3DSC 2.16: Use Unique Usernames for Online Accounts

Giving out your email address can introduce some vulnerabilities.  While most of these are privacy concerns, there are some security concerns with this, as well.  Your email address is attached to your “real” accounts.  This allows advertisers, data-aggregators, and hackers to see linkage between your accounts.  Security-wise, your email address is your username for some services.  If an attacker tries to hack one of your accounts (your Amazon.com, bank, or Facebook account), he or she probably already knows your username.

Difficulty: Intermediate
Active Time: 5 minutes per account
What it Protects You From: Account takeover, account correlation, spam

Unique Usernames for Online Accounts

It is a good idea to avoid giving out your real email address.  How do you do this an still get mail?  Today’s task is to use an email masking service.  There are several such services out there, and two that I recommend: Blur and 33Mail.

Blur: Free Blur accounts offer masked emails that look like this:  592647eb@opayq.com.  My favorite feature about these is they leak no information about you.  To use a Blur masked email address, set up a free Blur account.  Click on the “Masked Email” icon.  In the popup enter what the email address is to be used for.  It doesn’t have to be too descriptive but it should be something will remember.  Premium Blur accounts offer a number of other features including masked phone numbers and credit cards.  I wrote about it here.

33Mail:  This email masking service works a little differently.  You create an account and are given a custom domain.  For instance, if I choose “securityguide” as my username, my custom URL will be @securityguide.33mail.com.  Once my account is created I can make up email addresses on-the-fly; as long as they are sent to ___@securityguide.33mail.com, they will be forwarded to my real email address.

How to use them:  Both of these email masking services will allow you to give out a disposable email address, and will forward mail to your real account.  Neither requires you to login to the forwarding account to get your mail.  If an email address starts to receive spam with either service you can login in and turn that address off.  I recommend using both, and here’s why.  I like Blur best because the addresses do not create linkage between accounts.  All of your 33Mail addresses, however, will share a common custom domain that can link all your accounts together.  It is also possible to spam 33Mail accounts.  If someone knows your custom domain they can send emails to an infinite array of addresses.  So what is the benefit of 33Mail?

Blur masked emails must be set up in advance.  Because they are random, they are also difficult to remember.  33Mail addresses can be made up instantly.  Did you stop into an open-house and feel compelled to give your email address?  No problem – openhouse@securityguide.33mail.com.  I admit a general preference for Blur addresses.  Blur’s security is much better (they support very long passwords and two-factor authentication), but 33Mail is undeniably handy.

Leave a Reply