Your question is unanswerable because the crux of your question is
Would this be enough?
For any set of actions A, the question of whether A counts as enough depends on how imaginative you are, in terms of what might happen that could conceivably cause the identities to be "merged" into one, in the eyes of a given individual.
Some things to consider:
-
Almost regardless of what you do, Advanced Persistent Threat (APT) organizations, such as the NSA, will be able to fairly easily merge two alternate identities into one, simply by using their privileged status to force VPN vendors or service providers to disclose information about who connected and when, under what IP and under what account.
-
On the other extreme of the spectrum, a typical person who is not well-versed in technology will be unable to tell that you are one person running two accounts, even if you use the same IP and web browser to access some website, and just create two accounts with different email addresses, and don't use a similar-enough writing style (same typos, etc) to be detectable as unique.
The problem is that the information (the core set of knowledge itself) surrounding your control of two "separate" online "personas" is not cryptographically secure. It is impossible, indeed, to make it cryptographically secure.
By "cryptographically secure", I mean that it is possible, in a reasonably small number of "steps", to define exactly how the personas merge into one, i.e., you the real-life person.
Take for example the situation that you described. Assuming that legal and company-private barriers are immaterial to the attacker, they can obtain a knowledge-chain like the following, which as you can clearly see is not cryptographically secure, because there are only a few steps:
- You transferred $X amount of money to VPN provider V1, using your home IP address to access their site. (even if you use Tor, know that many APTs are exit nodes for Tor and will very carefully inspect your traffic to glean exactly this kind of information; Tor is not nearly as anonymizing as it was once thought to be).
- You transferred $Y amount of money to VPN provider V2, using your home IP address to access their site.
- You connected to V1's VPN server.
- You used V1's VPN server to access forum
foo
andbar
, and logged into them using accountsfoo1
andbar1
. - You used V2's VPN server to access forum
foo
andbar
, and logged into them using accountsfoo2
andbar2
. - Therefore,
foo1
andfoo2
are the same person on forumfoo
, andbar1
andbar2
are the same person on forumbar
.
This knowledge chain is so simple that it's like making your password for your banking site, "password". This is not information-theoretically challenging in any way; all that remains is for an organization with the correct skills and/or the correct authority, to obtain this extremely small number of facts, and they've got you.
There is no way that I know of to escape this simple fact. It all comes down to who you're hoping to conceal your true identity from, and how skilled you think they are (including, how skilled whoever they might hire to investigate you or your personas is).