Compartmentalizing Your Email for Security
After Mat Honan’s entire digital life was hacked, erased, and hijacked last year, two lessons stood out concerning what an individual can do to protect their data and bank accounts. Of course, there are lots of things you can (and ought to) do and lots of things that companies like Amazon and Apple need to do to improve the security of their customers, but these two things are easy to implement right now. One of them will even make your digital life easier to manage.
First, compartmentalize your email.
- Use one email address on one domain, say yahoo.com or earthlink.com, for your personal correspondence. Give this address out to all of your friends and family, people you actually want to hear from. Don’t give it to your bank or your local newspaper, and don’t use it to register for Twitter, Facebook, or any of the ten million online forums.
- Use a second email address on another domain for registering with discount programs, online forums, social networks, sweepstakes, and other low-value venues. These organizations are much more likely to sell your address to marketers and fill your mailbox with useless junk. You can check this account once a month or when you need to confirm a membership, but otherwise you can ignore it. This will help keep a lot of clutter out of your regular mailbox. CORRECTION (3/14/13): If you need to provide an email address in order to prove you are a real person, but will never rely on that email address for resetting passwords or any other “secure” information, use Mailinator. It lets you use an unlimited number of made-up, throwaway email addresses. Be careful! There is no security: anyone who knows the email address will be able to read incoming mail, so never use a Mailinator address for anything that can reset a password. Also be aware that mail will only be kept in the mailbox for a short while, and each Mailinator mailbox will only hold about 10 items. HT: Steve Gibson!
- Finally, use a third address on yet another domain for registering with your bank, credit card, Amazon, etc.; any account that can access your financial data or spend your money. Make sure that you only access it over a secure, encrypted connection. If you use a webmail interface, the address should start with https:// and not http://. If you use a mail client like Outlook or Thunderbird, make sure it is configured to use an encrypted connection (TLS or SSL) for both incoming (IMAP/POP) and outgoing (SMTP) mail. This ensures no one who might be snooping on your network traffic can get your password. This email address should not be connected to your other addresses in any way: don’t list your personal or junk address as the recovery address for this one, and don’t forward mail between them. If someone hacks your personal or junk email accounts, they should not be able to use that account to reset the password on this one.
Second, use nonsense answers for all of your security questions. If your bank account allows you to reset your password after answering a security question, then you had better not use an answer that is publicly available. Is your first employer listed on LinkedIn? Have you ever mentioned your favorite band or color on Facebook? Can anyone find your mother’s maiden name on Ancestry.com? Then when one of those security questions is “What is your mother’s maiden name?” don’t ever use your mother’s actual maiden name! Tell that website that your mother was Joyce Cauliflower or Billie Jean Alpha-Centauri. What was your first school? Why, Emperor Penguin Academy, of course! Use a different made-up answer for every site, so that one site leaking its answers doesn’t unlock the others. You’ll have to keep a record of what answers you used, but since you aren’t using the same password for every site (you aren’t, are you!?), you should be maintaining a secure password database anyway. You can keep these security answers there too. I recommend Password Safe, LastPass, or KeePass used with a very secure passphrase (not a pass”word”) greater than 20 characters.
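One way to produce those nonsense answers and the long master passphrase is to let a random-word generator pick them for you, so you are never tempted to reuse a real fact. The script below is an added example written for this page, not a tool the original post recommends or that any of the named password managers ship. The wordlist is a small constructed sample for demonstration; the entropy helper makes clear why a real tool should load a list of several thousand words instead.

```python
"""Generate nonsense security-question answers and a 20+ character passphrase.

Added example, not from the original post. Uses only the standard library;
`secrets` is the CSPRNG-backed module meant for security-sensitive choices.
"""
import math
import secrets

# Constructed sample wordlist (assumption: a real tool would load a large
# list such as a diceware list; with only 24 words each pick is worth
# log2(24) ~ 4.6 bits, far too little for a master passphrase).
WORDLIST = [
    "penguin", "cauliflower", "emperor", "academy", "centauri", "alpha",
    "granite", "violet", "lantern", "tundra", "saffron", "quartz",
    "meadow", "harbor", "falcon", "ember", "cobalt", "juniper",
    "marble", "nimbus", "orchid", "pepper", "raven", "willow",
]


def entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of n_words chosen uniformly and independently from a wordlist.

    This is the number that matters for guessing resistance, not the
    character length: 4 words from 24 is ~18 bits, 6 words from 7776 is ~77.
    """
    return n_words * math.log2(wordlist_size)


def nonsense_answer(wordlist=WORDLIST, n_words: int = 2) -> str:
    """A 'Joyce Cauliflower'-style answer: capitalized random words.

    Every word is drawn independently with secrets.choice(), so the answer
    has no relation to any fact about you that LinkedIn or Ancestry.com knows.
    """
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    return " ".join(w.capitalize() for w in words)


def answers_for(questions, wordlist=WORDLIST) -> dict:
    """Map each site's security question to an independent nonsense answer.

    The returned dict is what you would paste into the password database
    entry for that site; generate a fresh one per site, never share answers.
    """
    return {q: nonsense_answer(wordlist) for q in questions}


def passphrase(min_len: int = 20, wordlist=WORDLIST, sep: str = "-") -> str:
    """Random whole-word passphrase, extended until it exceeds min_len characters.

    Whole words keep it typeable; the separator makes word boundaries visible.
    """
    words = []
    while len(sep.join(words)) <= min_len:
        words.append(secrets.choice(wordlist))
    return sep.join(words)


if __name__ == "__main__":
    questions = ["What is your mother's maiden name?", "What was your first school?"]
    for q, a in answers_for(questions).items():
        print(f"{q} -> {a}")
    p = passphrase()
    print(f"master passphrase: {p} ({len(p)} chars, "
          f"{entropy_bits(len(p.split('-')), len(WORDLIST)):.1f} bits with this tiny list)")
```

Run it once per site and record the question/answer pairs in the password database entry for that site. Note the entropy figure it prints: the 20-character rule from the post is a floor on length, but the strength of a word-based passphrase comes from how many words you use and how big the list they came from is.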