e-mail accounts are a pretty serious single point of failure, more so than I think most people ever consider. Recovery accounts and 2 factor authentication help (if you have them setup), but there is a new option that a lot of people won’t know about. email address aliases.
An idea I had some time back was to have a different login name for e-mail accounts to the actual e-mail address, since you address is public. Rather than login in with firstname.lastname@example.org I would login with something like “mynickname987”. This isn’t a perfect security answer, but I think it could help in a lot of cases.
Later I had an even better idea (I’m full of them), what if I could have a different e-mail address for every sign-up I did. That seems like a logistic nightmare, but there is now a simple way to handle it.
For a long time Microsoft and Google (maybe others too) allowed you do add an extension to your e-mail address, such as “email@example.com”. That way when you got an e-mail from a Nigerian Prince to “firstname.lastname@example.org” you know that dodgywebsite leaked your e-mail address. Those bastards!
But what if the e-mail from that ‘Prince’ arrived at your actual e-mail address? It’s easy to strip out the “+dodgywebsite” part, then you don’t know who leaked it. Even worse, you actual e-mail address is now on some Nigerian Prince mailing list.
Outlook and Gmail now both let you add other accounts to your main one. Now I can do something like this:
Main account – “email@example.com”
Alias account – “firstname.lastname@example.org”
Sign-up – ” “email@example.com”
Now if I start getting spam to my sign-up alias, I can create a new one and move everything over to that. This is still a lot of effort, so I’ll probably create a new alias each year and have another one for trusted sites.
Another benefit of trusted sites is making phishing e-mails easier to spot.
If I have the alias “firstname.lastname@example.org” and use the extension “email@example.com” for my PayPal account, then when I get one of those fake PayPal e-mails to any other address, it is even more obvious that it is a scam.
Obviously this is still a complex way of managing e-mail. Will the benefits out way the time and complexity. I suspect for most people they won’t, since most people done even take simpler steps towards better online security.