"Save Password" & "Remember Me" are NOT your Friends


The number one unsafe behavior that we have all been taught is trusting “Save password?” or "Remember me" prompts from our internet browsers. When you accept these prompts, your passwords are saved into the browser itself, which means that if a bad actor decided to infect your phone with browser info-stealing malware, they'd have full access to all of those passwords, AND to your login tokens from clicking "Remember me" or from your cache/cookies if you're not regularly clearing those like you should be. This means they'd be able to log in as you, and you wouldn't even see them as an additional device - it'd just appear to be YOU. Creepy, right?

The other behavior I truly believe we all need to modify right away is trusting cloud backups of literally anything private (photos, passwords, notes, connecting other apps to it, etc). The issue here is that 1) you're automatically backing up who knows what, which then becomes who knows whose data if a compromise ever occurs, and 2) services that are connected together make it INCREDIBLY easy for bad actors to then gain access to your entire life (like G0--le services, where you use a single email to access a trillion different tools, AND whatever websites you clicked "Sign up with Gm--il/G0--le" on). These conveniences are FREE and simple to benefit someone... and it's not us. Remember - when something is free, you are the product.

These webs of connectivity are why escaping stalking feels so impossible - if you don't handle every. single. entry point... then they will find a way back in and get to your information again. Now we know that “save password?” is something you should click “NEVER” on from here on, unless it is specifically coming from your Encrypted Password Manager (info below). Let’s start digging you out of the unfortunate position of having all of your passwords saved in an unprotected manner like this.

First: In your browser(s) of choice, go into the settings and check out your password manager. Turn it OFF - Now for everything that's saved in here, you're going to want to follow the instructions below to migrate them into your password manager.

Step 1: Download BitWarden and BitWarden Authenticator
((Don’t register yet!! Read Step 2!))

(Click here to download BitWarden) BitWarden is an encrypted (un-copyable) password generator and manager. Meaning it will help you create safe passwords so you don’t even have to think about them, then it will also help you save them in an encrypted app that will live on your phone or PC. You’ll log into the app, then copy & paste your passwords every day. No memorization, just ease! You'll get used to it super fast I promise. :) (Click here to download BitWarden Authenticator)

Step 2: BEFORE YOU REGISTER – Create a new email for your password manager.

I recommend that you create a BRAND NEW email JUST for this purpose. I recommend a free Proton account: although it has limited storage, it will work for this and isn't connected to your other services! (Click here to create a free Proton email.) I do NOT recommend the G-brand email that everyone uses because it is often integrated into FAR too many services. It just isn’t safe, especially if you have been or believe you could have been targeted by abusers/hackers/etc. IF someone has accessed your un-encrypted passwords (by using your computer, plugging into your phone, plugging your phone into something disguised as a "normal charger" or to their PC, getting you to click on a phishing text/email to install malware to steal your browser's passwords and login tokens, etc), then signing up for your new password manager with one of your current, possibly compromised emails is NOT a safe move. If you believe your device is compromised, click here for an article about getting a safe side phone to begin your process of building a new, safe life online.

Because we have some settings to modify, sign up for Proton Mail in a browser on a clean device, not in the Proton Mail app. DO NOT click “Save Password” on ANYTHIIIING lol – Write the password you create down for now!! Make sure it’s multiple words unrelated to your life, capital letters, numbers, and some symbols. You WILL be able to save this in your password manager in a bit!

Step 3: Register for BitWarden with your NEW eMail

Once you sign up for your new Proton email, NOW register for BitWarden within the app using that email – Write your BitWarden email & password combo down (as you won’t be able to access it within BitWarden when you’re needing to log in to BitWarden… because it’s inside! Lol – Also make this password secure, unpredictable, and keep it somewhere safe. Eventually you’ll memorize this because you’ll need to type it in every day, so don’t make it TOO crazy, but keep a backup written down anyway!)

Step 4: Creating your First Login Entry!

(Click here for instructions from BitWarden on how to create new entries!) Within BitWarden, go ahead and click the little plus sign at the bottom right and create your first login entry, titled “Proton Mail” (include the space for easier searching).

Enter your new email in the email/username field, manually type in the password you wrote down for your new Proton Mail in the password field and click save at the top! Congrats on your first entry! :D

You’ll create entries for things as you go along your password resetting journey (which you should begin NOW by the way- Reset passwords to EVERYTHING if you believe you've been compromised and save them all in BitWarden! Check out Step 6 before you start going ham though! While you're resetting passwords you should also be setting up 2FA/MFA/Multi-Factor Authentication via TOTP).

In the future you’ll add an entry for whatever platform you're resetting your password for (just click "forgot password" on the login page to do this fastest BTW), click the circle arrows to the right of the password field to have it generate passwords for you (select your variations like using multiple words, symbols, and numbers), and save your entry, THEN copy / paste it into the new password field of whatever you're editing. Don't make the mistake of generating it, NOT saving it, then leaving the BitWarden app because if you come back it may have generated you a new one by the time you get back. SAVE first, THEN copy and paste it into the new password field. :)

Step 5: Integrating BitWarden Authenticator

Now that you have signed up for BitWarden, go ahead and open the BitWarden Authenticator app and follow the straightforward instructions to connect it to BitWarden. Click yes for syncing. It’ll walk you right through it – super easy.


Step 6: Enable 2FA/Multi-Factor Authentication on your New eMail

Now that you have both of those connected, go to your ProtonMail in your browser (or log back in) and go to the settings. You’ll need to turn on 2FA, also known as MFA / Multi-Factor Authentication, immediately to keep this new email safe. (Click here to read another post about 2FA/MFA/Multi-Factor Authentication.)

Click here for instructions on how to set up 2FA/MFA for Proton Mail!

Step 7: Enable Multi-Factor Authentication on BitWarden

You'll want to set up 2FA/MFA/Multi-Factor Authentication for your new password manager login also. Personally, I purchased a YubiKey and I use it for my high priority login 2FA/MFA - But for now, you can set up "Authenticator App" / TOTP / Timed Code authentication. There are important notices about saving your "recovery code" in case you ever get locked out. Make sure you WRITE THAT DOWN (in the same place you wrote your password for BitWarden, HIDE those!!) -- (Click here for the instructions for enabling 2FA/MFA for BitWarden)

Step 8: Start Resetting Passwords & Setting up 2FA/MFA

Now that you have your new email and your new password manager secured, it's time for you to start resetting passwords and saving new entries for all of your services!

PRIORITIES: Your phone's automatic backup CLOUD ACCOUNT. IMMEDIATELY!! (iCloud, Samsung Cloud, Whatever it is!! Any and ALL cloud accounts.) Log into it in a browser and reset + MFA that thing NEOW. That's the number one thing abusers take control of.

Critical: Your current and previous Apple ID/Samsung ID/Whatever Cloud/Phone login IDs first!
Highest Priority: ALL of your old emails next, then anything you know is compromised (settings being changed, etc).
High Priority: Financial (PayPal, Venmo, Cash App, 401k, investments, anything work related, cryptocurrency – you will need to move your crypto portfolio to a new wallet if you were compromised)/banks, utilities, govt websites, healthcare, medical, social medias, rent portals, USPS Informed Delivery, online security cameras, vehicle connected car/telematics account (location tracking risk - contact your dealership or where you bought the car to reset the login for this if you don't know how), etc.
Medium Priority: Apps you love, whatever you use every day, gaming service logins, streaming services, online shops, Amazon - especially if it’s linked to devices that listen in or monitor your home (Alexa, voice activated anything, cameras, etc), grocery stores, delivery services, etc.
Low Priority: Random one time use logins on websites you bought something from once, an app you tried for a week, rewards memberships, etc. If you still care about these, definitely reset them, but they’re not emergency reset level. Save them for later if you’re scrolling down your saved logins list.

You don't have to do this all in one day, but if you nail the big ones on the first day you'll be able to breathe a lot easier. :) It's totally normal to go to log into something one day and realize "oop, I haven't done this one yet" - Don't stress. If you want to be SUPER thorough, you can open up your saved passwords list in Chrome or your phone keychain to scroll through there and find which ones you want to do first!
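One way to turn that saved-logins list into a reset order that follows the priority tiers above, as an added example that is not part of the original post. It assumes you used Chrome's password export, which writes a CSV with name, url, username and password columns; the keyword lists and the sample rows are constructed for illustration.

```python
import csv
import io
from urllib.parse import urlparse

# Tiers follow the priority list above; the keywords are illustrative
# assumptions, so adjust them to the services you actually use.
TIERS = [
    ("Critical", ("icloud", "apple", "samsung")),
    ("Highest", ("mail", "proton", "outlook", "yahoo")),
    ("High", ("bank", "paypal", "venmo", "usps", "health", ".gov")),
    ("Medium", ("amazon", "netflix", "steam", "spotify")),
]
ORDER = [name for name, _ in TIERS] + ["Low"]


def tier_for(host):
    """Map a hostname to a tier by keyword; anything unmatched is Low."""
    for name, keywords in TIERS:
        if any(k in host for k in keywords):
            return name
    return "Low"


def triage(csv_text):
    """Return sorted, de-duplicated (tier, host, username); passwords are never read."""
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Fall back to the entry name when the URL has no hostname.
        host = urlparse(row.get("url") or "").hostname or row.get("name") or ""
        if host:
            seen.add((tier_for(host.lower()), host.lower(), row.get("username") or ""))
    return sorted(seen, key=lambda e: (ORDER.index(e[0]), e[1], e[2]))


# Constructed sample in the assumed export layout (passwords are dummies).
SAMPLE = """name,url,username,password,note
amazon.com,https://www.amazon.com/ap/signin,me@example.com,dummy1,
icloud.com,https://www.icloud.com/,me@example.com,dummy2,
paypal.com,https://www.paypal.com/signin,me@example.com,dummy3,
yahoo.com,https://login.yahoo.com/,me@example.com,dummy4,
shop.example,https://shop.example/login,me@example.com,dummy5,
shop.example,https://shop.example/account,me@example.com,dummy5,
"""

if __name__ == "__main__":
    for tier, host, user in triage(SAMPLE):
        print(f"{tier:9} {host:22} {user}")
```

The export file holds every password in plaintext, so create it only on the clean device and delete it as soon as you have your list.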

You're headed towards digital sovereignty, so proud of you! (Search online "How to set up 2FA/MFA for (platform)" if you ever need guidance, you'll always be able to find walk throughs for this stuff!)
