Bottom Line Up Front: Managing your email addresses by choosing how many to have, where to have them, and how to use them will allow you to be safe and effective in the digital wild wild west of today’s internet.
As I have already discussed in 3 Simple Steps to Stronger Online Security, managing usernames and passwords is essential to protecting yourself online. However, doing only that still leaves your largest vulnerability open: the security of your email account.
The email address is basically the center of your online universe because:
- Almost every service requires one to sign up.
- When you can’t remember your strong password, the reset link goes to your email address.
- When people want to send you something official digitally, they send it to your email address.
- Many services use your email address as the username for your account.
Implicit in all of this is that you are in control of your email account. The damage from losing control of your email address can be profound. Consider this scenario of escalating online attacks:
Annoying – Someone guesses or brute-forces your Facebook password. They spam all of your friends with direct messages about their stupid porn site or purse knock-off site. You figure it out and regain control by resetting your password via your email address. One-time attack.
Damaging – Someone figures out ONLY your email account password. They don’t know your Facebook password, so they just wander over to Facebook, enter your email address, and request a password reset; the reset instructions land in the inbox they now control. They change both passwords and lock you out of the email account and the Facebook account. You can try to prove to Facebook that this happened, but how? The way Facebook verifies you is through your email address! You might be able to use your phone number to verify your identity, but the attacker has already removed it from the account’s recovery settings. They have probably cut you off from thousands of people. How can you let people know your email account was hacked? You can’t email them. How do you let them know your Facebook account has been taken over? You can’t message them. You may have your phone, but you probably don’t have the phone numbers of everyone you were Facebook friends with anyway. For some people whose life revolves around Facebook, this would ruin their social lives (sad, very sad, but it’s true).
Before you think the pain is over, imagine what else someone could do knowing just your email address and password. Step outside the social media world. Online banking? Credit cards? Anywhere you have an account, because your email address is probably the gateway to entry. What could they do? Maybe they don’t take any money or do anything except reset all your passwords, harvest as much personal information as possible, and/or just make your life really, really annoying (cancel your credit cards). Maybe they simply deny you your email address forever. You’d have to reset all your accounts or start new ones because, again, the way you prove you are you is with your email address.
Scared yet? Hope so. Let’s fix it.
Tip #1: Use Many Email Addresses
I used to have one email address I used for everything (official banking, shopping, newsletters, trials of services I knew I’d never use). Then I slowly began to realize I was creating a very clear online trail with just my email address. Not only was my inbox full of email I didn’t want to read, but I was also spreading my personal information everywhere, since all of it was tied to email@example.com.
I now manage multiple email addresses. I have some at Gmail, some at Yahoo, some at Microsoft. I don’t want the good people at newsletter X or Twitter to associate firstname.lastname@example.org with the me who banks at X bank using email@example.com, the address that has my actual physical address tied to it.
I believe you should have at least three different email addresses: Personal, Anonymous, and Work. Personal is the one you’d give to your sister to contact you, or use to sign up for Facebook or Amazon.com. Anonymous is the one you’d use to sign up for something like the MISSION: Capable SITREP (shameless plug), or for a Twitter handle that you don’t want associated with you. Work is for work things. You should not be getting Amazon emails or Facebook notifications at your work address. Bad business (pun intended).
You can expand Personal into multiple personal addresses, or Anonymous into multiple anonymous ones. I use several of each every day.
You can sign up for as many online addresses as you can stand to manage, so have at it.
Tip #2: Create Impersonal Email Addresses
The most common bad idea I see every single day: you do what we all did in the 90s and make your email address something that gives away personal information about you. Take the firstname.lastname@example.org classic. Why do you want everyone to know your name just by your email address? Do you think you could ever use it anonymously in any capacity? Or email@example.com. Bet your name is Daniel and you were born in June 1975.
When I create an email address to be used as a personal account for a friend or family member, I pick something identifiable only if you already know them, plus random numbers. Example: if my son’s name were Joshua Johnson, I might come up with firstname.lastname@example.org. This is loosely associated with his name but doesn’t inherently give away who he is. If I were making an anonymous one for him, it would be something like email@example.com (a made-up word plus numbers). You could go counter-intel on them and try something like firstname.lastname@example.org: it looks like bad security (name and birthday), but you are actually using a name other than your own with a made-up birthday. You could go completely random, like email@example.com, but there is some value in being able to actually remember your email addresses at times.
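As an added example (not code from the original post), the following Python implements the two halves of this tip: a checker that flags a proposed address local-part if it contains the owner’s name, birth year, or month/year digits, and a generator that builds a made-up pronounceable word plus digits from the `secrets` module and only returns one the checker passes. The owner profile (“Daniel Smith”, June 1975) is constructed for the demonstration; the “counter-intel” address with someone else’s name and a made-up birthday passes the check because it is only compared against the owner’s own data.

```python
import re
import secrets

# Constructed owner profile for the demonstration (hypothetical person, not real data).
OWNER = {"names": ["daniel", "smith"], "birth_year": 1975, "birth_month": 6}

# A 19xx/20xx run not glued to other digits; and mmYY / mmYYYY digit runs.
YEAR_RE = re.compile(r"(?<!\d)(19\d{2}|20\d{2})(?!\d)")
MONTH_YEAR_RE = re.compile(r"(?<!\d)(0[1-9]|1[0-2])(\d{2}|\d{4})(?!\d)")


def pii_leaks(local_part: str, owner: dict) -> list[str]:
    """Reasons the local-part of an address ties back to its owner.

    Flags owner names as substrings (so 'dsmith75' counts), the owner's
    birth year, and mmYY / mmYYYY digit runs matching the owner's birth
    month and year.  An empty list means nothing obvious leaked.
    """
    lp = local_part.lower()
    reasons = []
    for name in owner["names"]:
        if name in lp:
            reasons.append(f"contains name '{name}'")
    for m in YEAR_RE.finditer(lp):
        if int(m.group(1)) == owner["birth_year"]:
            reasons.append(f"contains birth year {m.group(1)}")
    yy = str(owner["birth_year"])[-2:]
    for m in MONTH_YEAR_RE.finditer(lp):
        month, year = int(m.group(1)), m.group(2)
        if month == owner["birth_month"] and year.endswith(yy):
            reasons.append(f"contains birth month/year digits {m.group(0)}")
    return reasons


CONSONANTS = "bdfgklmnprstvz"
VOWELS = "aeiou"


def random_handle(syllables: int = 3, digits: int = 3) -> str:
    """A made-up pronounceable word (consonant-vowel syllables) plus a few
    digits, all drawn from the cryptographic `secrets` generator.
    Three syllables and three digits give (14*5)^3 * 10^3, about 3.4e8,
    possibilities: unguessable, yet still something a person can remember.
    """
    word = "".join(secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
                   for _ in range(syllables))
    number = "".join(secrets.choice("0123456789") for _ in range(digits))
    return word + number


def impersonal_handle(owner: dict, attempts: int = 100) -> str:
    """Generate a handle and reject any that happens to leak owner PII."""
    for _ in range(attempts):
        handle = random_handle()
        if not pii_leaks(handle, owner):
            return handle
    raise RuntimeError("could not generate a clean handle")


if __name__ == "__main__":
    for candidate in ("daniel0675", "dsmith1975", "samuel0981"):
        print(candidate, "->", pii_leaks(candidate, OWNER) or "clean")
    print("suggested anonymous handle:", impersonal_handle(OWNER))
```

The checker is deliberately loose (substring matches, any year-looking digits), because the goal is to catch the habit of encoding yourself in an address, not to be exact about it.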
Tip #3: Use a Modern Email Service That is Cloud-based
There is a reason most people use Gmail now: a good user interface and good technology. Yahoo and Outlook.com are OK too. The best reason to use a cloud-based email service rather than the address that comes with your internet service provider (ISP) is that it transcends the here and now. Back in the day (the 1990s, in internet-speak) you got email addresses assigned to you when you signed up for internet service, so when you got AOL, you got AOL email addresses with it. Same with Comcast, Time Warner or RoadRunner. But when you change ISPs or move somewhere that ISP doesn’t serve, there goes your email address. Gmail, Yahoo, Outlook, etc. stay the same no matter who your ISP is.
Quick FYI: some people will judge you based on your email address alone. If you send me something from firstname.lastname@example.org or email@example.com or firstname.lastname@example.org, I assume you are technologically unsavvy right off the bat. A future employer may actually take this into consideration when hiring.
Tip #4: Use Two-Factor Authentication
This is the most important thing you can do, even more than having good strong passwords. Basically, two-factor authentication means that logging in requires not only the standard username and password but also a one-time confirmation code, which usually arrives as a text message. You go to Gmail.com, log in, and it texts you a 6-digit code that you must enter before you can get into your account. An attacker would need not only your password but also access to your phone to get into your Gmail account. Where the service offers it, an authenticator app that generates the code on the device itself is preferable to a text message, since a text can be redirected by someone who takes over your phone number. You can do this on Gmail, Yahoo, and Outlook.com. See the instructions below. You should be using two-factor authentication for everything you can, by the way, not just email: Facebook, Twitter, Dropbox, Evernote, etc.
NOTE: If you are using two-factor texts, please lock your phone (pattern, PIN or fingerprint) AND turn off previews of text-message content on the lock screen, so a stolen phone doesn’t hand the code to whoever picks it up.
A Plan of Action
For the sake of the example, I will assume you have one main email address (probably Gmail) with a very obvious name like email@example.com, plus a work account given to you by your employer. Do the following things, in this order, to take control:
1. Enable two-factor authentication on your primary account.
2. Create a new anonymous email address.
3. Begin using your anonymous email address for non-personal things.
4. Enable two-factor authentication on as many services as possible that you use that offer it.
Is It Worth The Effort?
There is a price to pay for increased security: more time and effort. It is much easier to use one email address and the same password everywhere. It is much easier to leave your phone unlocked so you don’t have to log in every time you turn it on. It is much easier to do a lot of things, but we don’t do them because in the end they are a bad idea. Be informed of the risks and make educated decisions. If you are comfortable with one email address and no two-factor authentication, that is your call entirely. Just make sure you are doing it consciously rather than simply being unaware. For me, the peace of mind is worth the extra effort.
Finally, there is a lot more you can do if you are interested in true security and privacy online, such as using a VPN. There are still ways to spoof your phone number and to collect keystrokes and passwords from you, and you should never connect to unsecured Wi-Fi hotspots. However, managing your email addresses is a very simple thing you can do to make a big improvement in your online security quickly and easily.
Question: Is all of this necessary, a best practice, or just unnecessary complications in your life? Post thoughts to comments.
References & Further Reading