
I've rolled with the same setup for years; what should I be doing instead?


If your setup includes a password manager, generated unique passwords and enabling 2FA everywhere you can, there's not much else to do.

Just use a unique complex root password for your password manager and check semi-regularly that it hasn't leaked on haveibeenpwned.

Bonus points if your password manager automatically checks your stored passwords for leaks and scores them (e.g. LastPass).


I happen to think that having your password manager online is a mistake.


For your consideration, one does not need to have their password manager online to use HIBP; they offer [at least] two different concessions to your concerns:

- SHA1 or NTLM hash prefix matching https://haveibeenpwned.com/API/v3#SearchingPwnedPasswordsByR...

- actually download the HIBP db and check for yourself https://haveibeenpwned.com/API/v3#PwnedPasswordsDownload

Thus you could hash your passwords in your airgapped setup, transfer the hashes using a mechanism you trust to an Internet connected device, and then check the hashes.
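The hash-then-prefix-match workflow described in the comment above, as an added example that is not part of the original thread or HIBP's own code. The function names are hypothetical, and `fake_fetch_range` is a constructed stand-in for the range lookup (one `SUFFIX:COUNT` pair per line) so the block runs offline.

```python
import hashlib

def offline_hash(password: str) -> str:
    """Air-gapped side: the only value that leaves the machine is this SHA-1 hex."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def parse_range(body: str) -> dict:
    """Parse a range response body: one 'SUFFIX:COUNT' pair per line."""
    hits = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            hits[suffix.upper()] = int(count)  # malformed lines are skipped
    return hits

def leak_count(full_hash: str, fetch_range) -> int:
    """Connected side: send only the 5-char prefix, compare the suffix locally."""
    full_hash = full_hash.strip().upper()
    if len(full_hash) != 40:
        raise ValueError("expected a 40-character SHA-1 hex digest")
    prefix, suffix = full_hash[:5], full_hash[5:]
    # Padded responses carry extra entries with count 0; .get() treats a
    # count-0 match and a missing suffix the same way: not found in a breach.
    return parse_range(fetch_range(prefix)).get(suffix, 0)

# ---- constructed sample data so the example runs offline ----
LEAKED = "password123"                      # constructed "breached" password
UNSEEN = "constructed-unseen-passphrase"    # constructed "clean" password
QUERIED = []                                # records what the "network" saw

def fake_fetch_range(prefix: str) -> str:
    """Stand-in for the HIBP range lookup; returns a constructed body."""
    QUERIED.append(prefix)
    lines = ["0" * 35 + ":0", "F" * 35 + ":7"]   # padding entry, unrelated hit
    leaked = offline_hash(LEAKED)
    if prefix == leaked[:5]:
        lines.append(leaked[5:] + ":1234")       # constructed count
    return "\r\n".join(lines)

if __name__ == "__main__":
    for pw in (LEAKED, UNSEEN):
        print(pw, leak_count(offline_hash(pw), fake_fetch_range))
    print("prefixes sent:", QUERIED)
```

Swapping `fake_fetch_range` for a real HTTP call leaves the rest unchanged: the full hash stays on the connected device and only five hex characters reach the service.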


password manager with 2FA / yubikey, randomized passwords per account, randomized account emails if your provider supports aliasing


What provider do you suggest? I've used Gmail all my life. Recently Firefox started supporting forwarding, but that's only 5 emails.


I'm on Fastmail and it has been worth every penny. They happen to also integrate their email alias generation with 1Password, which I also use, making it an extra good investment.

Despite their name being fastMAIL they also have a passable calendaring implementation. My only complaint about it is that they don't offer an Android "widget" in order to see the upcoming agenda at a glance, so one has to actually launch their app to view the calendar.

If such things matter to you, they have CalDAV and WebDAV offerings, the latter of which I use for backing up my ViolentMonkey scripts. I haven't used their "Google Keep" replacement because Joplin serves my needs, but it does exist. And all of this for the same yearly price.



