Hacker News new | ask | show | jobs
by keyle 3 days ago
At this stage just expect that every accounts will get leaked or rooted, it's a matter of when, not if...

Use varying email `plus addressing` (john+am2604@foo.com), varying passwords or passkey and 2FA on anything remotely important (use of your identity, not just financials).
5 comments
alexfoo 3 days ago
Plus addressing (or movable periods in gmail addresses, etc) is increasingly pointless for a whole host of reasons.

It may keep out the bottom x% of spammers/hackers but it doesn't do much for the increasingly sophisticated scams that are appearing.

If the bit before the + ends up in your inbox anyway then it'll just get stripped off and used. Spammers seeing this kind of thing across several breach dumps:

bob+trello@example.com, bob+spotify@example.com, bob+chase@example.com

and will leverage that to target spam at you for other sites, or just email bob@example.com as there's a good chance that'll get through.

Years ago I did a test with my own domain where I created who unique aliases with plus addresses, e.g. steve.smith+iawer@example.com, bob.jones+wpoqe@example.com

It didn't take long for emails to start arriving to steve.smith@example.com and bob.jones@example.com even though that email address had never been used anywhere ever before.

As others have said, you're better off just creating unique emails with `pwgen -s 16` such as wmR5pNhGI8yidU7N@example.com and storing that in your password manager alongside a similarly random password. (Yes, this is roughly what those unique email address services provide.)

Also many services/sites/providers simply assume the username is immutable. $DEITY forbid you might have to change your email address at some point in the future.

link
Cider9986 3 days ago
I recommend people use proper email aliasing, not plus addressing. Duckduckgo makes a free one that's can integrate into Bitwarden, if you have iCloud+ Apple's($0.99/month) hide my email is good. Addy.io and SimpleLogin are the best and allow PGP encryption to prevent another party having access to your emails, but they are paid for full features.

> Organizations like the IAB require that advertisers normalize email addresses so that they can be correlated and tracked, regardless of users' privacy wishes.

https://www.privacyguides.org/en/email-aliasing/#over-plus-a...

link
andrepd 3 days ago
The + trick is useless to protect you, obviously. Instead, use a a service like simplelogin to create unique emails for every place you sign in.
link
keyle 3 days ago
Correct, but you get to see who leaked you.
link
lionkor 3 days ago
Depends if the criminals are smart enough to strip the +.. part when sending you phishing.
link
AlienRobot 3 days ago
One time I clicked "I forgot my password" on a website and they e-mailed me my password.

Ever since I don't trust online services.

link
IshKebab 3 days ago
Plus addressing doesn't work well unfortunately - lots of poorly written websites will reject it.
link
keyle 3 days ago
+1 for not giving those websites your email in the first place!
link