VNKRJun 1
Martin Seeger

I use one dedicated email address per service.

This is a golden rule I started about 20 years ago. Today I have about 700 email addresses in use. The Password Manager keeps track, which Email address is used for which service.

This has several advantages:

  • An attacker has no idea which email address I use for a certain service: this makes attacking my accounts a lot more painful
  • I can very easily sort incoming email associated with those services
  • It becomes more difficult to track me

Lately more and more services do no longer allow me to create an account with an email address I designate.

Instead authentication is delegated to a third party (e.g. Discord, Paypal) and the email address associated with that service is used.

Such a service will never receive any money from me.

Jun 1 at 8:51amWeb
Show threadMartin SeegerJun 1

Current cause for my rant is https://forecast.solar/

It reads:

With a subscription you will have a Self-Service area to see some information about your account and find/reset your API key if needed. (Login is the PayPal subscription Id and your PayPal email address)

No, no, no: That is the ID for Paypal, not for your service.

๐Ÿ˜ญ

I would gladly give you my money, but I won't let you break my workflows.

Homepage [Forecast.Solar]

Restful API for solar production forecast data and weather forecast data based on your location, the declination and orientation of your solar panels.

Show threadMartin SeegerJun 1

Managed to find a way around it (to work without an account).

Used a Ko-Fi donation (as I use his service) to send a message with my complaint with the service owner.

Show threadmossmanJun 1

@masek and then you are assumed to just have a PayPal account in the first place...

I have never, for example, had a FaceBook account - and never will. It's tiring that so many people assume everyone has submitted to these crappy Big Tech things and is encouraging you to let them suck up all your data.

Show threadMartin SeegerJun 1
@mossman Never had a FB account, but getting around Paypal proved to be impossible for me ๐Ÿคทโ€โ™‚๏ธ .
Show threadmossmanJun 1

@masek similar for me - I was instantly suspicious of FB back in the day (which proved to be justified) - but I was peer-pressured by work colleagues into very reluctantly creating a WhatsApp account a few years ago... I did everything I could to keep that from having any of my personal details and people were shocked how serious I was about how much I hated having to do it. Of course since then no-one uses that WhatsApp group any more...

The other thing I hate is the way Google uses fingerprinting to track you across different accounts. I got a new work phone recently and transferred my stuff from the old phone to the new one. At some point I logged into Google (using Vivaldi) to see my personal account and *BINGO!* - I suddenly got notifications on my personal phone to complete setting up my work account on the new phone!!! ARRGGGHH!!

Show threadMartin SeegerJun 1
@mossman I ditched WhatsApp when FB bought them ๐Ÿ™‚. It took me 18 months and a GDPR complaint to get my account deleted.
Show threadhannah๐Ÿณ๏ธโ€โšง๏ธJun 1
@mossman @masek
I haven't been able to get away from WhatApp, all of my family uses it, I'm trying to convince them to move to signal (or RCS messaging now that iOS and Android encrypt with eachother) but its impossible.
Show thread๐ŸŒˆ RartsyJun 1
@masek I had a similar problem to what you're describing that nearly derailed travel plans at the point of departure. I created a unique email for a bus app in Mexico. Unfortunately when I went to pay for tickets I was forced to use PayPal. They don't take banks or cards not based in Mexico but PayPal is fine. So I moved money into PayPal & voila. After that moment the bus company associated my ticket with my PayPal email address, even though I had never shared it with them. I suppose PayPal shared it with them when making the payment. I don't know exactly; except that it's not how I like to do things and I was flustered. It's the largest transportation network in Mexico, therefore a necessity that I have to put up with. Can't win 'em all.
Show threadMartin SeegerJun 1
@rartsy Paypal shares the email address with anyone receiving a payment. Same with Apple Pay.
Show threadEd DaviesJun 1

@rartsy I've lost the phone number for my Paypal 2FA - something I discovered when I tried to log on to delete my account.

But, I do recall at one point creating another temporary email address associated with the account to allow an organisation to request a payment from me without them having to know my main Paypal address.

