I think it's a good practice to always use unique, unpredictable email addresses when signing for online services.
1. Most people use the same or similar password, so once one account gets hacked, the attacker is probably able to use many other accounts on different services with the same email address/password combo.
2. It's easier to spot services that spam, or that leak your email address (I became aware of a leak of email addresses on Box... luckily it was only emails that got leaked, at least according to Box support).
3. It's easier to block spam, once a service misbehaves or gives away the email.
update: (if blog post is too long...) this does not mean setting up hundreds of different email accounts. On most services like hotmail, google and yahoo you can simply append some unique string to your email address, e.g. firstname.lastname@example.org. Making this unpredictable is important however, so appending +facebook and +twitter is not helping much though...
Are you suggesting to have a different email address for every online service we use? Today I manage about 100 different unique passwords for every online service. This is already very inconvenient. Adding as well as having different bogus email addresses would be at least 2 times more difficult!
I think something is really broken in today's web authentication scheme. I think there is really huge need for some independent and reliable service (Mozilla's Personas maybe).
While I don't necessarily agree with your parent's post, there's a relatively simple solution here. If you're using gmail, you can use the + operator to automatically tag emails. Here, it serves an alternative purpose.
For example, if my email is email@example.com, then I would use firstname.lastname@example.org when signing up for Hacker News.
Skipping over the fact that most email providers don't necessarily support this, and that not all websites/services will allow it (not saying they are right not to), this creates a whole new set of things to remember as even something as simple as +hn (which is surely simple enough that anyone could guess it) could be tougher on other sites, e.g. is Reddit +rd, +re, or...?
To carry this idea further, the +descriptor email trick has backfired on me before. Sometimes sites require an email login and it takes me several tries to even remember what my +descriptor was.
Sometimes, I don't actually remember and just end up going to my inbox to find an email from the site so I can look up what I used.
Another time, this backfired on me when I purchased concert tickets using a +descriptor email and couldn't login. The purchase form and login form had different validation rules, so the purchase form accepted my +descriptor email and charged me for it. The login form rejected my +descriptor email and I was rushing to contact customer service to print my ticket in time.
I do it, and have done it for a pretty long time. In the vast majority of cases, it's (almost) in the form of email@example.com - which is usually pretty easy to remember.
If someone was directly targeting me, and had my email address from another site, they could probably figure out what I'd used elsewhere. But if it's just a script running through email addresses harvested from site A, then mine will almost always be irrelevant on site B.
The main reason I use it though is that it's a great way to figure out where spam is coming from. Last week for instance I got a "male enhancement" spam from an email address I've only ever given to scan.co.uk. That address is now on my block list and I doubt I'll be buying through them again.
Sadly this is at best a complicated workaround, that will work for people that are motivated enough to remember for each different service a separate email and password and additionally to this you have to remember as well the credentials to manage your email address and check the emails from different sites.
In my case it would mean having about 100 email addresses.
You actually don't need separate emails for this. You can use (firstname.lastname@example.org, Gmail supports it and others too I'm sure). Or you can use your own domain (Google Apps makes this really trivial) and have the part before @ be the sitename (that's what OP suggests) and then have a catch-all address. You might receive slightly more spam if you turn on catch-all, but I have a setup like this and it works.
http://www.keepassx.org/ is a free and open-source password manager. It makes using almost infinite numbers of accounts easy to use. If you use secure passwords they are like not possible to remember anyways.
I think it's possible to flip the order. Instead of managing 100 passwords for each account, manage 100 emails and ONE password for all accounts. Make sure your password is really strong, and you should be better-off than managing those 100 passwords, which require a secure password manager.
Of course it's better to have a real password manager, but for most people, who don't or can't be bothered setting this up, this would be a huge step forward since they anyway use the same email and the same password everywhere.
did you actually read what I was saying on the blog post or the comment?
Most people re-use not only the password, but also their email. This is the worst combination.
If you use an unpredictable, unique email address and a secure password, then even if it leaks on one site, the attacker has no easy way to predict what your email address is going to be on any other site without having access to the list of email addresses.
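One way to get the "unpredictable, unique address per service" property the thread keeps coming back to, without a list of 100 addresses to keep, is to derive each alias from a secret with an HMAC and recompute it on demand. The script below is an added example written for this page, not code from the blog post or any commenter; it assumes a catch-all domain you control (example.org here), a plain address for humans (me@example.org) and a placeholder secret, all constructed for the example. It also shows the two things commenters say they use the scheme for: working out which service an address was handed to when spam arrives at it, and sorting catch-all mail so that only the main address and a few important services reach the inbox.

```python
import base64
import hashlib
import hmac
import re
from typing import Iterable, Optional

# Assumptions (constructed for this example): a domain you control with a
# catch-all mailbox, the plain address you give to people, and one secret.
# The secret is the only thing you must protect; every alias is derived from it.
DOMAIN = "example.org"
MAIN_USER = "me"
SECRET = b"replace-with-a-long-random-secret"  # placeholder, not a real key


def _label(service: str) -> str:
    """Short, address-safe prefix so the alias is recognisable to a human.
    'Hacker News' -> 'hackernews', 'scan.co.uk' -> 'scan'."""
    first = service.strip().lower().split(".")[0]
    return re.sub(r"[^a-z0-9]", "", first)[:12] or "svc"


def alias_for(service: str, secret: bytes, tag_len: int = 10) -> str:
    """Derive the address to give to one service.

    The tag is the first tag_len base32 characters of
    HMAC-SHA256(secret, service name). Ten characters carry 50 bits, so
    someone who harvests the alias used on site A cannot work out the
    alias used on site B without the secret, unlike '+facebook'/'+twitter'.
    """
    name = service.strip().lower()
    mac = hmac.new(secret, name.encode("utf-8"), hashlib.sha256).digest()
    tag = base64.b32encode(mac).decode("ascii").lower()[:tag_len]
    return f"{_label(service)}.{tag}@{DOMAIN}"


def identify_service(address: str, secret: bytes,
                     known_services: Iterable[str]) -> Optional[str]:
    """Reverse an alias to the service it was issued to by recomputing the
    aliases of every service you have signed up with. Returns None when the
    address is not one you issued (guessed, mistyped or forged local part)."""
    addr = address.strip().lower()
    for svc in known_services:
        if alias_for(svc, secret) == addr:
            return svc
    return None


def triage(recipient: str, secret: bytes, known_services: Iterable[str],
           important: frozenset = frozenset()) -> str:
    """Routing decision for a catch-all domain: mail to the main address or to
    an alias of an 'important' service goes to the inbox, other aliases are
    low priority (and name the service that is writing or leaking), and
    anything else is a suspect address nobody was ever given."""
    addr = recipient.strip().lower()
    if addr == f"{MAIN_USER}@{DOMAIN}":
        return "inbox"
    svc = identify_service(addr, secret, known_services)
    if svc is None:
        return "suspect"
    return "inbox" if svc in important else f"low-priority:{svc}"


if __name__ == "__main__":
    services = ["skype", "scan.co.uk", "Hacker News"]
    for s in services:
        print(f"{s:12} -> {alias_for(s, SECRET)}")
    # Constructed inbound sample: spam arriving at the address given to one shop only.
    spam_to = alias_for("scan.co.uk", SECRET)
    print("spam received at", spam_to, "-> issued to:",
          identify_service(spam_to, SECRET, services))
    print(triage(spam_to, SECRET, services, important=frozenset({"skype"})))
```

Because the alias is a function of the secret and the service name, the only thing to remember or store is the secret and the list of service names; the addresses themselves need not be kept anywhere, which is the trade-off the thread discusses (the secret must be protected as carefully as a password-manager master password). The label prefix is there for the human and for attribution; the unpredictability comes entirely from the HMAC tag.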
Yeah, you could do that as well. I just don't like the idea that someone holds my email address. After reading a few stories where Google/Microsoft blocks access to email, I decided to move my email to a custom domain. In case of any issues all I have to do is change MX names to a new provider to start receiving my mails again.
Yes, but one of the great things about having GApps with your own domain name, is that you are not tied to Google as an email provider, and can easily switch. If you use something like the '+' modifier, then if you switch away you need to switch to someone that supports the same modifier.
So if your goal is to maintain email-provider independence, then relying on provider-specific features like the '+' modifier works against that goal.
For me though, the main reason I don't use it is most sites that I want to use it on reject the '+' in the address as invalid. It happens enough that I don't bother trying anymore.
The problem I was trying to solve is of many people who use the same password and email everywhere, and who won't use a password manager or feel it's too complicated to install or use etc.
The email addresses are not as sensitive as passwords. Sure. If someone gets hold of all of them AND your master password you're in trouble. But same goes to getting your password manager file and the password for it.
The difference is you don't need a password manager software. You can store this list anywhere which is reasonably safe.
It is only easier in the sense of not having to install or use a password manager, and that the email addresses themselves are not as sensitive as the password.
As with everything security related, there is a trade-off. I'm not saying it's more secure, but it can be more convenient in certain circumstances and for certain people.
A password-manager is more secure (if the master password is and the manager software is safe). A unique email address + unique password with a password manager even more so. two-factor authentication even more... and so on...
It's just a question of options/priorities. This is still a valid option in my opinion which might work well for some people who don't want / can't use a password manager, but can handle a list of random email addresses...
what I do is intersperse the site name with my username at my domain e.g. for skype:
then I have a catch-all on the domain, and lower the priority of emails that aren't to my normal address, but any important emails get their own forwarder to forward into my main inbox, so I will get the emails on my mobile devices.