> Create a new email address for every service we sign up for?
Exactly that, yes! Various services like icloud or proton offer "hide-my-email" addresses, or you can use any email service and just leverage a dedicated email aliasing service like SimpleLogin (paid but cheaper).
This way your email addresses are always random, and since these are shared services, the fact that it's random doesn't identify you either. In proton's / simplelogin's case, you can even set the display name used and email first, so from the outside it's not going to appear as strange, or have any real limitations.
If you think about it, modern email services don't really allow for easily testing if an email address is valid or not, so pretty much the only way your email is ever found out is if you share it on. So never share it on. Always share an alias instead. With automated systems, you may even want to rotate it every so often, so that if there's a leak, you can identify not just who leaked, but also roughly when.
Fixed identifiers, like an email address, are terrible, as their lifetime is always significantly longer than whatever context they're being used in for.
Truly unique email addresses and passwords per service is the strongest approach, but there may be alternatives. For instance, Gmail allows address+tag@gmail.com, which will save you from the lowest hanging fruit (block the +tag when it’s compromised to prevent the laziest spam from reaching you). iCloud also allows automatically generating a new email address that forwards to your inbox for a new account when using iCloud Keychain (possibly when using other password managers too, but I haven’t tried).
Gmail's +tag (and the .) is nice in theory, but terrible in practice. It's super easy for malicious actors to just drop them and there are a few services out there that simply are not able to work with the +tag, potentially getting you locked you out of your own account. Not gmail's fault, but I would recommend against using it.
Exactly that, yes! Various services like icloud or proton offer "hide-my-email" addresses, or you can use any email service and just leverage a dedicated email aliasing service like SimpleLogin (paid but cheaper).
This way your email addresses are always random, and since these are shared services, the fact that it's random doesn't identify you either. In proton's / simplelogin's case, you can even set the display name used and email first, so from the outside it's not going to appear as strange, or have any real limitations.
If you think about it, modern email services don't really allow for easily testing if an email address is valid or not, so pretty much the only way your email is ever found out is if you share it on. So never share it on. Always share an alias instead. With automated systems, you may even want to rotate it every so often, so that if there's a leak, you can identify not just who leaked, but also roughly when.
Fixed identifiers, like an email address, are terrible, as their lifetime is always significantly longer than whatever context they're being used in for.