Security for Solo Founders: What Actually Matters (It's Not a VPN) (2026)
Why I don't use a VPN daily, why Bitwarden + 2FA beat antivirus suites, and the email-leak problem no security advice solves.
Quick verdict
Password manager is mandatory. Authenticator-app 2FA is mandatory. A VPN is situational, not the daily shield every ad pretends. Encrypted local storage for development keys matters more than most founders give it credit for.
And the thing nobody tells you: your email address has probably already been leaked by some badly-built SaaS you signed up to ten years ago. Password rotation and breach monitoring matter whether you are careful or not.
What I actually run: Bitwarden (planning to self-host Vaultwarden), Google Authenticator (migrating to 2FAuth), VeraCrypt for keys, and no daily VPN. Here is why.
Password managers: where your security money actually goes
If you only do one security thing, do this. Not a VPN. Not antivirus. A password manager.
The reason is simple. Every site you sign up to is a potential leak. You cannot prevent that, but you can make sure one leak does not cascade through every account you own. A password manager lets you use a unique strong password for every service, so when one gets breached - and one will - the damage is contained to that single service.
Three options worth considering:
Bitwarden is free for individuals, $10/year for premium features (YubiKey support, advanced 2FA, file attachments). Open source. The free tier is more capable than most paid competitors. It is what I use daily. The interface is functional rather than beautiful, but it does the job and the trust model is clean.
1Password starts at $3/month. Polished interface, excellent family and team features, clean mobile apps. If Bitwarden's UI puts you off or you need the sharing features for a small team, 1Password is the obvious upgrade. The founder-friendly plan is $5/month for teams of up to 10.
Proton Pass is the newer entry from Proton. If you already use Proton Mail or Proton VPN, it integrates into that ecosystem. Free tier is reasonable, paid plans start at €1.99/month. Worth considering if you are already invested in Proton.
What I would avoid: password managers bundled with antivirus suites. I used the one that came with Bitdefender for years. It worked well until a redesign made it harder to use, and by then I had years of entries to migrate. Bundled tools follow the parent product's priorities, not the password manager's. Standalone is better.
The self-hosted alternative: Vaultwarden. It is a rewrite of the Bitwarden server in Rust, API-compatible with the Bitwarden clients. Runs on any small VPS in a Docker container. Your vault stays on infrastructure you control. I am planning to migrate to this once my server setup is stable.
2FA and the backup codes lesson
Two-factor authentication on everything important. Not SMS - attackers can intercept SMS through SIM swaps. Authenticator apps (TOTP codes) are the standard. Hardware keys (YubiKey) are the upgrade.
The honest lesson I learned early: be disciplined about backup codes.
When you enable 2FA on a service, they give you one-time backup codes. Save them somewhere you can actually find years later. Not in the same vault as your password (if you lose access to that vault, you lose access to everything). A printed copy in a safe place or a separate encrypted file works.
I was flippant about this early on. Now, the thought of migrating my 2FA codes from one app to another makes me nervous, because losing that migration means losing access to every account it covers. That fear is the lesson.
Three options:
Google Authenticator is what most people start with. Free, simple, works. I use it today. The old version had no cloud sync, which meant a lost phone meant lost codes. The current version syncs to your Google account, which fixes that but introduces a different risk (if your Google account is compromised, so are your codes).
Authy has been popular for years for its cross-device sync and backup features. Ownership has changed, and 2025 saw some user friction around desktop app deprecation. Still functional, but less recommended than it was.
2FAuth is the self-hosted option I am migrating to. Open source, runs in a Docker container, your codes stay on your infrastructure. Export and backup are in your control. The setup cost is real (you need to run a server) but the long-term independence is worth it.
For critical accounts (email, banking, domain registrar), a hardware key like YubiKey adds a layer that phishing cannot bypass. $50 one-time cost, works for years, paranoid-grade security for the accounts that matter most.
The VPN honest section: when you need one, when you do not
This is where I will lose half the affiliate-review sites. I do not use a VPN daily, and I do not think most founders need to.
I have tried four over the years. Cryptostorm had the best privacy stance I ever encountered - genuinely anonymous payment options, no-logs audits, strong technical reputation. It also had a rough user experience for non-technical users, and the privacy-first support model meant that getting help was genuinely awkward (which was consistent with their values - they were not going to log who was contacting them). PIA and ExpressVPN were more polished; NordVPN had the broadest server coverage. All four slowed my connection noticeably. All four got me blocked from normal sites occasionally, because too many operators treat VPN traffic as suspicious.
At some point I stopped reaching for one. Speed and site-blocking were the surface reasons. The deeper reason was philosophical: VPNs are to privacy what email warmup services are to deliverability. You are told you must have one, the advertising is relentless, and the actual problem they solve is narrower than the marketing suggests.
The ad saturation itself is a signal. When a product is sold this hard on every podcast, every YouTube sponsor slot, every newsletter - it is usually because the margins are fat and the market is over-sold. It is not a reason to reject VPNs outright, but it is a reason to be sceptical of the "you need this every day" pitch.
When you actually need one:
Public wifi sessions where you are working with anything sensitive. A VPN is a real layer of defence when the network itself cannot be trusted.
Travel to countries where content is blocked or surveillance is meaningful. A VPN lets you access the services you normally use and adds a layer between you and the local network.
Geo-testing for your product. If you are building anything customer-facing, you need to see what your site looks like from different countries. A VPN is the easy way to do that.
Privacy-sensitive research. If you are researching topics where the search history itself is the risk (journalism, legal work, competitive intelligence), a VPN is the right tool.
When you do not need one:
Working from your home network on your own SaaS. The HTTPS connection is already encrypted. Your ISP can see which domains you visit but not what you do on them. A VPN shifts that visibility from your ISP to the VPN provider, which is not obviously an upgrade.
Accessing your own infrastructure from home. This is a different problem - remote access, not privacy. The right tool there is Tailscale or WireGuard, not a consumer VPN.
What I run: nothing daily. NordVPN installed for traveling and geo-testing. Not a subscription that earns its monthly cost. Your mileage may vary if you travel more, work on public wifi more, or work in a jurisdiction where a VPN is genuinely protective.
Keys and secrets: the not-ideal-but-honest section
Development API keys, server credentials, SSH keys, client data. This stuff cannot live in your password manager (mostly) and cannot live in plaintext (ever).
What I use today: VeraCrypt for an encrypted local vault. It creates an encrypted container file that mounts as a drive when you unlock it. Keys, notes, credentials live inside. When unmounted, the whole thing is a single encrypted file that is useless to anyone who does not have the password.
TrueCrypt was the original - widely trusted, open source, then mysteriously abandoned in 2014 with a strange "TrueCrypt is not secure" message on the site that nobody has fully explained. VeraCrypt is the fork that kept going. If you still have TrueCrypt installed anywhere, migrate.
Some keys live in other local-only spots that I am actively migrating out of. The honest answer is: my setup is not perfect, and I am moving toward proper secrets management rather than pretending I am already there.
The target: a self-hosted secrets manager. Vaultwarden has a secrets management add-on. Infisical is open source and built for dev teams. Either option keeps your secrets on infrastructure you control, with proper access logs and rotation support.
The important part: secrets should not live in your main note-taking app, a Google Doc, or committed anywhere near a git repository. I run gitleaks as a pre-commit hook on every repository I care about. It scans commits for common secret patterns before they are pushed. I installed it preventatively, not because I had been bitten. It has still caught things - usually demo API keys during development that would not have been a real exposure, but the habit of running the check is the point.
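To show what a pre-commit secret scan does, here is a small scanner over the added lines of a staged diff. This is an added example written for this edit, not the article's code and not gitleaks, which ships a far larger maintained rule set. The four rule regexes and the sample diff are constructed for illustration (the AWS value is Amazon's published example key, not a live credential); `scan_diff`, `match_line` and `redact` are names chosen here. The `gitleaks:allow` inline marker is the convention gitleaks itself uses for deliberate exceptions such as the demo keys the author mentions.

```python
"""Added example (not the article's code, not gitleaks): scan the added lines of a
staged diff for common secret formats, the check a pre-commit hook performs."""
import re
import subprocess
import sys

# Constructed rules from public descriptions of each credential format.
# gitleaks maintains a far larger rule set; these four show the idea.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic-api-key": re.compile(
        r"""(?i)(?:api[_-]?key|secret|token)\s*[:=]\s*['"]([A-Za-z0-9_\-]{20,})['"]"""),
}
HUNK = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
ALLOW_MARKER = "gitleaks:allow"  # inline allow-list comment, the convention gitleaks uses


def redact(s: str) -> str:
    """Never echo the secret itself into terminal scrollback or CI logs."""
    return s[:4] + "..."


def match_line(line: str, path: str, lineno: int) -> list:
    if ALLOW_MARKER in line:
        return []
    return [{"rule": rule, "path": path, "line": lineno, "match": redact(m.group(0))}
            for rule, pattern in RULES.items() if (m := pattern.search(line))]


def scan_diff(diff_text: str) -> list:
    """Walk a unified diff, tracking the new-file line number, and scan only
    added lines: removed lines and untouched context are not what is being committed."""
    findings, path, new_lineno = [], "<unknown>", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            name = raw[4:].strip()
            path = name[2:] if name.startswith("b/") else name
        elif raw.startswith("--- ") or raw.startswith("\\"):
            continue  # old-file header / "No newline at end of file"
        elif raw.startswith("@@"):
            m = HUNK.match(raw)
            new_lineno = int(m.group(1)) if m else 0
        elif raw.startswith("+"):
            findings.extend(match_line(raw[1:], path, new_lineno))
            new_lineno += 1
        elif raw.startswith("-"):
            continue  # removed line: not in the new file
        else:
            new_lineno += 1  # unchanged context line
    return findings


# Constructed sample diff; the AWS value is Amazon's documented example key.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+STRIPE_SECRET = "sk_test_demo_placeholder_value"  # gitleaks:allow
 ALLOWED_HOSTS = ["example.com"]
+API_KEY = "abcdefghijklmnopqrstuvwxyz0123456789"
"""


if __name__ == "__main__":
    # As .git/hooks/pre-commit: scan what is staged and block the commit on a hit.
    diff = subprocess.run(["git", "diff", "--cached", "--no-color"],
                          capture_output=True, text=True, check=True).stdout
    hits = scan_diff(diff)
    for h in hits:
        print(f"{h['path']}:{h['line']}: {h['rule']} ({h['match']})", file=sys.stderr)
    sys.exit(1 if hits else 0)
```

Saved as `.git/hooks/pre-commit` and made executable, this reads `git diff --cached` and exits non-zero on a hit, which is the point in the workflow the author's gitleaks hook occupies: the secret is refused before it reaches a commit, let alone a push, and a pattern-based check will also flag harmless demo values, which is exactly the kind of finding the allow marker exists for.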
Assume-breach: your email is already leaked
This is the part most security advice skips. No matter how careful you are, your data is in other people's hands and some of those people will fail.
Over the last decade my email address has been in a long list of breach notifications. MyFitnessPal, where I tracked my calories for a while. A credit reference agency, which leaked a chunk of UK consumer data. Various smaller sites I signed up to once and forgot about. The pattern is universal - any service you have ever used can leak, and some of them will.
Concrete example. Early days of Twitter, I made an account, barely used it, left it dormant for years. Later I wanted to use it for a business plan. I had forgotten the password. When I tried the recovery flow, the account was already under someone else's control. Support would not help me prove I was the original owner. That account is now lost - a legacy identity out there that I no longer control.
The lesson is threefold.
First, use a unique strong password for every service (your password manager handles this automatically). When a service gets breached, the damage is contained.
Second, rotate passwords on important accounts periodically. The password you used five years ago is probably in a leaked database somewhere. If it is still your password today, that is a problem waiting to happen.
Third, lock down legacy accounts rather than leaving them dormant. If you signed up to something in 2012 and never went back, that account is an attack surface. Either delete it, change the password to something in your current vault, or accept it as lost. What you should not do is leave it sitting under an old password you used for everything.
HaveIBeenPwned (haveibeenpwned.com) is the breach monitoring tool everyone should use. Enter your email and it shows you every known breach that included your data. Enable notifications so you are alerted when a new one appears. It is free, run by a genuinely trustworthy operator, and it is how I found out about most of the breaches that affected me.
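The same operator also publishes a password check that can be run without the password itself leaving your machine, which is how the rotation advice above can be turned into a test rather than a calendar reminder. The following is an added example (not code from the article or from HaveIBeenPwned): the Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 hash and returns every known suffix in that bucket, so the match is made locally. The sample range body and its counts are constructed; `split_sha1`, `count_in_range`, `fetch_range` and `pwned_count` are names chosen here, and the `Add-Padding` request header is a documented option of that API.

```python
"""Added example (not the article's or HaveIBeenPwned's code): check a password
against the Pwned Passwords corpus using the k-anonymity range API, so only the
first five hex characters of its SHA-1 hash ever leave the machine."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple:
    """Return (prefix, suffix): the 5-char range key sent to the API and the
    35-char remainder that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_body: str, suffix: str) -> int:
    """The API answers with one 'SUFFIX:COUNT' per line for the whole prefix
    (several hundred entries); find ours, or 0 if the password is not in the corpus.
    Padded entries (Add-Padding header) carry count 0 and so fall out naturally."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Network call. Add-Padding asks the API to pad the response so its size
    does not reveal which prefix bucket was requested."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={
        "User-Agent": "founder-password-check",   # constructed UA string
        "Add-Padding": "true",
    })
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str) -> int:
    """Number of times the password appears in known breaches (0 = not found)."""
    prefix, suffix = split_sha1(password)
    return count_in_range(fetch_range(prefix), suffix)


# Constructed stand-in for a range response for prefix 5BAA6 (sha1("password")
# starts with 5BAA6). The neighbouring suffixes and all counts are made up.
SAMPLE_RANGE_5BAA6 = """\
1E2A6D4D0F9B9E3B1F3A2C9D8E7F6A5B4C3:0
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E5F1C3D9A7B6E4F2D0C8B6A4E2F0D1C3B5:2
"""


if __name__ == "__main__":
    prefix, suffix = split_sha1("password")
    n = count_in_range(SAMPLE_RANGE_5BAA6, suffix)
    print(f"prefix sent: {prefix}; seen {n} times -> {'rotate it' if n else 'not in corpus'}")
```

A non-zero count is the concrete trigger for the "rotate it" rule in the text: the password is in a leaked database whether or not you have had a notification about the site it came from. Password managers' built-in health checks perform this same kind of lookup, which is why the separately marketed "password auditor" products add little.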
What you can skip
Antivirus suites. On a modern Mac or a current Windows install with browser hygiene and sensible download habits, the bundled protection is sufficient for most founders. Paid antivirus suites solve problems that stopped being the main threat years ago. Your threat model today is phishing, credential reuse, and social engineering - not exotic file-based viruses.
Paid VPN subscriptions if you never travel and do not do geo-testing. Sitting at home on your own network, running on your own infrastructure, the VPN is solving a problem you do not have.
"Dark web monitoring" SaaS. This is usually repackaged HaveIBeenPwned data with a subscription fee. HaveIBeenPwned is free and does the same job. Identity theft protection services can be useful in specific situations, but the dark web monitoring feature by itself is almost always worse than the free alternative.
Paid password audit tools. Bitwarden and 1Password both have free password health checks built in. Anything separately marketed as a "password auditor" is doing something you already have.
The self-hosted stack I am building toward
The direction I am moving: Vaultwarden for passwords, 2FAuth for authenticator codes, Tailscale for remote access to my own infrastructure, and a self-hosted secrets manager for development keys.
The honest caveat: self-hosting moves risk. It does not remove it. Instead of trusting 1Password or Bitwarden's operations team, you trust yours. If you are the only operator, that is you at 2am when the server has a problem. If you are not diligent with backups, you can lose your vault entirely. If your Tailscale setup has a misconfiguration, you can open your home network to the internet.
For people who are comfortable with Docker, Linux, and home server maintenance, self-hosting is a genuine upgrade in control. For people who are not, the managed versions are the better choice. Both answers are valid.
My home setup includes an Unraid server that handles storage and a range of self-hosted services, and Tailscale handling the secure connection when I am away from the network. It is a technical setup that took time to build, and I am aware that every added component is another potential vulnerability if I misconfigure it. That awareness is part of the security model - self-hosting is not a shortcut to better security, it is a trade of one risk profile for another.
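The backup caveat in this section deserves a concrete shape. As an added example (not the article's own tooling and not anything shipped by Vaultwarden), here is a backup of a Vaultwarden-style data directory that uses SQLite's online backup API instead of copying the live database file, and then proves the archive restores. The directory layout (db.sqlite3, rsa_key.pem, rsa_key.pub.pem, config.json, attachments/, sends/) is assumed from Vaultwarden's defaults; `backup_vault`, `verify_backup` and `demo_roundtrip` are names chosen here, and the demo data is constructed.

```python
"""Added example (not the article's or Vaultwarden's tooling): take a consistent
backup of a Vaultwarden-style data directory and prove it restores. Copying a
live SQLite file can capture a half-written page; the online backup API cannot.
Assumed layout, from Vaultwarden's defaults: db.sqlite3, rsa_key.pem,
rsa_key.pub.pem, config.json, attachments/, sends/ in one data directory."""
import shutil
import sqlite3
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Everything outside the database that a restore needs. rsa_key.pem signs session
# tokens: lose it and every logged-in client is logged out after restore.
COPY_ITEMS = ["rsa_key.pem", "rsa_key.pub.pem", "config.json", "attachments", "sends"]


def backup_vault(data_dir, dest_dir) -> Path:
    data_dir, dest_dir = Path(data_dir), Path(dest_dir)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    staging = dest_dir / f"vaultwarden-{stamp}"
    staging.mkdir(parents=True)
    # 1. Database: sqlite3's online backup API copies page-by-page under SQLite's
    #    own locking, so the snapshot is consistent even while Vaultwarden writes.
    src = sqlite3.connect(data_dir / "db.sqlite3")
    dst = sqlite3.connect(staging / "db.sqlite3")
    src.backup(dst)
    dst.close()
    src.close()
    # 2. Key material, config and attachment blobs live outside the database.
    for name in COPY_ITEMS:
        item = data_dir / name
        if item.is_dir():
            shutil.copytree(item, staging / name)
        elif item.is_file():
            shutil.copy2(item, staging / name)
    # 3. Single archive per run; encrypt it before it leaves the host (not shown).
    archive = dest_dir / f"{staging.name}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(staging, arcname=staging.name)
    shutil.rmtree(staging)
    return archive


def verify_backup(archive, work_dir) -> dict:
    """A backup you have not restored is a hope, not a backup: unpack it, run
    SQLite's integrity check, count rows, and confirm the signing key came along."""
    work_dir = Path(work_dir)
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(work_dir)
    (restored,) = [p for p in work_dir.iterdir() if p.is_dir()]
    con = sqlite3.connect(restored / "db.sqlite3")
    integrity = con.execute("PRAGMA integrity_check").fetchone()[0]
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    rows = {t: con.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0] for t in tables}
    con.close()
    return {"integrity": integrity, "rows": rows,
            "has_rsa_key": (restored / "rsa_key.pem").is_file()}


def demo_roundtrip() -> dict:
    """Constructed end-to-end run on a throwaway directory shaped like the real one."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        data = tmp / "data"
        (data / "attachments").mkdir(parents=True)
        (data / "rsa_key.pem").write_text("constructed placeholder, not a real key\n")
        (data / "attachments" / "demo.bin").write_bytes(b"\x00" * 16)
        con = sqlite3.connect(data / "db.sqlite3")
        with con:
            con.execute("CREATE TABLE ciphers (uuid TEXT PRIMARY KEY, name TEXT)")
            con.executemany("INSERT INTO ciphers VALUES (?, ?)",
                            [("c1", "demo login"), ("c2", "demo note")])
        con.close()
        archive = backup_vault(data, tmp / "backups")
        return verify_backup(archive, tmp / "restore")


if __name__ == "__main__":
    print(demo_roundtrip())
```

Run from cron against the real data directory, `backup_vault` gives you the archive and `verify_backup` is the part most self-hosters skip: the restore test is what turns "I have backups" into "I can recover at 2am". The archive holds the vault database and the key that signs sessions, so it needs the same care as the vault itself before it is copied off the host.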
The goal is not perfect security. It is making yourself a harder target than the next person, and recovering quickly when something does go wrong. Password manager, authenticator-app 2FA, rotation on accounts that matter, and awareness that your data is already partially in other people's hands. That is most of what actually matters. Everything else is the ad-saturation problem pretending to be essential.
Frequently Asked Questions
Almost certainly not as a daily tool. A VPN is useful when you are on untrusted networks (public wifi), traveling to jurisdictions where content is restricted, or doing geo-testing for your product. Sitting at home on your own network connecting over HTTPS to your own services, a VPN is solving a problem you do not have. Buy one if the use case is real for you. Do not buy one because ads keep telling you to.
Bitwarden if you are price-conscious and happy with a functional-not-beautiful interface. 1Password if you need polished family or team features and are willing to pay more for UX. Both are legitimately good. Neither is a bad choice. What matters is using one.
Only if you are already comfortable running servers and doing backups reliably. Vaultwarden is a clean self-hosted option (API-compatible with Bitwarden clients), but self-hosting means you are the operations team for your own vault. If you lose your server and your backups, you lose your passwords. Managed services trade some control for operational safety. For most solo founders, managed is the right call.
No, for anything important. SIM-swap attacks are real, and SMS codes can be intercepted. Authenticator apps (TOTP codes) are the minimum. Hardware keys (YubiKey, similar) are the upgrade. SMS 2FA is still better than no 2FA, so if a service only offers SMS, turn it on - but do not consider it the finished product.
On legacy accounts, at least every year or two, especially if HaveIBeenPwned has notified you of a breach involving your email. On active accounts that you use through a password manager with unique passwords, rotation is less critical - the unique-password protection is already doing the job. The higher-value move is unique passwords everywhere, not aggressive rotation on the accounts whose passwords are already strong.