You’re probably using the same email address for everything. Social media, finances, travel, shopping, and a thousand other mailing lists.
One of the biggest questions I hear people ask is what kinds of things they should be doing to stay secure online.
You might have heard experts telling you to use a different password for every account, but I’m telling you that if you’re not using a different email address for everything too, you’re just setting yourself up to be another cybercrime victim in the next major data breach.
At first glance, this might seem like a huge hassle and total overkill. Which is why in this blog, we’re gonna go over exactly why a different email is absolutely necessary for your digital security, and show you an awesome service out there that allows you to easily achieve this.
Let me start by asking you: Which would you rather have posted on a public billboard: your password or your email address? In this case, your email is a much more sensitive piece of information since it can uniquely identify you and allow others to contact and reach you.
A password, on the other hand, is mostly useless by itself, especially when it’s random or used by many different people.
Emails are one of those things that are unique to you and rarely change since it’s a huge hassle to update them across your personal contacts.
Along with phone numbers, they’re usually the one shared identifier that bridges your online and offline life.
While having the same email for everything makes it convenient to remember and share, it also creates a digital footprint across the entire Internet for companies to harvest and sell as well.
The thousands of marketing and spam emails sitting in your inbox can be pretty invasive and make you feel like you’ve lost control of your privacy and digital life.
There are tremendous security risks too. When one of these companies that you have an account with suffers a data breach, all of this data ends up getting sold and traded on blackhat websites like Raidforums, OGusers, Exploit, or others on the darknet.
Your email address can then be used to aggregate other pieces of personal data about you. Eventually, attackers can gather enough intel to hijack your accounts through phishing: they send you an attention-grabbing email pretending to be from some company, but it actually leads to a fake website designed to steal your password or even your authentication tokens to bypass two-factor protection.
In more advanced cases, attackers will use spear-phishing: hyper-personalized emails with a malicious PDF attachment crafted to exploit your computer when you open it. This method is actually one of the most common techniques advanced attackers use to break into companies’ networks.
Was I Pwned
If you wanna see if your email address has been compromised in a data leak, one of the most popular search websites is haveibeenpwned.com, which was made by the Australian cyber expert, Troy Hunt.
All you need to do is type in an email address to see if it’s appeared in known data breaches. Searching for the Yahoo address I had way back in grade school showed that it appeared in at least seven different compromised websites.
These accounts all had weak passwords that have been dehashed and cracked over time. When those credentials get stuffed across other websites, it also reveals what other accounts were registered using the same email or password.
Managing Multiple Accounts
With all that being said, you might be wondering: “dude, I’ve got a million accounts, how in the world am I gonna check a thousand different email addresses?” Well no worries, because there are many different services out there that let you generate masked email addresses that all forward to your primary inbox.
Many websites are now even supporting “Sign in with Apple”, which lets you use the “Hide My Email” feature, which works similarly.
One downside to these services is that since they all use the same base domain name or shared ones, websites may block them to prevent fraud and abuse.
A lot of these options are also proprietary and closed source, so there’s no strong assurance that these services don’t collect data from your emails when they get forwarded.
Which is why my favorite option is a service called AnonAddy, a newer project developed by the talented British developer, Will Browning.
It’s packed with features like custom domains to avoid blocking, GPG key support to encrypt the forwarded emails, and even being able to reply to emails from your masked addresses.
Best of all, it’s open-source and lets you self-host it on a private server somewhere. It’s got a pretty slick interface too that makes it easy to set up. Here’s how.
- So first, you wanna navigate to Anonaddy.com
- You can click register and pick a username, which will be used as a unique subdomain for your aliases.
- You’re gonna put in your real email address, followed by a really strong password.
- So once you have registered for an account, you can just log in and generate, say, a new alias.
- For the alias domain, you can choose either a unique one with your username in it, which lets you create an unlimited number of masked addresses, or a shared one that uses their standard domain, which gives you a bit more privacy.
- For the alias format, the free version only lets you use UUID. If you want random words instead, you’d have to subscribe to unlock that. You can put in a description, just to keep track of the email addresses.
- Once you generate this alias, now you can copy it to do any kind of registration.
If you start to get a lot of spam emails from some companies, all you gotta do is deactivate the masked address so it stops forwarding the email to your recipient account.
You can also delete it, or restore it at a later time if you want to. In the Recipients tab, you’ll find the receiving email address that gets the emails from your masked addresses.
You can also add recipients or add a public key as well. If you subscribe to Pro, you can also use a custom domain name for your masked address to bypass any kind of domain name block for masked services like AnonAddy.
And the Usernames section lets you add additional ones if you want to have the flexibility to compartmentalize things.
So that’s AnonAddy in a nutshell. For as little as a dollar a month, you get access to a ton of added value in terms of privacy and security.
When you use a different email address for everything, you begin to apply the principle of compartmentalization to your digital life.
This means that when it comes to banking, investments, shopping, education, or entertainment, none of the login info actually gets associated with the personal email address you use to communicate with friends and family.
In terms of privacy, this means not having to deal with spammy clutter in your inbox, since your forwarding emails can be disabled, reducing the overall value to marketers looking to broker and sell your contact info.
There’s a sense of relief when you can actually have some control over this. In terms of security, having a unique email address makes for a great way to detect phishing emails and see if companies suffered a data breach.
For example, I once got an email to my personal address, saying my credit card account was deactivated. I immediately knew this wasn’t legitimate, because the real account was registered with a unique, randomly generated email and not my personal one.
If it had been, I may very well have clicked the link and fallen victim to the phishing attempt. On the other hand, if I had gotten an email to this unique one from anyone other than the credit card company, I’d know that a data leak happened.
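The two checks described above, written out as a small added example (this is not code from AnonAddy or from the original post). The addresses, domains and alias registry are constructed, and it assumes the To header still carries the address the mail was sent to:

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed registry (all values made up): the personal inbox, plus each
# masked alias with the service it was given to and that service's sender domains.
PERSONAL = "me@personal.example"
ALIASES = {
    "3f1c9a52-7b1e-4c1d-9e0a-2d6f8b7a1c11@alias.example": ("Example Bank", {"examplebank.example"}),
    "a81d0c77-02f4-4b7e-8f3a-5c9e1d2b3a44@alias.example": ("Example Shop", {"exampleshop.example"}),
}

def _domain_matches(sender, domains):
    d = sender.rsplit("@", 1)[-1]
    return any(d == dom or d.endswith("." + dom) for dom in domains)

def classify(raw):
    # Returns (verdict, service). From can be forged, so "expected" only
    # means "consistent with the registry", not "authenticated".
    msg = message_from_string(raw)
    name, sender = parseaddr(msg.get("From", ""))
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    name, sender = name.lower(), sender.lower()
    if rcpt in ALIASES:
        service, domains = ALIASES[rcpt]
        if _domain_matches(sender, domains):
            return ("expected", service)
        # Someone other than the service knows this alias: leak or resale.
        return ("alias-leaked", service)
    if rcpt == PERSONAL:
        for service, domains in ALIASES.values():
            # The service only knows the alias, so mail claiming to be from
            # it that lands on the personal address cannot be genuine.
            if service.lower() in name or _domain_matches(sender, domains):
                return ("suspected-phishing", service)
        return ("personal", None)
    return ("unknown-recipient", None)

def _mk(frm, to):
    return f"From: {frm}\nTo: {to}\nSubject: test\n\nbody\n"

BANK_ALIAS, SHOP_ALIAS = list(ALIASES)
SAMPLES = {  # constructed sample messages
    "bank_ok": _mk('"Example Bank" <alerts@examplebank.example>', BANK_ALIAS),
    "shop_alias_spam": _mk('"Deals" <promo@bulkmail.example>', SHOP_ALIAS),
    "bank_phish": _mk('"Example Bank Security" <support@examp1ebank.example>', PERSONAL),
    "friend": _mk('"Alice" <alice@friends.example>', PERSONAL),
}
print({label: classify(raw) for label, raw in SAMPLES.items()})
```

An "alias-leaked" verdict is the cue to deactivate that alias and generate a new one for the service.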
Companies get hacked, and it’s really just a matter of when, not if, so compartmentalizing your personal information is a no-brainer thing to do.
Now you may wonder what would happen if one of these masked email services also suffered a data breach.
In the case of AnonAddy, just your forwarding and masked emails and maybe their descriptions would be leaked, rather than a bunch of personal information too.
You could restore your privacy by changing the receiving address to something else and generating new masked addresses over time.
This makes the leaked data almost useless to attackers trying to harvest and piece everything together.
To mitigate this scenario even further, forward emails to a low-value alias instead of your personal address.
You could also just self-host the application yourself, removing AnonAddy’s servers from your own attack surface.
Either way, it’s a much more secure setup than registering a shared address across all of your accounts.
At the end of the day, I almost view email addresses and usernames as just another kind of password, except you give out one of them to people for communication.
To log in to an account, you need to provide two passwords, which is why it’s so important to pick something random and unique for both.
Keep everything locked away in your password manager and you’ll be operating with strong digital security from now on.
Really hope the concepts and methods I shared in this blog have been valuable for you. Share it with your friends if you think it’d be valuable for them too.