There are massive collections of databases online that find where breaches have occurred allowing attackers to dump the database of that service, then collect all those database dumps together to identify all known accounts under an email address. Then once that email account ever has a password breach attackers can look up and see ‘was this password used also on other accounts’ and attempt to use the same email and password on them. Moreover they will just try that email regardless of known affiliation, if they already have a user name and password across many online services, it’s safe to assume this will work sometimes. This is the essence of a credential stuffing attack.
https://www.abc.net.au/news/2024-01-19/what-is-credential-stuffing-scams-how-to-prevent-and-protect/103367570
https://www.abc.net.au/news/2023-05-18/data-breaches-your-identity-interactive/102175688
I’ve used abc here since I believe they write better for a lay person.
Edit: I meant to say, they can also create a profile of you and your many email addresses as demonstrated.
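The reuse pattern described in this comment is what a service operator looks for on the login side: one source trying many different accounts roughly once each, mostly failing, with the occasional success being the account that needs a forced reset. This is an added example, not code from the thread or the linked articles; the log format, thresholds and sample lines are constructed assumptions.

```python
"""Flag login sources that look like credential stuffing (added example)."""
from collections import defaultdict

# Constructed sample auth log: timestamp, source IP, account, outcome.
# 203.0.113.5 walks a list of accounts (stuffing); 198.51.100.7 is one
# user retyping their own password (not stuffing).
SAMPLE_LOG = """\
2024-01-19T10:00:01 203.0.113.5 alice@example.com FAIL
2024-01-19T10:00:02 203.0.113.5 bob@example.com FAIL
2024-01-19T10:00:02 203.0.113.5 carol@example.com FAIL
2024-01-19T10:00:03 203.0.113.5 dave@example.com SUCCESS
2024-01-19T10:00:04 203.0.113.5 erin@example.com FAIL
2024-01-19T10:00:05 203.0.113.5 frank@example.com FAIL
2024-01-19T10:01:00 198.51.100.7 alice@example.com FAIL
2024-01-19T10:01:05 198.51.100.7 alice@example.com FAIL
2024-01-19T10:01:20 198.51.100.7 alice@example.com SUCCESS
"""


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, ip, email, outcome = line.split()
        events.append({"ts": ts, "ip": ip, "email": email.lower(),
                       "ok": outcome == "SUCCESS"})
    return events


def find_stuffing_sources(events, min_accounts=5, min_fail_ratio=0.6):
    """Return {ip: stats} for sources that tried many distinct accounts
    with a high failure rate; 'compromised' lists accounts that succeeded
    from such a source and should get a password reset + session revoke."""
    per_ip = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                  "accounts": set(), "hits": set()})
    for e in events:
        s = per_ip[e["ip"]]
        s["attempts"] += 1
        s["accounts"].add(e["email"])
        if e["ok"]:
            s["hits"].add(e["email"])
        else:
            s["failures"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        fail_ratio = s["failures"] / s["attempts"]
        if len(s["accounts"]) >= min_accounts and fail_ratio >= min_fail_ratio:
            flagged[ip] = {"accounts": len(s["accounts"]),
                           "attempts": s["attempts"],
                           "fail_ratio": round(fail_ratio, 2),
                           "compromised": sorted(s["hits"])}
    return flagged
```

The thresholds are deliberately low so the small constructed sample trips them; on real traffic they would be tuned per service and combined with a time window.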
Those are full-blown attacks from hackers, so I’m sure they could profile you from bits of data across the net.
But if a layperson is using a different email per account, different username, a strong password, and 2fa, it’s going to be very hard to infiltrate their accounts, or even associate one account from another.
Not giving people the option to change their email makes a hacker’s job much easier!
What?! How!?
Layperson uses same email, same username, same password and 2fa only if it is required for an account.
Anything more and they aren’t the layperson anymore. They are security conscious in that they use different passwords or a password manager.
Anything more and they become paranoid (rightfully or not, it isn’t for me to judge, as there are jobs that require as much protection as possible).
When an email is compromised, changed, and there isn’t any footprint due to deletion of any suspicious activity, then the layperson’s whole internet presence is compromised.
Emails will keep arriving in the same inbox when there is suspicious activity, if the email can’t be changed easily.
Well, I’m not a security expert, yet I do these things.
Having a single email address for everything not only compromises your security, but it’s a spam nightmare.
And having one email makes you an easier target compared to having one different email per account. It’s just a numbers game.
A hacker or bad actor may gain access to one, but not all of your accounts.
Most people may not be as security savvy, but that’s likely because companies don’t really do much to encourage good security practice.
They lack 2fa, they use horrible “what’s your mother’s maiden name?” questions, and e-mail based account confirmation. I don’t blame people for not hardening their accounts when they aren’t even given good options to.
I literally am a security expert and the only thing I change between accounts is my password, which I put in a password manager.
With that said I do have other usernames/email addresses that I use if I’m doing something that I don’t want attached to my public persona. These can also be stored in the password manager so all is still good.
But individual email addresses per account is overkill and a management nightmare, with a very minimal security tradeoff. I’m not exactly expecting a state sponsored attack on my email after all.
Since I use a password manager, it’s quite easy to manage, just like different passwords for each account. No difference.
But having different email addresses also helps with reducing spam, so it’s worth it just for that.
Yeah, but for the actual mail, do you forward the emails to one address? Or do you set up Outlook/Thunderbird to sync all of them? Manually checking all of them would be quite laborious and you might miss the occasional important email if you don’t check regularly.