9

I have a domain email address which in addition to being able to create multiple mail accounts allows the creation of aliases for each inbox.

Is there any benefit to security in using a different email alias for every website/service I have an account/will make an account for in the future? Specifically from the angle of data breaches?

My thought is that if a breach happens and accounts are compromised, in addition to changing the password I can simply nuke the alias and create a new one and switch the account email to that.

Wuubb

3 Answers

7

Indeed I do this quite often.

GMail has a feature where you can do this using the '+' sign. According to Google:

Append a plus ("+") sign and any combination of words or numbers after your email address. For example, if your name was hikingfan@gmail.com, you could send mail to hikingfan+friends@gmail.com or hikingfan+mailinglists@gmail.com.

The benefits are around 2-fold (at least to me):

  1. It makes credential stuffing much harder, as emails for one account won't match another. Although unique passwords are the best solution for this, different emails are an additional layer of security.
  2. If I get spam emails that originated from a breach -- at least I know where that email came from, and know which breaches affected me.

And because Google makes this so easy (I do not have to create any aliases, it automatically happens), I do this for every account that requests my email.

keithRozario
    My only problem with this as a security consideration is that it's public knowledge and it would be trivial to strip the alias if any spammer actually wanted to. It will work for those lazy ones though. – zero298 Jan 31 '20 at 07:57
  • Would [email forwarding with Google Domains](https://support.google.com/domains/answer/3251241) be a better solution? It allows for up to 100 aliases, and it would be actual addresses instead of plus addressing. – Wuubb Jan 31 '20 at 13:45
1

I don't think you should worry about this, at least not for the reasons you mention. Emails are typically not treated as private data when used to sign up for a website.

If your policy was to destroy the email every time it was exposed publicly then you would have to delete it immediately after signing up for websites that use it as your username.

MikeSchem
  • I'm not concerned about it being public so much as being associated with an account. If I change the email and the password then both pieces of information are invalid and someone can't try and hack the email or spoof it or something to try and reset the password. Unless that's not possible anyways. – Wuubb Jan 31 '20 at 13:14
  • I think you should look into email spoofing. You don't even need the email to be valid to spoof it. Just like mailing a physical letter nothing stops you from writing an address in the return address field that does not exist. – MikeSchem Jan 31 '20 at 17:00
  • As far as getting into the mail account and resetting the password, you need to assume that a hack that exposes the email doesn't make it any easier as it's already public. The only way to secure against that is to use complex unique passwords. – MikeSchem Jan 31 '20 at 17:02
1

Logins

Using aliases for certain apps/services will segregate that account from the primary email address and/or account. If the email is somehow revealed, there is little risk. The account has no login capabilities (as it is only an email alias) and thus any brute force login attempts will be a waste of time for the attacker.

Conversely it works well as a honeypot since any login attempts to your primary email provider using an email alias indicates nefarious activity.

Example: suppose my primary username and email is primary@domain.com. An alias gets created for an online service, OnlineService@domain.com. OnlineService cannot log in to primary.

Spam/Phishing

Having unique aliases can also help to identify spam/phishing. Suppose an alias is created for your eBay account and an email regarding an insurance payment is received. If the primary account were used for all external services, perhaps the email would have been read. However, something regarding insurance delivered to your eBay alias can be quickly deleted.

Data Breach with Unique Credentials

Any breach would only impact the service where the breach occurred. For example, if GMail is being used and a data breach hits eBay, then only the logon credentials used for eBay would need to be changed. Really only the password would need to be changed.

Data Breach with Shared Credentials

If logon credentials are being shared across services then a data breach in one app/service would impact any app/service using those same credentials. This is why credential sharing is bad.

Documentation

The downside of the approach you're inquiring about is keeping track of all the aliases and associated passwords. Consider using a password manager or an offline method like a notebook to manage this.

phbits
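As an added example (not code from any of the answers), the two mechanics discussed in this thread in Python: canonicalisation shows why plus addressing, as zero298 notes, collapses trivially back to the base mailbox while a real alias on your own domain does not, and a small log scan implements phbits's honeypot observation by flagging login attempts made with a per-service alias. The addresses, alias table and log lines are constructed for the example.

```python
import re
from typing import Iterable

# Constructed sample data: a primary mailbox and the per-service aliases
# created for it (hypothetical addresses, not taken from the thread).
PRIMARY = "primary@domain.com"
SERVICE_ALIASES = {
    "onlineservice@domain.com": "OnlineService",
    "ebay@domain.com": "eBay",
}

def canonical(address: str) -> str:
    """Collapse a plus-addressed alias to its base mailbox.

    Plus addressing is public knowledge, so anyone can strip the '+tag'
    part. A full alias on your own domain has no such marker and does not
    collapse, which is why domain aliases hold up better for this purpose.
    """
    local, _, domain = address.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    return f"{local}@{domain}"

# Constructed auth log in a simple "ts login user=<addr> result=<ok|fail>" shape.
AUTH_LOG = """\
2020-01-31T07:57:01Z login user=primary@domain.com result=ok
2020-01-31T08:02:14Z login user=OnlineService@domain.com result=fail
2020-01-31T08:02:15Z login user=ebay@domain.com result=fail
2020-01-31T08:03:40Z login user=primary@domain.com result=fail
"""

LOG_RE = re.compile(r"^(\S+) login user=(\S+) result=(ok|fail)$")

def alias_login_attempts(lines: Iterable[str]) -> list[tuple[str, str, str]]:
    """Return (timestamp, alias, service) for each login attempt that used an
    alias rather than the real mailbox. Aliases cannot log in, so every hit
    is a honeypot signal and names the service whose address was exposed."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, user, _result = m.groups()
        user = user.lower()
        if user in SERVICE_ALIASES:
            hits.append((ts, user, SERVICE_ALIASES[user]))
    return hits
```

Running `alias_login_attempts(AUTH_LOG.splitlines())` on the constructed log yields the two alias attempts and attributes them to OnlineService and eBay; the failed attempt against the primary mailbox is ordinary and is not flagged.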