Using Email Alias Addresses to Enhance Privacy & Security

How and why to use an alias email address

Depending on the webpage you’re looking at, you may see the term sub-email or alias. They mean the same thing and are used for the same reasons. The following uses Gmail as an example for creating and using aliases. Please read your email provider’s documentation or contact their support if you need more information on how to set up your email aliases.

You can read Gizmodo’s article about using aliases to filter email into different categories and folders within your inbox. They discuss newsletters, friends, controlling your house, and to-do lists. However, we are going to take this a step further: in addition to sorting email, aliases can enhance your privacy and security between websites.

Setting Up Your Aliases

Setting up Gmail aliases is super simple: when signing up for a service or newsletter, add a plus sign and any word or characters before the @ sign, and messages will still reach you. For example, if your email address is john.smith@gmail.com and you sign up for an Amazon account with john.smith+amazon@gmail.com or john.smith+Aj45zA@gmail.com, it makes no difference whatsoever, as the messages will still reach you. Later I will talk about why the second address, with random characters, is better for security.

Aliases Enhance Privacy

You may have read in the news recently that Facebook Tracks You, Even When You’re Not on Facebook. That article talks about more sophisticated methods that email aliases will not protect you against. However, if you think about the websites you visit and have to sign into, I am sure you use the same email address across all of them. For example, if you sign into Amazon, Pandora Internet Radio, and Facebook with john.smith@gmail.com, they all have the same email address. Now, I am not saying any of these companies do this; I am just going to illustrate a point here. Let’s say all these companies sell your personal data to an ad company. The ad company searches through each of the databases it received from those companies and correlates the records that share an email address. The ad company now knows what you bought on Amazon, what you listen to on Pandora, and what you liked or shared on Facebook, all tied to the same email address.

By adding a plus sign and some random characters, that ad company will no longer correlate the three databases to one address. The records stay separate, which helps protect some of your privacy: the company will still have all the same information on you, it just will not be correlated.

Aliases Enhance Security

Using the same examples as before, if you use the same email address for all the sites you have to log into, everyone now has one part of your logon. If you’ve sent me an email and I now know your email is john.smith@gmail.com, I can go to Amazon, type in your email address, and try to brute force your password. That will likely not be efficient, and hopefully Amazon will lock your account to protect you, but it will still be a pain to get the account unlocked or reset your password. If you are not using long and unguessable passwords, it will be that much easier for an adversary to get into your accounts. Strong passwords, password reuse, and two-factor authentication are a topic for another day.

Now, if you had set your sign-in email address as john.smith+amazon@gmail.com, the adversary would need to know about the alias to try to break into the account. Going to Amazon and typing the regular email address would come back as “no such account” or “account does not exist.”

Earlier, I also talked about how using random characters is better than using the website’s name. If you use +amazon for Amazon, +pandora for Pandora, and +facebook for Facebook, we can now start to see a pattern and can guess what you’ll use for your bank. To avoid that issue, you should use random characters at the end that mean nothing for the website or for you.

Another security bonus of aliases is help with data leaks. If you check Have I Been Pwned? regularly and you notice one of your email aliases on there, you know which website it came from. This will allow you to go change your password if you don’t change it on a regular basis. If you start getting spam, you can look at which email address it was sent to and derive which website had a compromise. If a hacker has your credentials, their tools are automated, so using different aliases with different sites stops them in their tracks for your accounts.
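The random-tag aliases and the leak tracing described above can be sketched in a few lines of Python. This is an added example, not part of the original article; `make_alias`, `AliasBook`, the tag length of six and the site names are hypothetical choices made for illustration.

```python
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


def make_alias(address, tag_len=6):
    """Insert a random +tag before the @, e.g. john.smith+Aj45zA@gmail.com."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address: %r" % address)
    if "+" in local:
        raise ValueError("address already carries a +tag")
    # secrets (not random) so the tag cannot be predicted from the site name
    # or from tags used elsewhere.
    tag = "".join(secrets.choice(ALPHABET) for _ in range(tag_len))
    return f"{local}+{tag}@{domain}"


class AliasBook:
    """Hypothetical record of which alias was handed to which website."""

    def __init__(self, address):
        self.address = address
        self._by_site = {}

    def alias_for(self, site):
        """Return the alias for a site, creating a unique one on first use."""
        site = site.lower()
        if site not in self._by_site:
            used = {a.lower() for a in self._by_site.values()}
            alias = make_alias(self.address)
            while alias.lower() in used:  # compare lower-cased: case-only differences count as the same address
                alias = make_alias(self.address)
            self._by_site[site] = alias
        return self._by_site[site]

    def site_for(self, recipient):
        """Map the address a spam message or breach notice names back to a site."""
        wanted = recipient.strip().lower()
        for site, alias in self._by_site.items():
            if alias.lower() == wanted:
                return site
        return None  # the bare address or an unknown alias: no single source


if __name__ == "__main__":
    book = AliasBook("john.smith@gmail.com")  # constructed sample address
    leaked = book.alias_for("amazon.com")
    book.alias_for("pandora.com")
    print(leaked, "was given to", book.site_for(leaked))
```

The mapping lives only in memory here; in practice it belongs in the notes field of a password manager entry.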

Conclusion

You can see the benefits that aliases provide, but as you create new accounts or change previous accounts to use new aliases, it will become difficult to keep track of them all. I suggest using a password manager that tracks your username and password. Most password managers provide an area for notes, so even if the website doesn’t use your email address as the username, you can still keep track of which email alias belongs to which website. Most websites let you update your contact information, so I suggest you start updating your email address with aliases today! To maximize your protections, you can also follow privacy guides on setting up your browser and applications from Privacy Tools.

Randy Rowland
Security Engineer

If you see errors or have more information on what you just read, please use my contact form to inform me. Thank you.  
