We use Google for email. Wouldn’t even try to host it ourselves.
LastPass for password management, but Google accounts are the only ones we don’t keep in it.
So we each change our master LastPass password and Google password regularly. I should be more regular, though; I kinda just make everyone do it when I see a post like this...