Remember that time when you registered your first email address? For many of you it was probably with America Online (AOL), Echomail, Yahoo, Hotmail, etc. How many of you are still using those accounts today? I venture to say probably a good number of you. I openly admit that I still use an account that I opened over 20 years ago, albeit, not as a primary address, but I still get an occasional email that may contain something interesting.
Even if you are not using the original email address you first registered, you are probably using an email address that you have had for many years. So why have you been using this address for such a long time? Let me guess…
- It is the greatest email address in the world (ok, maybe it is not). When you created it, you put a lot of thought into it so maybe it holds some sentimental value.
- It can easily identify you to your friends, family, and associates. How? Well because you probably used some combination of your first name, last name, the year you were born, maybe another significant date, etc. If you got fancy, you probably registered your own domain and gave all your family members email addresses that look like firstname.lastname@example.org.
So, the two points above while true are not the real reason you are using the same email address. The real reason you are using the same email address is because:
- Every site you created an account on, you have used the same email address. You have invested so much time and effort in developing an intimate digital relationship with each and every one of those sites.
Maybe you used your email address on 50, or over 100 different sites. The thought of using another email address was not even a thought. It never crossed your mind that you could use a different email address, and even if it did, you probably said to yourself “my primary one is easier to remember”. You also probably thought that because it is just an email address, it does not really matter. (You naturally aim to do and use things that are most familiar to you.)
Now what is the big deal with using the same email address on all of those sites? Some may say, “well nothing, I’ve always used the same email address”, or others may say “it’s just an email address, what should I be concerned about?”. If you have not figured out what the big deal is, go back and read the title of this article again to get a hint.
You have spent in some cases a short, and in others, a tremendous amount of time creating a new form of an identity for yourself that provides a great deal of convenience, but at a potentially huge cost (I will come back to that). This identity, your digital identity, does a lot of things for you today. It allows you to network both professionally and personally, it allows you to handle bank transactions and keep an eye on your balances, it allows you to keep track of your kid’s scholastic activities, it allows you to personally travel the world without ever leaving your seat. The one thing all of these things have in common is an email address. That email address was used so you could register an account to perform these actions. Without that email address, it would be nearly impossible to do a lot of these personal things.
This email address as you can see has become an important element of your life today. It identifies who you are, much like your social security number uniquely identifies who you are. (For those reading this that are located outside of the U.S, it would be whatever unique identifier defines who you are, wherever you are located.). Now that you understand that your email address is your new unique identifier, I want to tell you about the things that I think about when the thought of an email address crosses my mind. (They are quite concerning by the way.)
When you first heard that some or all of your information were part of a breach you probably thought to yourself, “oh there isn’t anything too sensitive up there, so the bad guys didn’t really get anything”, or some of you may have been a little more concerned and said “I need to go fix my account so someone doesn’t gain access to it”, and others may have attempted to reach out to the site’s support team, while the rest were probably just sitting around hoping that the site they were registered on would take care of the issue for them.
The disparity in concern amongst these individuals shows you that you or they do not really understand the severity of a website breach. In almost all breaches there is a loss of an email address. Remember what I said earlier, an email address is your unique identifier! For one breach, a loss of an email address may not be a big deal because it will be difficult to associate that email address to you. But with enough website breaches you can see how much easier it becomes to identify the owner of that email address. If you go back and look at all of the popular websites that have been breached so far you will probably find that you are registered on more than three of them.
Again, remember your email address is used everywhere on the web. You supply it when you subscribe to news alerts, you use it when you log into various websites, you need it to make purchases, and also to get friendly notifications about upcoming shipments and deals. Need I say more about how much your email address can identify who you are? I am sure at this point you can see how dangerous an email address is.
Ok, so I raised some awareness about some of the concerns about email addresses. You are starting to realize that protecting your email address is much more important than you thought, but how? How do you protect an email address that is potentially on 100 different sites? Well, it would be the same way you protect your social security number after giving it to every creditor, employer, doctor, etc. The simple answer is, you cannot protect the email address. It is already saved in the digital world, floating somewhere in the cloud you often hear about. (This cloud, so big and gray, that if it were to rain, it would drown even the thirstiest of rain forests! Okay, maybe not that bad, but it is a pretty big cloud). So, if you cannot protect it, what should you do your wondering. Dare I say, do not use email. That is a joke of course.
Before I get to some suggestions, I want to address another issue that I have with breaches. In fact, one of my suggestions will be included in this thought, but I think this is an important issue to address. When a site or vendor gets breached, the immediate solution is to reset your password, or if you do not have multi-factor (or two-factor) authentication enabled, to go turn it on. But, why are these sites not suggesting that you replace your old email address with a completely different email address. Have they accepted that no one will, because they would not do it themselves? Do you or they not realize that changing a password does not change your identity? If you use a different email address, is it possible to improve your security posture and conceal your identity? I personally think yes.
Why? Take for example some of the sites that allow you to check to see if your email address was part of a breach. If it allows you to check, it also most certainly allows the bad guys to do it too. These sites aggregate all of the breaches and their data points and then allow you to search to determine how many sites your information was compromised on, using your email address. What happens if you decided to use a new email address on a banking site you found was breached. No breach database or dark web post will have a record of that (until they get breached again.).
The point is, if you use email addresses wisely and know when you should be using a different one, you will be a little more secure. We all know that if your credit card number gets stolen, the bank issues you a new card with a new number on it. Email addresses should be treated the same.
So on to my suggestions, and they are in no particular order.
- If you use your email address on a very sensitive site and they were breached, consider using a different email address on that site.
- If you use the same email address use a unique password for every site.
- Email addresses should be as non-identifying as possible. It is too easy to figure out standard naming conventions.
- If you are a site operator, consider expiring email addresses too. We all know there are enough of those to go around.
- If you are using your own personal domain consider using email addresses with numbers in them, or develop some sort of short hand for your email addresses
- If you only want to use one email address, make sure you are doing everything to prevent a bad actor from gaining access to it. Turn on two-factor authentication, pay attention to the logged-in devices. Use a password that you do not use on any other sites. Look out for suspicious phishing email.
I have other thoughts on this and happy to discuss them further. Feel free to reach out.