@masek

Show threadJollyOrcJun 1
@masek and then there are services that are completely unable to ever change the email address for an account. "cancel all subscriptions and create a new account" is the official answer from the HVV Switch app team for example...
Show threadjelteJun 1
@masek I do the same, my main motivation was to be able to block addresses (inevitably) leaked by the services. Address is usually based on the service in question, which reduces your first advantage, but does have a nice side bonus of occasionally leading to interesting discussions 'Wait, you work here?!' 'Er no, i just have an address per company i deal with' 'oooh, how does that work?'. Forcing a central account is definitely a no-go.
Show threadDavid Chisnall (*Now with 50% more sarcasm!*)Jun 1

@masek

Log in with GitHub is annoying here. I have one email address that I use for GitHub to communicate with me that isn't one I put in commit messages or use anywhere else.

There is no way to log into anything else with GitHub and share only one email address with them, so that email address is leaked to other services.

Show threadMartin SeegerJun 1
@david_chisnall That was included in my "I can very easily sort incoming email associated with those services" point ๐Ÿ˜‰
Show threadDavid Chisnall (*Now with 50% more sarcasm!*)Jun 1
@masek I do it for the reasons that you list, but the annoying thing with GitHub is that they let you associate an arbitrary number of email addresses with an account, but they don't let you restrict which ones another system sees when you log in with GitHub.
Show threadMakotoJun 1
@masek started that mainly to detect companies selling my data
Show threadMartin SeegerJun 1
@alchemicacht Collateral use ๐Ÿ™‚
Show threadAutJun 1
@masek I have long considered doing the same thing and having unique emails per service. One day I will, I just haven't crossed the threshold yet
Show threadGytis RepeฤkaJun 1
@masek Classic - Microslop does not allow to create developer account with associated e-mail address that has microsoft in it - bumped into that myself 
Gytis Repeฤka (@[email protected])

[1 media attachment] Nobody express their feelings better than Dr. Adrian Mallory (John Malkovich) from :netflix: Space Force :blobcatcheer: Fuck Microsoft, fuck! #microsoft #fuck #netflix #spaceforce

social.gyt.is
Show threadBrokarJun 1
@masek same here. Though i'm only at ~430 addresses.
I did it mainly to see where spam is coming from and which address has been leaked.
Show threadDanni StormJun 1
@masek What bothers me is Steam's refusal to use Addy.io addresses. It kept giving me a BS error about temporary emails. No, this email is not temporary. I ended up using mailbox.org's feature to hide behind their domain with a random email. That email is far more temporary as I lose access when I stop paying but at least the Steam client was happy. ๐Ÿ™„
Show threadMartin SeegerJun 1

@danni_storm I had once a problem that Steam wanted a re-authentication every few days.

Support told me: Use a well know email address (e.g. Gmail.com, Hotmail.com, etc.)

My reply: My email address is significantly older than your company ๐Ÿ˜„

Show threadEikeJun 1
@masek Do you create dedicated addresses or use tagging? If the latter, how do you deal with services that try to "validate" your eMail address and tell you that you can't have a plus sign in there? For those I typically end up just giving in as the process for creating real addresses is a bit of a nuisance in my setup...
Show threadhannah๐Ÿณ๏ธโ€โšง๏ธJun 1
@eikelang
there are services that creat aliases for yu and forward them to your main adress, works great for me thoigh it does mean that i have to put all of my trust in the aliasing services
Show threadMark NowiaszJun 1
@Eike I'm not Martin, but I do exactly the same.

- Usually I'm using a "+" address something like (nobody+<something>@example.com).
- Services that don't allow a "+". Well, in this case I'm giving them a custom address in my realme verdient.schlaege.org (like [email protected]) for their ignorance :-).

See also for example: #^http://verdient.deutsche-bahn.schlaege.org/ :-)
Schlรคge verdient?

Show threadShaun ChamberlinJun 1

@masek Ooh, interesting! Which service do you use to generate the email addresses, if you don't mind sharing?

I'm assuming they all feed through to one inbox (or a few), rather than you logging into each one separately!! ๐Ÿ˜„

Show threadMartin SeegerJun 1
@DarkOptimism I have my own domain, one single mailbox at https://proton.me/mail and a wildcard entry for *@domain.
Proton Mail: Get a free email account with privacy and encryption | Proton

Proton Mail is the worldโ€™s largest secure email service with over 100 million users. Available on Web, iOS, Android, and desktop. Protected by Swiss privacy law.

