How to make your email address as hard to guess as your password

A Gmail trick that could help protect your privacy

What we're apparently calling "celebgate" has probably caused you to worry that your own data in the cloud isn't secure. It certainly has me worried, but I do have one small trick that helps reduce the stress a little. The attack vectors we're seeing most often involve figuring out some public piece of data about you and then parlaying that into some social engineering (or clever password recovery) to get to your data. Getting a hold of an email address is probably the easiest step in that chain, and if you can make it more difficult, you're theoretically safer.

So I try to use a different email address for every single service that I sign up for. That sounds like a nightmare (and it kind of is), but the clever bit is that all these emails only look different to the services I use, but they're actually all the same email address.

your.email+whatever@gmail.com

The trick is pretty simple, actually. If you use Gmail, you effectively have an unlimited number of addresses that all land in the same inbox. Instead of simply plugging in your email address, you plug in your email address with a random string attached to it after a +. Basically, if your email is "you@gmail.com," then "you+whatever@gmail.com" is the same email as far as Gmail is concerned. As far as everybody else is concerned, though, it's a totally different and unique address.

So, for example, if your email address is "you@gmail.com," then you could register at Apple with "you+apple4729@gmail.com" and register at Amazon with "you+amazon2594@gmail.com." You won't have to manually sign up for dozens of different email addresses, one for each service, since all of them end up in your same "you@gmail.com" inbox. But each service will have its own unique identifying email address and if somebody guesses the email you use for Amazon, that won't mean they know what you used with Apple.

Unfortunately, the same trick doesn't work if you use Outlook or Yahoo, but you can go through a more convoluted process on each service to create email aliases. Here's how to do it with Outlook and how to do it on Yahoo.

Now, this is not a security panacea by any stretch. You should still be using a password manager to help you keep track of all your different passwords — and now, different email addresses. If you forget the specific email address you're using, you're even more out of luck than you are if you forget your password. If you don't even know the email address you registered with, you won't be able to even get to those security questions. I personally use 1Password, which I like because it securely stores my data in the cloud (yes, there is an irony there), but there are others like LastPass that seem generally trustworthy.

Of course, you should also still be using two-factor authentication whenever possible. And, yes, we need big companies like Apple, Google, Amazon, and all the rest to figure out better ways to secure our data and harden themselves against the kinds of social engineering and password-guessing attacks that we're now realizing are ridiculously prevalent. In the meantime, our How To on managing passwords from a couple years ago can help you make sure your end of the security bargain is being kept up.

Update: As some people have noted to me, there are some websites that won't let you use a + in your email address. It's a bummer, but the trick is still worth a shot in most cases.
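As an added example (not code from the article), here is the per-service alias scheme described above in Python: building "you+apple4729@gmail.com"-style aliases, mapping any alias back to the inbox that actually receives it, and a syntax check that, unlike the sites mentioned in the update, accepts the "+". The function names, the four-digit random suffix, and the dot-insensitivity of Gmail local parts are my assumptions and additions, not from the article.

```python
import re
import secrets
from typing import Optional

# Gmail delivers local+anything@gmail.com to local@gmail.com, as the article
# describes. Gmail also ignores dots in the local part and treats
# googlemail.com as gmail.com (known Gmail behaviour, assumed here, not from the article).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

# RFC 5322 "atext" permits "+" in the local part, so a sign-up form that
# rejects it is that site's own restriction, not a rule of email syntax.
LOCAL_PART_RE = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+$")


def alias_for_service(address: str, service: str, suffix: Optional[str] = None) -> str:
    """Build you+service1234@domain; a random four-digit suffix unless one is given."""
    local, domain = address.strip().rsplit("@", 1)
    if suffix is None:
        suffix = str(secrets.randbelow(10_000)).zfill(4)  # constructed random tag
    tag = re.sub(r"[^a-z0-9]", "", service.lower()) + suffix
    return f"{local}+{tag}@{domain}"


def canonicalize(address: str) -> str:
    """Map an alias back to the mailbox that receives it (Gmail rules only)."""
    local, domain = address.strip().lower().rsplit("@", 1)
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0]      # drop the +tag
        local = local.replace(".", "")      # Gmail ignores dots
        domain = "gmail.com"
    return f"{local}@{domain}"


def same_inbox(a: str, b: str) -> bool:
    """True when two addresses that look different to a site reach one inbox."""
    return canonicalize(a) == canonicalize(b)


def is_plausible_address(address: str) -> bool:
    """Permissive syntax check that does not reject the '+' some sites block."""
    if address.count("@") != 1:
        return False
    local, domain = address.split("@")
    return bool(local) and LOCAL_PART_RE.match(local) is not None and "." in domain
```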