Email hygiene - Compartmentalizing email addresses for better privacy and security
The email address has become indispensable these days with most websites making it mandatory for registering or signing up for their services.
Email hygiene is often neglected by average users. Most do not consider an email address to be sensitive information. The email address has become indispensable these days with most websites making it mandatory for registering or signing up for their services.
I see many of my relatives, friends, and colleagues often using a single email address to create multiple accounts across many web applications.
There are some, who are security conscious. They may have an email address or two for creating legitimate accounts on web applications where they may need long-term access and a fake email address for logging in to websites like newsletters, news websites, blogs, and the like. This is not good email hygiene!
A quick shout out! Here's a “video version” of the article. If you are the visual type, I recommend watching the video. I bet you’ll enjoy it :)
To be honest, I was like this a few years back. Even after I became security conscious, I never had a “system” or “strategy” for email hygiene. At least, not until I heard the “Email Strategies” episode on Michael Bazzell’s Privacy, Security and OSINT podcast. The discussion between Michael Bazzell and Justin in this episode got me thinking. They emphasize having a “system” for email hygiene and rightly so. I highly recommend listening to this episode. They give you some great tips and I was inspired to write this post after listening to it.
💡Who is Michael Bazzell?
For peeps who don’t know Michael Bazzell, he investigated computer crimes on behalf of the government for over 20 years. He now hosts the weekly Privacy, Security, and OSINT show, and assists individual clients in achieving ultimate privacy, both proactively and as a response to an undesired situation. In fact, he served as the technical advisor for the first season of the television hacker drama Mr. Robot.
What’s the deal?
Well, an email address is sensitive information, just like your password. You usually require an email address and a password to log into a web application. But, the fact that only passwords are typed out in asterisks has primed us into believing email addresses are not sensitive data.
But, why the paranoia?
Data dumps of breached credentials are quite a hazard. Most times passwords are hashed, not email addresses. They may be sitting there in plain text. To make things worse, data breaches unfortunately, have become quite common. This paves ways for bad actors to employ spam and phishing attacks.
If your email address is public knowledge, bad guys could scout around data dumps to check if they could get a hit on a password corresponding to your email address.
One of the main concerns is the fact that most web applications make use of your registered email address to help reset your account passwords!
Your email address, if you haven’t realized it, is a window into your digital life. Try to recollect the number of applications you may have registered to with your email address. Some people have their social media, banking, and shopping accounts all linked to a common email address.
What you could do…
Now, before discussing further, let me tell you, there is no one right way to do it. Any strategy is subject to your level of paranoia. How robust do you want your privacy and security to be? Maybe you have a better strategy than the one I am going to outline. It's subjective. But, here’s what you could do.
Designate your email addresses
Never use your personal email address for registering to web applications. Share it only with friends and family.
Have a separate email account for banking and other financial services. Again, never use this email address for any other purpose.
Have a separate email address for registering to social media websites. Or maybe you could use different aliases for all social media accounts.
Use a unique email address for shopping and e-commerce.
Finally use a junk email address for purposes like signing up to newsletters, blogs, forums, and other websites.
The idea here is to not have a single point of failure. Having just one or two email addresses where most of your accounts are linked would prove to be risky. However, I understand this could be quite a hassle. There a two things you could do to make this task easier.
Use burner email services like SimpleLogin or Anonaddy to create multiple burner email aliases. Rather than having to create multiple email addresses, you could create burner email aliases on the fly and use them without having to risk giving away your real email address.
Email providers like Protonmail and Tutanota give you the option of creating multiple aliases under a single account. If you could spare some cash, these two email providers would be a great option. Not only do they give you the option of creating multiple aliases, but they are also end-to-end encrypted services, which is great for privacy.
💡Caution when using burner email addresses
Exercise caution when using burner email services. There are chances web applications may block the burner email alias, potentially blocking you out of your account. Use them only for junk services. Do not use them with applications you may want to have a relation with long-term.
It’s not enough to just create a strategy. Secure your email accounts!
Use unique passwords for every email address created. This goes without saying. The whole purpose of creating a secure system goes for a toss without having a unique and strong password for every account.
Activate 2 Factor-Authentication Don’t get complacent as a result of having unique passwords for your email addresses. I would suggest activating 2-FA in all your email accounts.
Create dedicated “Recovery email addresses”
Many would consider this a stretch, but I would suggest creating two unique email addresses for the sole purpose of being recovery options. Never use these email addresses elsewhere. Make one the recovery option for all your email addresses including your second recovery email address. Make the second recovery email address the recovery option for your first recovery email address. Understand by doing so, this could be a point of vulnerability. Create your recovery emails with hard to guess usernames and activate 2FA.