1. Most people use the same or similar password, so once one account gets hacked, the attacker is probably able to use many other accounts on different services with the same email address/password combo.
2. It's easier to spot services that spam, or that leak your email address (I became aware of a leak of email addresses on Box... luckily it was only emails that got leaked, at least according to Box support).
3. It's easier to block spam, once a service misbehaves or gives away the email.
I wrote a little more about using it as a "passwordless password manager" at http://blog.gingerlime.com/2011/passwordless-password-manage...
update: (if blog post is too long...) this does not mean setting up hundreds of different email accounts. On most services like hotmail, google and yahoo you can simply append some unique string to your email address, e.g. email@example.com. Making this unpredictable is important however, so appending +facebook and +twitter is not helping much though...
I think something is really broken in today's web authentication scheme. I think there is really huge need for some independent and reliable service (Mozilla's Personas maybe).
For example, if my email is firstname.lastname@example.org, then I would use email@example.com when signing up for Hacker News.
Sometimes, I don't actually remember and just end up going to my inbox to find an email from the site so I can look up what I used.
Another time, this backfired on me when I purchased concert tickets using a +descriptor email and couldn't login. The purchase form and login form had different validation rules, so the purchase form accepted my +descriptor email and charged me for it. The login form rejected my +descriptor email and I was rushing to contact customer service to print my ticket in time.
If someone was directly targeting me, and had my email address from another site, they could probably figure out what I'd used elsewhere. But if it's just a script running through email addresses harvested from site A, then mine will almost always be irrelevant on site B.
The main reason I use it though is that it's a great way to figure out where spam is coming from. Last week for instance I got a "male enhancement" spam from an email address I've only ever given to scan.co.uk. That address is now on my block list and I doubt I'll be buying through them again.
Sadly this is at best a complicated workaround that will only work for people who are motivated enough to remember a separate email and password for each different service, and in addition to this you also have to remember the credentials to manage your email address and check the emails from different sites.
In my case it would mean having about 100 email addresses.
With the rise of mobile apps though, we introduce more usernames and password daily.
I believe there is an easier way to handle user authorisation and here is a post about it: https://gist.github.com/4052818
Of course it's better to have a real password manager, but for most people, who don't or can't be bothered setting this up, this would be a huge step forward since they anyway use the same email and the same password everywhere.
Never, ever, re-use passwords for anything you value.
Most people re-use not only the password, but also their email. This is the worst combination.
If you use an unpredictable, unique email address and a secure password, then even if it leaks on one site, the attacker has no easy way to predict what your email address is going to be on any other site without having access to the list of email addresses.
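The "unpredictable unique string" idea from the first comment, the spam-attribution use (the scan.co.uk case) and the catch-all-domain variant, as an added example that is not code from any commenter or from the linked blog post: each tag is an HMAC over the service name under a private secret, so knowing the alias issued to one site gives no way to guess the alias used on another, and a received address can be matched back to the service it was issued to. The secret, the local part "jane", the domain and the service list are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constructed example secret: generate a real one once (e.g. secrets.token_bytes(32))
# and keep it private; every alias is derived from it, so no list has to be stored.
ALIAS_SECRET = b"example-only-secret-do-not-reuse"

def _tag(service, secret, tag_len):
    """HMAC-SHA256 over the normalised service name, base32-encoded so the tag
    survives case-folding by mail servers and only uses [a-z2-7]."""
    name = service.strip().lower()
    mac = hmac.new(secret, name.encode("utf-8"), hashlib.sha256).digest()
    return base64.b32encode(mac).decode("ascii").rstrip("=").lower()[:tag_len]

def service_alias(service, base_local, domain, style="plus",
                  secret=ALIAS_SECRET, tag_len=10):
    """Per-service address. style="plus" gives user+tag@domain (provider
    plus-addressing); style="catchall" gives tag@domain for an own domain with
    catch-all delivery, which also sidesteps sites that reject '+' in addresses."""
    tag = _tag(service, secret, tag_len)
    if style == "plus":
        return f"{base_local}+{tag}@{domain}"
    if style == "catchall":
        return f"{tag}@{domain}"
    raise ValueError(f"unknown style: {style}")

def attribute_alias(received, base_local, domain, known_services,
                    secret=ALIAS_SECRET, tag_len=10):
    """Spam attribution: find which service an incoming address was issued to.
    Tries both styles; returns the service name, or None if nothing matches."""
    target = received.strip().lower()
    for svc in known_services:
        for style in ("plus", "catchall"):
            alias = service_alias(svc, base_local, domain, style, secret, tag_len)
            if alias.lower() == target:
                return svc
    return None

if __name__ == "__main__":
    # Constructed sample: services a user signed up for, and one address that got spam.
    services = ["Hacker News", "scan.co.uk", "Box"]
    for s in services:
        print(s, "->", service_alias(s, "jane", "example.org"))
    spammed = service_alias("scan.co.uk", "jane", "example.org")
    print("spam to", spammed, "came via",
          attribute_alias(spammed, "jane", "example.org", services))
```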
1) Buy a domain and attach Google Apps to it.
2) Switch on the catch-all email setting in preferences.
3) When registering for a service, use an email like firstname.lastname@example.org or email@example.com etc.
So if your goal is to maintain email-provider independence, then relying on provider-specific features like the '+' modifier works against that goal.
For me though, the main reason I don't use it is most sites that I want to use it on reject the '+' in the address as invalid. It happens enough that I don't bother trying anymore.
What problem are you solving?
The email addresses are not as sensitive as passwords. Sure. If someone gets hold of all of them AND your master password you're in trouble. But same goes to getting your password manager file and the password for it.
The difference is you don't need a password manager software. You can store this list anywhere which is reasonably safe.
As with everything security related, there is a trade-off. I'm not saying it's more secure, but it can be more convenient in certain circumstances and for certain people.
A password manager is more secure (if the master password is and the manager software is safe). A unique email address + unique password with a password manager even more so. Two-factor authentication even more... and so on...
It's just a question of options/priorities. This is still a valid option in my opinion which might work well for some people who don't want / can't use a password manager, but can handle a list of random email addresses...
then I have a catch-all on the domain, and lower the priority of emails that aren't to my normal address, but any important emails get their own forwarder to forward into my main inbox, so I will get the emails on my mobile devices.
Quite effective actually.