linkage.social


[cybersecurity] Your email is an authentication secret, whether you like it or not

site: x.com | posted by: admin, 1 month ago | views: 2 (plus 3 link visits)

To log in somewhere, you need to know your account email. Most online authentication systems are built on the assumption that your account email is public, and it usually is: email lists are everywhere now. But you can give yourself an extra layer of security for free by using a unique, secret email per account. The post from levelsio linked above suggests using a fully random email address. You don't have to go that far to get most of the benefits; just use a different email. The fastest way is to make an alias with a plus sign, which most email providers support. For instance, suppose your personal email is alice@gmail.com. To protect your bank account, sign up for it with, say, alice+lovespayday@gmail.com, which is delivered to the same inbox. Doing so instantly protects you from things like:

- verification-code spam hitting alice@gmail.com (no bank account exists under that address)
- your bank account getting locked by too many login requests (nobody can even attempt a login, because nobody but you and the bank knows alice+lovespayday@gmail.com)
- phishing and targeted compromise attempts, to some extent

The first two apply to everybody. The third matters most if people consider you a notable target, for example if you have a lot of social media followers. In that case it's a headache when others know your personal email, because they will try it against every platform you use. That headache disappears if you use a different email for each platform. One caveat: the alias stays secret only as long as nobody sees it, so a breach at the site that holds it gives the secret away, and some sites strip or reject the "+tag" part, which is where a fully random address or a separate mailbox is the more robust version of the same idea.

----

Using a unique email for linkage.social is admittedly probably overkill for most people. But it's interesting that this concept doesn't really get talked about in cybersecurity discourse. It's especially relevant now that more websites are shifting to passwordless systems and don't do it right. Microsoft uses six-digit one-time login codes: that is only a million possibilities, which is brute-forceable unless attempts are strictly limited, and attackers try to brute force them all the time [1]. (Don't worry, linkage.social login emails use 256-bit tokens.) But it's still free to protect yourself more.

[1] https://www.reddit.com/r/computers/comments/16zl2pw/i_received_a_singleuse_code_from_microsoft_but_i/
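The alias trick and the code-space argument above, as an added Python example that is not part of the original post or of linkage.social's own code: plus_alias builds an alias like the one in the post, secret_alias builds the random kind levelsio suggests, and LoginCodeVerifier with brute_force_six_digit simulates an attacker guessing a six-digit code against a verifier with and without an attempt limit, next to a 256-bit token of the kind the post mentions. All function names, the attempt limit of five and the ten-minute expiry are assumptions for illustration, not anything Microsoft or linkage.social actually does.

```python
"""Per-service email aliases, and why a six-digit login code needs an attempt limit.

Added example; the names, limits and timings here are illustrative assumptions.
"""
import hmac
import secrets
import time

CODE_SPACE = 10**6      # a six-decimal-digit code has exactly one million values
MAX_ATTEMPTS = 5        # assumed lockout threshold for the hardened verifier
TOKEN_BYTES = 32        # 32 bytes = 256 bits, the token size the post mentions


def plus_alias(email: str, tag: str) -> str:
    """Return the plus-address alias alice+tag@gmail.com for alice@gmail.com."""
    local, sep, domain = email.partition("@")
    if not sep or not local or not domain or "@" in domain:
        raise ValueError(f"not a usable address: {email!r}")
    if "+" in local:
        raise ValueError("address already carries a plus tag")
    if not tag or any(ch in tag for ch in "@+ \t\r\n"):
        raise ValueError(f"unusable tag: {tag!r}")
    return f"{local}+{tag}@{domain}"


def secret_alias(email: str, nbytes: int = 9) -> str:
    """Return an alias whose tag is random, so nobody can guess it from the base address."""
    return plus_alias(email, secrets.token_urlsafe(nbytes).replace("-", "").replace("_", ""))


def issue_six_digit_code() -> str:
    """Zero-padded six-digit one-time code drawn from the CSPRNG."""
    return f"{secrets.randbelow(CODE_SPACE):06d}"


def issue_token() -> str:
    """256-bit magic-link token as 64 hex characters; 2**256 values cannot be enumerated."""
    return secrets.token_hex(TOKEN_BYTES)


class LoginCodeVerifier:
    """Holds one outstanding code. With max_attempts=None it never locks, which is the weak setting."""

    def __init__(self, code: str, max_attempts=None, ttl: float = 600.0, now=time.time):
        self._code = code.encode()
        self.max_attempts = max_attempts
        self.attempts = 0
        self.locked = False
        self._now = now
        self.expires_at = now() + ttl

    def verify(self, guess: str) -> bool:
        if self.locked or self._now() > self.expires_at:
            return False
        self.attempts += 1
        # constant-time comparison, so timing does not leak how many digits matched
        if hmac.compare_digest(self._code, guess.encode()):
            self.locked = True          # single use: a correct guess consumes the code
            return True
        if self.max_attempts is not None and self.attempts >= self.max_attempts:
            self.locked = True          # too many wrong guesses: lock this code
        return False


def brute_force_six_digit(verifier: LoginCodeVerifier, start: int = 0):
    """Attacker loop: try every code in order until accepted or locked out. Returns the code or None."""
    for n in range(start, CODE_SPACE):
        if verifier.locked:
            return None
        if verifier.verify(f"{n:06d}"):
            return n
    return None


if __name__ == "__main__":
    print(plus_alias("alice@gmail.com", "lovespayday"))
    print(secret_alias("alice@gmail.com"))
    code = issue_six_digit_code()
    found = brute_force_six_digit(LoginCodeVerifier(code))
    print(f"no attempt limit: code {code} recovered as {found:06d}")
    limited = LoginCodeVerifier(code, max_attempts=MAX_ATTEMPTS)
    print(f"limit of {MAX_ATTEMPTS} attempts: {brute_force_six_digit(limited)}, locked={limited.locked}")
    print(f"256-bit token: {issue_token()} (2**{8 * TOKEN_BYTES} values, not enumerable)")
```

Run stand-alone, the unlimited search recovers a random code in at most a million guesses, which takes on the order of a second in CPython; the limited verifier locks after five wrong guesses, so the attacker's odds per code drop to five in a million, and a 256-bit token cannot be searched at all. The rate-limit point is the one the post's Microsoft complaint turns on.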

score: ~50%