Proton
Show threadShaun ChamberlinJun 1

@masek
Nice, I also have my own domain with a ProtonMail mailbox and a wildcard entry for *@domain, and will now be stealing this brilliant application of it! ๐Ÿ˜

Fyi, I also sometimes use ProtonMail's alias feature when I don't want to give them my domain and will likely continue with that. But now leveraging my wildcard far more powerfully.

Thank you! โค๏ธ

Show threadFather HardstoneJun 1
@masek I actually thought I was completely nuts whose doing something like this turns out I am not the only one ๐Ÿคฏ but I am nowhere near the 700 mark, I am nearing a 100 though
Show threadBrad LarsenJun 1
@masek what's your workflow for creating a new single-service email? Does your email allow wildcards, or do you have to manually set up something each time?
Show threadMartin SeegerJun 1

@bradlarsen I have a wildcard. Every email at my domain ends in a single mailbox. There I have automation rules.

Once an email address gets too much traffic, it gets a rule.

But by default the workflow is completed by using it to create an account and saving it via Bitwarden/Vaultwarden.

Show threadBrad LarsenJun 1
@masek cool, thanks for the details! I have thought idly about doing similar for years, but the warnings my email provider gave about wildcards, spam, and possible denial-of-service on my email has given me pause.
Show threadJames CreelJun 1
@masek It is quite sensible to maintain separate email addresses per service, although a lot of overhead. Worth it in my opinion. Seems every website you go to now is like, "Log in with Google! Log in with Facebook!" No thanks! It would also be nice if there were such a way to reasonably manage privacy with phone numbers and credit card numbers. I think phone numbers especially are getting to be a key identifier for data brokers.
Show threadMartin SeegerJun 1
@jsc I described the overhead here and it is not high: https://infosec.exchange/@masek/116674914648762905
Show threadZillionJun 1
@masek @jsc I do pretty much the same.
Show threadThibaultmol ๐ŸŒˆJun 1
@masek I use @simplelogin to have specific aliases per service (so not using wildcards) cause I figured that at some point they would figure out it's a wildcard and abuse it anyway. (plus with simplelogin i can easily disable one of the aliases to block it essentially)
Show threadNumerfoltJun 1
@thibaultmol @masek @simplelogin Oh, that's looking really promising
Show threadThibaultmol ๐ŸŒˆJun 1

@Numerfolt @masek @simplelogin I forgot to mention that I also add a random string of characters to it.
So if I for example wanted to make an account on kirche.social, I would create an email like:
[email protected]

The downside is that unless you are also using proton mail (which I think has it built-in at this point) you have to do an awkward workaround where I'll receive the email coming from a simplelogin email address but the email address will be named after the actual addr

Show threadSkewray Research (ZFยฌC)Jun 1

@masek At 700, I bet you aren't cleaning out old ones. I've been doing the same for 20 years and only have 150...

ps...Just create multiple addresses at Google, &c?

Show threadMartin SeegerJun 1
@skewray Correct, the 700 are not all active. But the one where I actually deleted my account have been removed.
Show threadFather HardstoneJun 2
@skewray @masek Google requires phone numbers !!!
Show threadA Random Half-GiantJun 1
@masek
Been moving to that model over time, myself. Thank goodness for tools like SimpleLogin making it easier to manage the email address mappings.
Show threadSigmaJun 1
@masek Do you just put the service name in the address, or do you have another scheme for "generating" addresses?
Show threadMartin SeegerJun 1
@sigmasternchen Depends how much thought I put into it at that moment. In most cases it is sometimes an abbreviation of the service, if I am angry at having to create an account it may be a bit insulting.
Show threadSigmaJun 1
@masek ^^
Show threadEd DaviesJun 1
@sigmasternchen @masek Here's the scheme I use: https://edavies.me.uk/2016/08/unique-email/
Unique Email Addresses

Show threadTom DewarJun 1
@masek same. Interestingly, this was how I discovered Adobe got hacked.
Show threadNumerfoltJun 1
@masek Now I'm wondering: Where do you get all your aliasses from? Or have you manually created 700 email accounts?
Show threadEli the BeardedJun 1

@masek

That's how I have five or six paypal accounts now