Life is Better without Username Reuse (email aliases FTW!)

Facebook, LinkedIn, Amazon, PayPal, Yahoo, Google. We keep accounts with many of these websites. They and many others use email addresses as the first half of the classic username and password combo. They do this because email addresses are unique and double as a reasonably secure communication channel with the user. And of course we often sign-up for things online to receive information by entering our email address. All this email address sharing, while technically nothing being wrong with it, unfortunately causes several highly annoying problems. These problems can be solved, or at least made far easier to deal with, by leveraging email address aliases. An email alias is where you create one or more email addresses that all send to the same account, vaguely similar to desktop folder shortcuts.

With email address sharing / username reuse, by far the biggest problem we run into is spam. And the more we share and reuse our email addresses across systems, the bigger the spam problem becomes. Sometimes websites sell our email addresses. Other times they share them with third-partie business partners, and from time to time they get leaked in a data breach. Whatever the case, once an email address is out there, it’s out there. No taking it back and no amount of mailing list opting out will help. I know. I’ve tried.

There are other problems too. Anyone who knows your email address can easily determine what systems you’re using (i.e. “This email address is already registered.”). This issue is not only a privacy issue, but a potential security issue as it makes it easier to target your account via brute force, phishing, password recovery hacks, etc. And of course when you have several online accounts, you’re constantly notified via email, which explodes your inbox. Creating rules in your email app using strings in the subject or content body helps, but doing so isn’t easy and never comprehensive. When all these problems are tied to your email email address, there is no escape. You can’t easily kill or change your main email address because all your friends, family, and business contacts use it too.

My solution to these problems, which has been working great, is by using email address aliases based on custom domain name. For example, my personal domain is jeremiahgrossman.com. So as an example, I create a new email alias that’s just for Facebook, like fb@jeremiahgrossman.com. Or on Paypal it would be pp@jeremiahgrossman. You can technically use any email alias for this purpose, even a random one. When email is sent to these aliases they automatically forward to my main email address. I never reuse these email address aliases for any other than their intended use, and never use my main email address to register for anything if I can help it.

It does cost a few bucks to pay for domain name and email hosting, but it ain’t much these days and the value is WAY worth it. When things are set up this way, I can be reasonably sure that any email to these aliases, that is supposedly from them, is legit and not a phishing scam because no one else knows the email address / username I used. And since the particular website is only using the email address alias I gave them, inbox rules are way easier.

Then if the email address is leaked, gets spammed out, or whatever, I can just kill it off, create another, and change the account email address / username. The up front work is a little tedious, but again, worth it. And the best part, when you have your own domain name, email aliases are essentially free — I’ve about 100 now. And there is no reason you can’t use any old crap domain name either.

Good luck!

This is a Security Bloggers Network syndicated blog post authored by Jeremiah Grossman. Read the original post at: Jeremiah Grossman