Hacker News new | ask | show | jobs
by halfcat 251 days ago
> what does it mean for an email address* to be cryptographically strong?*

Something someone couldn’t guess, like:

<uuid>@domain.com

c4694056-63dd-476f-9823-2548aa3d754a@domain.com

> in case of hard to remember address, what do you do if asked to write it down with no access to your records?

It’s a tradeoff. You’d probably want to use the cryptographically secure addresses sparingly.

Another option would be to use your password manager to create a “memorable” password, which is usually multiple random words, like:

essay-curve-white-cable@domain.com

But again there’s only so many of these you’ll memorize, so use sparingly. Compare it to the cost of just changing the email. Maybe with a bank it’s more work and risk, so it’s worth the added effort, but if it’s the email you use to order pizza, just change it.
1 comments
commandersaki 251 days ago
Why are we doing this exactly?
link
halfcat 251 days ago
There’s an attack where you get signed up for mass marketing emails and your mailbox gets flooded with emails from mostly legitimate companies.

Say someone gets into an account you use to purchase stuff (Amazon, etc), but they don’t have access to your email account. They sign you up for this mail flood, then start buying stuff with your Amazon account, and legitimate notifications of purchases are lost in the noise with many thousands of emails from everything from Apple to Chuck’s Boat Rentals.

Using a unique and unguessable email lowers the chances of a more important account being affected (obviously at some point we’re splitting hairs).

link
commandersaki 251 days ago
I'm missing what purpose the high entropy alias does; from your description the attacker knows the email address and can still sign you up for mail flood?
link
catgirlinspace 251 days ago
I think the idea is your mail server is set to only accept emails to account names you’ve generated instead of being a catch all. So if one of the ones you generated is used for spam, you could just deactivate that one and move the service that email was associated with to a new generated email. and because there’s no catch all, an attacker can’t just sign up literallyanythingrandom@example.com with dozens or hundreds of different emails.
link