Is relying on one email address a security risk?
The high-profile hacking of US tech journalist Mat Honan is reason for all of us to pause and reevaluate our own security measures. Strong passwords, two-factor authentication and hard-to-guess security questions are a few issues we should all think about, but one of Honan's key security weaknesses was that he used the same few publicly available email addresses to access a wide range of services. I'm sure he's not the only person who relies on one email address to rule them all.
Admittedly using one email address as a central inbox, such as a Google or Apple account, is a great way to manage your digital presence and address information overload. The problem is that if someone manages to hack into that primary email account, via technical trickery or a social engineering scam, they're now in the command centre of your digital life. From here they can see which other services you use and attempt to trigger password resets, with the reset details sent to the inbox they've hacked. Their job is even easier if you use the same email address as the login for various services, giving the hacker one more piece of the puzzle when trying to run social engineering scams.
One way to add an extra layer of protection is to create email aliases to use as your logins for various services. Many email services make it easy to create aliases such as email@example.com, firstname.lastname@example.org and email@example.com which forward to your primary firstname.lastname@example.org inbox. This is a great way to identify who is leaking your address to spammers, as you've got the flexibility to create another alias without changing your primary email address. But aliases are also great for creating unique login details, assuming you never use those email addresses for anything else. Hackers targeting your Apple, Amazon and Dropbox accounts won't get far if they're using email@example.com as your login, but of course you should use a less obvious naming convention than simply firstname.lastname@example.org. You don't want to make it easy for hackers to guess those unique email aliases.
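As an added illustration (not code from the original article), here is one way to give each service a login alias that follows no guessable naming convention, while still letting you work out which service leaked an alias to spammers. It assumes a hypothetical local secret and a catch-all domain whose addresses all forward to your primary inbox; both values below are constructed placeholders.

```python
import hashlib
import hmac

# Constructed placeholders: use a long random secret and your own forwarding domain.
ALIAS_SECRET = b"replace-with-a-long-random-secret-kept-offline"
ALIAS_DOMAIN = "example.org"


def service_alias(service: str, secret: bytes = ALIAS_SECRET,
                  domain: str = ALIAS_DOMAIN) -> str:
    """Derive the login alias for one service.

    The local part is an HMAC of the service name under a secret that lives
    only with you, so an attacker who learns one alias, or reads the whole
    inbox, cannot infer the alias used for any other service.  The service
    name is deliberately not embedded in the address.
    """
    name = service.strip().lower()
    tag = hmac.new(secret, name.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
    return f"{tag}@{domain}"


def identify_service(alias: str, known_services, secret: bytes = ALIAS_SECRET,
                     domain: str = ALIAS_DOMAIN):
    """Work out which service an alias was issued to, e.g. when it starts
    receiving spam.  Recomputes the alias for each service you know you
    signed up with; without the secret this lookup is not possible."""
    for service in known_services:
        candidate = service_alias(service, secret, domain)
        if hmac.compare_digest(candidate, alias.strip().lower()):
            return service.strip().lower()
    return None


if __name__ == "__main__":
    services = ["Apple", "Amazon", "Dropbox"]
    for s in services:
        print(f"{s:8s} -> {service_alias(s)}")
    # Constructed example: a spam message arrives addressed to one of the aliases.
    leaked = service_alias("Dropbox")
    print("Leaked by:", identify_service(leaked, services))
```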
Of course the flaw in this plan is that all those aliases still feed into your primary email@example.com inbox. So if a hacker breaks into firstname.lastname@example.org they might discover your email@example.com alias. If they can trick Apple into sending a password reset to firstname.lastname@example.org those reset details will still end up in the hacker's hands at email@example.com. Using aliases makes a hacker's job a little harder, but it's not a foolproof solution.
This is where two factor authentication and hard-to-guess security questions can be useful, making it harder for a hacker to execute a password reset even if they have access to your primary inbox. It's certainly worth checking to see which of your service providers offer two factor authentication and spending a little time understanding how it works. It's also worth looking over your security questions, which you may have set years ago, to see if they're secure. If a savvy Google search could turn up the answer, you need to change the question.
Rather than using email aliases, or perhaps in addition to them, you might also consider creating a totally separate email account which isn't associated with your primary account, and using it only for receiving password resets. Email services generally give you the option to specify which email address your password resets are sent to. But other services generally insist on sending reset details to the email address you used to create your account, which is probably your primary email address or one of its aliases.
If you're using a separate email address for password resets, it's important to ensure it's secure and that you don't leave a paper trail that will lead hackers to that account. Unfortunately some services reveal the details of your backup email address when you request a password reset, which can tip off hackers. Sending password resets to an alias of that separate email address could offer extra protection, so even if hackers discover the alias they don't know the login details for your separate email address.
It all gets a little complicated and there's no silver bullet when it comes to online security. But avoiding the temptation to use one email address (and one password) for everything is certainly a step in the right direction. How have you beefed up your online security?