3DSC 2.16: Use Unique Usernames for Online Accounts

Giving out your email address can introduce some vulnerabilities.  While most of these are privacy concerns, there are some security concerns with this, as well.  Your email address is attached to your “real” accounts.  This allows advertisers, data-aggregators, and hackers to see linkage between your accounts.  Security-wise, your email address is your username for some services.  If an attacker tries to hack one of your accounts (your Amazon.com, bank, or Facebook account), he or she probably already knows your username.

Difficulty: Intermediate
Active Time: 5 minutes per account
What it Protects You From: Account takeover, account correlation, spam

Unique Usernames for Online Accounts

It is a good idea to avoid giving out your real email address.  How do you do this and still get mail?  Today’s task is to use an email masking service.  There are several such services out there, and two that I recommend: Blur and 33Mail.

Blur: Free Blur accounts offer masked emails that look like this:  592647eb@opayq.com.  My favorite feature of these is that they leak no information about you.  To use a Blur masked email address, set up a free Blur account.  Click on the “Masked Email” icon.  In the popup, enter what the email address is to be used for.  It doesn’t have to be too descriptive, but it should be something you will remember.  Premium Blur accounts offer a number of other features including masked phone numbers and credit cards.  I wrote about it here.

33Mail:  This email masking service works a little differently.  You create an account and are given a custom domain.  For instance, if I choose “securityguide” as my username, my custom domain will be @securityguide.33mail.com.  Once my account is created I can make up email addresses on the fly; as long as mail is sent to ___@securityguide.33mail.com, it will be forwarded to my real email address.

How to use them:  Both of these email masking services will allow you to give out a disposable email address, and will forward mail to your real account.  Neither requires you to log in to the forwarding account to get your mail.  If an email address starts to receive spam with either service you can log in and turn that address off.  I recommend using both, and here’s why.  I like Blur best because the addresses do not create linkage between accounts.  All of your 33Mail addresses, however, will share a common custom domain that can link all your accounts together.  It is also possible to spam 33Mail accounts.  If someone knows your custom domain they can send emails to an infinite array of addresses.  So what is the benefit of 33Mail?

Blur masked emails must be set up in advance.  Because they are random, they are also difficult to remember.  33Mail addresses can be made up instantly.  Did you stop into an open-house and feel compelled to give your email address?  No problem – openhouse@securityguide.33mail.com.  I admit a general preference for Blur addresses.  Blur’s security is much better (they support very long passwords and two-factor authentication), but 33Mail is undeniably handy.
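An added example (not from the original post): a short Python audit of your own account list that shows which sign-up addresses can be tied together, contrasting random masked addresses with aliases on a personal forwarding domain.  The sample inventory is constructed, the function names are hypothetical, and treating plus-tags as strippable goes slightly beyond what the article covers.

```python
from collections import defaultdict

# Assumption: forwarding services that give each user a personal subdomain,
# as 33Mail does in the article (name@securityguide.33mail.com).
PER_USER_PARENTS = ("33mail.com",)

def linkage_key(address):
    """Return the part of an address an observer could use to link accounts."""
    local, _, domain = address.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if any(domain.endswith("." + parent) for parent in PER_USER_PARENTS):
        return domain                    # every alias on a personal domain links
    local = local.split("+", 1)[0]       # a plus-tag is trivially stripped
    return f"{local}@{domain}"           # otherwise only the same mailbox links

def linked_accounts(accounts):
    """Map linkage key -> sorted services, for keys shared by 2+ services."""
    groups = defaultdict(set)
    for service, address in accounts.items():
        groups[linkage_key(address)].add(service)
    return {key: sorted(svcs) for key, svcs in groups.items() if len(svcs) > 1}

# Constructed sample inventory (service -> address used at sign-up).
ACCOUNTS = {
    "amazon": "592647eb@opayq.com",          # masked address format from the article
    "netflix": "a81c03d2@opayq.com",         # constructed masked address
    "openhouse": "openhouse@securityguide.33mail.com",
    "newsletter": "news@securityguide.33mail.com",
    "forum": "jane.doe+forum@example.com",   # constructed real mailbox with plus-tag
    "bank": "Jane.Doe@example.com",
}

if __name__ == "__main__":
    for key, services in linked_accounts(ACCOUNTS).items():
        print(f"{key}: {', '.join(services)}")
```

The two random masked addresses never appear in the output because nothing in them is shared, while the 33Mail aliases and the plus-tagged mailbox each collapse to a single key.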

3 thoughts on “3DSC 2.16: Use Unique Usernames for Online Accounts”

  1. Justin,

    Want to start off by saying I’m a big fan of your website and thank you very much for what you are doing.

    I had a question – do you recommend using “burner” e-mails for any and every service?

    For context, I have signed up for both Proton Mail Premium (w/ 10 addresses) and Blur at your advice, so I am just trying to decide what situations (if any) should I be using my ProtonMail accounts – or if I should just be using Blur’s burners for most things and forwarding to my PM account.

    1. I use a “real” Proton alias for anything that would be extremely costly to lose (cost being measured in money AND time). For example, my bank, Privacy.com account, and similar services will get a ProtonMail alias. Almost everything else (Amazon, Netflix, etc.) will get a Blur address. I think Proton aliases are a little more resilient than forwarding services, and the information contained in these emails is a bit more sensitive so I don’t want them bouncing through a bunch of forwarding services. Hope that helps!

      Justin

      1. That definitely helps – thanks for the clarification!

        Keep the good posts coming – you have the best actionable advice on the internet when it comes to personal security.
