Your email address is the center of your digital life. If you're like me, you have one main email address that you use for everything.
Social media accounts like Facebook, Twitter, and Pinterest will resolve back to my main Gmail account. Any services I pay for like Spotify and Netflix, I also enter my main Gmail account.
In some cases, I use the + trick (if you put in main.email+service@gmail.com the email still makes it to main.email@gmail.com, it'll just have the +service so you know if that address is being used in off-book ways) but the + trick is more about filing and management than security. People know that your main email is main.email@gmail.com.
The problem is that I would also use it for other things, like when I briefly signed up on Adobe.com to use their cloud services. Turns out me and 153 million of my closest internet friends had our emails, username, encrypted password, and password hints hacked in October 2013. The encryption was weak, so the passwords were very easily converted into plaintext (the breakdown of passwords is kind of fascinating… “iloveyou” is a very popular password!).
I'm fortunate in that I use different passwords for all accounts, so when I learned my Adobe account was breached, it was “okay.”
After that moment, I resolved to firewall my email system.
- One email address for high security, “classified” material – financial services and sensitive information.
- One email address for insecure, low security services.
Borrowing a Page from the USG
The United States Government has classified and unclassified systems and the basic premise is that the two shall never meet. Sensitive and important information lives in the classified world. Less important, less sensitive information lives in the unclassified world.
If the unclassified system is breached in some way, only the less important and less sensitive information is revealed. The classified system is safe.
Your banking and broker information is sensitive and important. Your Facebook page may seem important… but it's not. You might not be able to live without Pinterest or Playstation, but those aren't important. ๐
I'd argue that credit card information is considered NOT important because consumer liability protections are exceptionally strong. All of my credit cards are $0 liability. Plus, the access point is often the card itself, not the online account.
Rules of a Classified Email Address
Here are my rules:
- Use your classified email address for accounts where high security is a must – banks, brokers, etc.. (not credit cards!)
- Only use your classified email in your strict circumstances, never elsewhere.
- Access that account only when you'd access the underlying financial accounts – from your home and never from elsewhere like your friends' house, hotel business center, gym, etc.
- Do not forward your classified email to your unclassified email, the two shall never meet.
- Use a strong password. Preferably a password manager like 1Password.
You can take every idea to its logical extreme depending on your desire for security vs. convenience. For example, you can create a unique email address for each account or you can save an old computer strictly for accessing those accounts (with no installed programs that could be malware). That I leave up to you.
The goal is to keep that email address as hidden as possible so it can never be hacked unless the bank is hacked.
The best thing about this is that once you set it up, it gives you peace of mind. If your unclassified email address is disclosed in a breach, you know that your classified email address is safe. And you will never get tricked by a phishing email because none of your accounts are linked to your unclassified email address.
Plus, email addresses are free! The only cost is in management.
Can I Search For Hacks?
Most hacks/breaches hit systems where security isn't a priority.
I was using haveibeenpwned.com to see if my email address was compromised. The site is run by Troy Hunt, a trusted and well-regarded security professional, and it collects all the publicly available personal data out there and makes it searchable.
If you look at the top 10 breaches, none were of what you would consider high-security systems. Adobe, Ashley Madison, some gaming sites, VTech, and forums. If you look at all the breaches, you start seeing a few tangentially financial sites (mostly gambling and payment systems) but you don't see banks or brokers.
Once a hacker gets your email address, it's trivial to start sending out phishing emails to get greater account access. With 152 million email addresses in the hack of Adobe, a success rate of 0.001% is still 1,520 accounts!
Gmail is pretty good about filtering out phishing emails but a better solution is to keep a secret email address only for financial services and other high-security systems.
(and remember, sites like haveibeenpwned.com only search for breaches that were made publicly available, plenty aren't disclosed)
Two other things I do…
Use unique usernames. No reason why your World of Warcraft username should be the same as your Wells Fargo. ๐ When Adobe was hacked, it revealed usernames and encrypted (but weakly encrypted) passwords. If you have usernames and passwords, it's even easier to try the credentials at every bank.
Turn on 2FA! Turn on two factor authorization on all your financial accounts. Two-factor authorization is crucial and it's easy with smartphones. You must use it.
Do you use separate email addresses to keep things just a little bit more secure?
I have three or four email addresses I use for different purposes. One is mainly for purchases where I expect to get spam. Another is intended solely for spam!
Ha I have a spam email, it’s holly @ … jk ๐
LOL
This is a great wake up call for a lot of people (myself included)! As a greater part of our lives moves online, it becomes increasingly important that we are careful with our email addresses and passwords. I use a personal email for banking, bills, etc and then I have a separate business email for my blog and other business activities.
I have a separate business one but keeping a “super secret never tell anyone except the banks” email address makes sure I’m extra careful ๐
Thanks Jim, this is great advice and even though I work in the IT industry, very easy to forget about security 101.
Unfortunately I was also part of the adobe breach, and some other sites mentioned on havibeenpwnd. Not, not Ashley Madison ๐
Hahahaha, you have to assume that everything you do on the internet will eventually become public. It’s just how it works!
Thanks for this reminder, Jim. We need to set this up for our banking and investment accounts. We’ve upped our log-in security, but it’s all still linked to our main email accounts. Adding to the to do list!
It’s one of those simple things that you think would cost a lot of time, in setting it up and ongoing maintenance, but it actually doesn’t. Like getting transaction notifications for charges above $0, it’s not nearly as annoying as you’d think to have a 2nd email just for these.
I have a junk email address but never thought to have a high security one. Great idea, Jim! I actually had my Gmail account suspended once. Still haven’t figured out why, they can do it for a number of reasons including if they think it could be at risk from hacking. Gmail quickly lifted the suspension but they don’t have to.
You need to give alternate or backup email address for this super secret email for backup. Which one do you give here? ๐
Ha, good question… ๐
I use another email address that I don’t use for logins anywhere else.
And what is that email address? ๐
Nice try ๐
This is a great idea. I’ll have to start the processing of changing my bank emails over because security is such an issue nowadays.
I followed your previous advice and activated 2FA for my email and bank accounts. It has brought a lot of peace of mind.
I even got a text a few days after it looks like someone was trying to get into my investment account at Vanguard! I changed the password right away and let Vanguard know.
Again, the piece of mind is incredible. Thanks for the advice.
Ha! Just in the nick of time!
Interesting. I hadn’t thought of this, but now that it’s on my radar, I may have to change my email address for some of my accounts.
Wow – this is a really great idea Jim. I have always been a bit nervous having my bank account email the same as my normal email. It never really dawned on me to setup a high-security email address. I’m going to take action to create one today for my banking and investing stuff. Thanks for the tip!
Emails are free!
I have one main email address and one for work. I use different passwords depending on the level of security needed. Banks/brokers get a higher level password. I have mid-tier accounts that get another password. And then I have a very easy-to-remember password that I use when I sign up for coupons, promotional emails, and the like. I assumed that would be just as secure, but after reading this, I’m not so sure.