It’s good practice these days to use a different password for every login you use. But what about the other factor you use to login? Nine times out of ten that’s your email address.

I strongly believe that we should all be keeping our email addresses as secure as our passwords. It’s a really important attack vector as it’s often the starting point for any targeted attack. Triggering important security processes (e.g. reset password, social engineering attacks) are trivial once you know someone’s email address.

Worse still, almost all websites and services store email addresses in plain text, and that means it’s inevitable that your email address will end up hacked. Put your email address into Troy Hunt’s “have I been pwned?” service to see. I have an email address that has been exposed in 14(!) different breaches.

Emails are designed for communication, but we also use them for authentication and targeted marketing. For those use cases it should be private.

If you want to keep your email address private (you should), generate a new, random email address whenever you give yours out (the same way you use a password manager). If you have your own domain you can use a catch all/wildcard address, eg. *@mydomain.com, if you use gmail you can use their plus support, e.g. [email protected]

If you use neither or want more security then sign up for our service, IdBloc which makes it ridiculously easy to generate new, secure email addresses.