling the situation. I hate saying this term, but there really is no better way to say it: everyone’s “threat model” is going to be different. You might be focusing on email right now and the next guy is focusing on their browser, worrying about fingerprinting. You might give two shits and a fuck about browser privacy.

Bottom line is: don’t burn yourself out and stress over something like you’ll never be able to implement it and have it “perfect”. It’s literally an ongoing “war” and will always be changing and adapting.


Just wanted to say I was where you are two months ago. It seemed like an insurmountable mountain.

First off, just know, privacy is a journey not a destination. You will develop good hygiene habits that will help keep you safe the most. Here are some changes I made.

0 switched to Brave browser and DuckDuckGo search, or something that doesn’t log, etc.

1 got Pixel phones with GrapheneOS

2 got rid of Google cloud for an encrypted cloud like pCloud or Tresorit

3 switched to YubiKey passkeys for logins etc. (make sure to have a second backup key for a safety deposit box or house safe, etc.)

4 deleted my unused Gmails and Google cloud, Gboard, etc.

5 got a VPN with Mullvad for all my PCs and devices

6 turned off all auto-login and PC and cell phone passkeys and always require login. (This is a big one: you have no idea what devices are still in your Gmail account list.)

7 get a Proton Mail account or similar and generate an alias to use with it. Try not to put in your personal info if you can avoid it.

8 optional - pay for VPN with Monero

9 optional for PC: set up a startup script to randomize your MAC address. GrapheneOS does this for you on your phone.

Other than that, just start practicing good hygiene like keeping Bluetooth, mic and camera always disabled unless you need them. GrapheneOS helps with that. Password keepers are gonna be necessary for strong passwords, but just make sure you lock it down with its own strong password and memorize it. Every site a different password.

Also get rid of cell phone text for 2FA if you can. That’s where the YubiKey and YubiKey Authenticator come in key. Pun intended.

As I said it’s a journey not a destination. You want to leave less and less a personal footprint as time goes on. Always decline password saving. Always decline cookies etc.

MOST IMPORTANT: DON’T CROSS THE STREAMS! It might shock you to know I’m neither a judge nor an Adam. Or maybe I am….. In other words, do your damnedest not to use any info on your private email or sites that can be linked to your public persona. I need Google for work so I don’t mingle info. Your old Gmail. Your old Steam screen name. Your old Apple profile name. Etc. Use nothing similar on your private persona that could match it up with a Google search. Your cat’s name. Your favorite handle. Hell, even the numbers you use in your public gamer tags. Your private persona has to have no discernible link to your public persona or it’s all for naught.

Just remember nothing is 100% and human error is still the most exploited point of failure. But you can make it more difficult so maybe they move on to an easier target. In this digital age it is almost impossible to live without a public digital persona. Netflix shows. Work stuff. Etc. Just always be cognizant of what you do in “public.” Always assume that persona is monitored.

You get it. Good luck!

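Item 9 in the list above mentions a startup script that randomizes the MAC address. As an added example (not GrapheneOS’s, Mullvad’s or any project’s code), here is the part of such a script that is easy to get wrong: generating an address that is actually valid for a source MAC. The first octet must have the locally-administered bit (0x02) set so it cannot collide with a vendor-assigned OUI, and the multicast bit (0x01) clear. The interface name wlan0 is a placeholder, and the iproute2 commands are only printed, never executed, so you can review them before putting them in a root-run startup script:

```python
"""Random locally-administered MAC addresses for a Linux startup script.
Added example, not GrapheneOS or any project's code.  The interface name is a
placeholder and the ip(8) commands are only printed, never executed."""
import random
import re
import secrets
from typing import List, Optional

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
IFACE_RE = re.compile(r"^[a-zA-Z0-9_.-]{1,15}$")  # Linux interface names are <= 15 chars


def random_mac(rng: Optional[random.Random] = None) -> str:
    """Six random bytes with the first octet forced to 'locally administered, unicast':
    bit 1 (0x02) set so it does not collide with a vendor OUI, bit 0 (0x01) cleared
    because a multicast bit in a source address is invalid.
    `rng` is only for reproducible tests; real runs use the secrets module."""
    pick = rng.randrange if rng is not None else secrets.randbelow
    octets = [pick(256) for _ in range(6)]
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{o:02x}" for o in octets)


def is_locally_administered_unicast(mac: str) -> bool:
    """True for a well-formed MAC whose first octet ends in binary ...10."""
    if not MAC_RE.match(mac.lower()):
        return False
    first = int(mac[:2], 16)
    return first & 0x03 == 0x02


def commands_for(iface: str, mac: str) -> List[str]:
    """The iproute2 sequence a startup script would run as root: interface down,
    new address, interface up.  Refuses addresses that would be rejected or that
    would impersonate a vendor OUI."""
    if not is_locally_administered_unicast(mac):
        raise ValueError(f"refusing {mac}: not a locally-administered unicast MAC")
    if not IFACE_RE.match(iface):
        raise ValueError(f"suspicious interface name: {iface!r}")
    return [
        f"ip link set dev {iface} down",
        f"ip link set dev {iface} address {mac}",
        f"ip link set dev {iface} up",
    ]


if __name__ == "__main__":
    import sys

    iface = sys.argv[1] if len(sys.argv) > 1 else "wlan0"  # placeholder interface name
    print("\n".join(commands_for(iface, random_mac())))
```

Two practical caveats: some Wi-Fi drivers refuse address changes while the interface is up (hence the down/up bracket), and if the machine uses NetworkManager it is simpler to let it do the job per connection via its wifi.cloned-mac-address=random setting than to fight it from a startup script.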

I have Proton Unlimited and honestly, I wouldn’t know what to say about SimpleLogin even though I indirectly use it, since I have an email for each account and the domains don’t end in Proton, but rather things like passmail.com and passinbox.com.

It takes me 10 seconds to create an email for a new account and that’s it.

If you already use Proton Mail and pay for SimpleLogin, you could switch to Proton Unlimited and have both since Proton uses SimpleLogin for aliases.

Whatever choice you make, SimpleLogin has had many security audits and is considered by many to be a solid service, so you can rest easy on that front.

800 accounts are indeed a lot. You can simply start by migrating the most important ones, like personal email, banks, social media, and anything else you deem important to protect.

The list should reduce to a few dozen. The rest you can do over time, whether it’s weeks or months.

If you have a common threat model and aren’t at risk of losing your life, it’s not a problem. The world of digital privacy is infinite, and there’s nothing wrong with not doing everything at once.

It’s possible that some accounts are no longer useful, so you might be able to delete them.

Most of us have accounts made years ago but forgotten or otherwise unused.

The motivation isn’t always there, but it’s better to at least care about the important ones rather than to think about how many accounts you have and do nothing.

You can make as many backups of your password manager’s vault as you want; they’re simple to make and import back into an account, even an external one (both offline and online).

For example, let’s say you lose access to your Bitwarden account, but you had a backup of the vault.

Just put it on another account, even with a free tier, and if they were unencrypted you’ll have zero problems.

Of course, an encrypted vault isn’t exactly ideal, but if you really want to be 100% sure, you can have an unencrypted copy on a Veracrypt-encrypted drive.

In that case, you still have solid encryption. Regarding how to remember the password or ideally the passphrase of the password manager, there’s a guide by Privacy Guides.

It’s designed to have a passphrase that’s easy to remember but hard to crack, a single password to protect all the others.

If you don’t feel like remembering a passphrase at first, you can still use a phrase you remember that’s 25-30 characters long.

Less optimal, but better than potentially abandoning password managers.

So, about the potential increase of attack surface. This isn’t an issue exclusive to aliases; any client like Gmail and Proton is affected.

The real problem, as always, is protecting your accounts well through solid email clients like Proton and Tuta, having good passwords, and using 2FA like authentication apps and security keys like YubiKey or using passkeys.

If an attacker gets into your Proton account you could have trouble, just like with SimpleLogin, Gmail, and so on.

Regarding documents, it depends on what you want to do. There are secure online drives that care about privacy, like Proton Drive, and Privacy Guides has an article on this.

This is an example of an important account to prioritize. Use a good password and solid 2FA as mentioned above.

Regarding losing them, the advice, as already mentioned, is to use the 3-2-1 rule.

Three copies of the backup, on two different media, and one off-site.

Make regular backups (like once a month) on a flash drive, external SSD and HDD, whatever you have, and a cloud or a physical copy not at your home.

It may seem like a hassle at first, but you can start simply by making a single backup on a physical device and uploading it to Proton Drive, so you already have two extra copies.

After that, doing it once a month becomes a habit and shouldn’t take much time. There’s a YouTube video by Explaining Computers called “Data Backup: The 3-2-1 rule.”

It’s a bit old, but still relevant. Obviously you could view or read something else about it.

The same classic advice applies to photos and documents: protect your devices well with good passwords, disk encryption on PCs, the usual general advice on protecting personal devices, which I won’t go into detail here.

You can find them here, from Techlore, on the EFF website, on Naomi Brockwell’s channel, and so on.

Regarding AI training, I wouldn’t upload photos, at least not personal or sensitive ones, to clouds like Google Drive.

I’d keep them on my personal devices, locally or on privacy-respecting clouds, and here I’d add Ente Photos.

Preferably, I wouldn’t upload sensitive content to the internet or social media; I’d keep it to myself and not send it in general. That way, you should avoid many hassles.

Regarding PII, I’d also cite the sources mentioned above (like Privacy Guides and EFF).

To name a few, disk encryption on PCs, using VPNs, browsers like Brave, using sites only in HTTPS or forcing them with the browser, avoiding unprotected public Wi-Fi.

Use encrypted messengers like Signal (even WhatsApp is better than nothing), minimize personal information published on social media and the internet.

Use as many privacy-respecting services as possible; even using Linux and Android distributions like GrapheneOS helps a lot.

Online, if you’re not using your public identity, try not to share personal information, don’t use your real name, and try to be as anonymous as possible.

There are many things you can do. The term “can” is important. You can do them tomorrow or next week calmly; no one is chasing you.

You can prioritize certain things if you think your threat model requires it more and do (if you want) the other things at another time.
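The 3-2-1 rule described earlier in this post (three copies, two media, one off-site, refreshed about monthly) is easy to state and easy to drift away from. As an added example, not from the thread or any backup tool, here is a small checker that takes an inventory of where your vault or documents backups live and reports which of the three conditions is missing and which copies have gone stale. The copies, media names, dates and the 31-day limit are constructed for this example:

```python
"""3-2-1 backup check over a constructed inventory.  Added example, not from the
thread or any backup tool; copies, media names, dates and the 31-day limit are made up."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class BackupCopy:
    label: str
    medium: str        # e.g. "ssd", "hdd", "flash", "cloud", "paper"
    location: str
    offsite: bool      # physically away from home (cloud provider, a friend's safe)
    last_backup: date


def check_321(copies: Iterable[BackupCopy], today: date, max_age_days: int = 31) -> Dict:
    """Three copies (the working copy on your own disk counts as one), on at least
    two different media, at least one off-site.  Copies older than max_age_days
    missed the monthly refresh the post suggests and are reported as stale."""
    copies = list(copies)
    media = sorted({c.medium for c in copies})
    offsite = [c.label for c in copies if c.offsite]
    stale = [c.label for c in copies if (today - c.last_backup).days > max_age_days]
    problems: List[str] = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need 3")
    if len(media) < 2:
        problems.append(f"all copies on one medium ({media[0] if media else 'none'}), need 2")
    if not offsite:
        problems.append("no off-site copy")
    for label in stale:
        problems.append(f"{label} not refreshed in {max_age_days} days")
    return {"copies": len(copies), "media": media, "offsite": offsite,
            "stale": stale, "ok": not problems, "problems": problems}


# Constructed inventories: one that satisfies the rule and one common failing setup.
TODAY = date(2025, 6, 1)
GOOD = [
    BackupCopy("laptop", "ssd", "home", False, date(2025, 6, 1)),
    BackupCopy("usb-hdd", "hdd", "home", False, date(2025, 5, 12)),
    BackupCopy("proton-drive", "cloud", "provider", True, date(2025, 5, 22)),
]
TOO_FEW = [
    BackupCopy("laptop", "ssd", "home", False, date(2025, 6, 1)),
    BackupCopy("flash", "flash", "home", False, date(2025, 3, 1)),
]


def report(copies: Iterable[BackupCopy], today: date = TODAY) -> str:
    """One-line summary: 'OK' or the semicolon-joined list of problems."""
    result = check_321(copies, today)
    return "OK" if result["ok"] else "; ".join(result["problems"])


if __name__ == "__main__":
    print("good inventory:", report(GOOD))
    print("too-few inventory:", report(TOO_FEW))
```

The second inventory is the typical starting point (a laptop plus one USB stick that was last updated months ago) and the checker names all three gaps at once: too few copies, nothing off-site, and a stale copy. Adding the cloud upload suggested in the post fixes two of them in one step.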