It is time to get more serious about protecting your email

Did you get a strange email last week from someone you didn’t know, with one of your old passwords in the subject line? I did, and I heard many others were targeted by this criminal extortion campaign. Clearly, the messages were sent out by some kind of automated mailer working from a huge list of passwords harvested from earlier data breaches. (You can check whether your email address appears in a known breach on this list.) It really annoyed me, and I got a few calls from friends wanting to know how this criminal got hold of their passwords. (BTW: you shouldn’t respond to this email, because replying confirms that your address is live and makes you more of a target.)

But the question that I asked my friends was this: Do you still have logins that make use of that password? You probably do.

Email is inherently insecure. Sorry, but it has been that way since its invention, and it still is. Most of us don’t give its security the attention it needs and deserves. So if you got one of these messages, or if you are worried about your exposure to a future one, I have a few suggestions.

First, you need to read this piece by David Koff on rethinking email and security. It brought to mind the many things that people today have to do to protect themselves. I urge you to review it carefully. Medium calculates it will take you 17 minutes, but my guess is that you need to budget more time. There is a lot to unpack in his post, so I won’t repeat it here.

Koff suggests a lot of tools that you can use to become more secure. I am going to give you just four of them, listed from most to least important.

  1. Set up a password manager and start protecting your passwords. This is probably the biggest thing you can do to protect yourself, because it makes it easy to use a strong, unique password for every account, so a password leaked from one site can’t be replayed against your other logins. I use LastPass.com, which is $2 per month. For many of my accounts, I don’t even know my passwords anymore because they are just some combination of random letters and symbols. If you don’t want to pay, there are many others, which I reviewed at this link, that are free for personal accounts.
  2. Create disposable email addresses for all your mailing lists. Koff suggests 33mail.com, which gives you aliases that forward to your real mailbox. Throwaway-inbox services such as Mailinator.com, temp-mail.org, and throwawaymail.com work differently: they are public or unauthenticated inboxes, so assume anyone who learns or guesses the address can read the mail sent to it, and never use one for an account you care about or that can send you a password reset. The hard part is unsubscribing from mailing lists with your current address and re-subscribing with the new disposable ones.
  3. Even with a password manager, turn on two-factor authentication (2FA) for your most sensitive logins, above all your email and financial accounts. An authenticator app or a hardware security key is stronger than a code sent by SMS. Use it for as many accounts as you can.
  4. Finally, if you are still looking for something to do, at least try encrypted email. Protonmail.com is free for low-end accounts and very easy to use. Bear in mind that a message is only encrypted end to end when both parties use an encrypted service (or you send a password-protected message); mail to an ordinary address travels as usual.
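Two pieces of the advice above are easy to turn into a check you can run yourself: whether a password you still use is already in a breach corpus (the question asked in the opening paragraphs), and what a password manager actually does when it generates one. The script below is an added example and is not part of the original post or of any product mentioned in it. It uses the k-anonymity range lookup that the Pwned Passwords service exposes, but runs offline against a constructed stand-in for one range response; the breach counts in that stand-in are made up, and `online_fetch` is provided only for readers who want to query the real endpoint.

```python
import hashlib
import secrets
import string
import urllib.request
from typing import Callable, Dict, Tuple

# Pwned Passwords uses k-anonymity: the client sends only the first five hex
# characters of the password's SHA-1 to
#   https://api.pwnedpasswords.com/range/<prefix>
# and gets back every suffix in that range as "SUFFIX:COUNT" lines. The full
# hash, and the password itself, never leave your machine.
API_RANGE = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 of `password` into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times `password` appears in the breach corpus (0 if never).

    `fetch_range(prefix)` returns the text body for that prefix: pass
    `online_fetch` for the real API, or `offline_fetch` for the sample below.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        if ":" not in line:
            continue
        sfx, count = line.strip().split(":", 1)
        if sfx.upper() == suffix:
            return int(count)
    return 0


def online_fetch(prefix: str) -> str:
    """Query the real range endpoint (network required; not used by the sample run)."""
    req = urllib.request.Request(API_RANGE + prefix,
                                 headers={"User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for one range response so the example runs offline.
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its prefix
# is 5BAA6 and its suffix is the first line below. The counts are made up.
OFFLINE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "00000000000000000000000000000000000:2\r\n"
    ),
}


def offline_fetch(prefix: str) -> str:
    return OFFLINE_RANGES.get(prefix, "")


# What a password manager does for you: a long string drawn from a
# cryptographically secure random source, different for every site.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}:;,.?"


def generate_password(length: int = 20) -> str:
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for candidate in ("password", generate_password()):
        n = pwned_count(candidate, offline_fetch)
        verdict = f"seen {n} times, replace it" if n else "not in the sample corpus"
        print(f"{candidate!r}: {verdict}")
```

If you point `pwned_count` at `online_fetch`, the only thing that crosses the network is a five-character hash prefix, which is why this check is safe to run on passwords you actually use; a hit means that password should be retired everywhere it is still in service, which is exactly the situation the extortion emails exploit.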

There is a lot more you can do to make yourself more secure. Please take the time to do the above before someone tries to steal your money, your identity, or both.

5 thoughts on “It is time to get more serious about protecting your email”

  1. My colleague Dave Crocker wrote some very cogent comments:

    Advice like this is, of course, well-intentioned and all looks reasonable. However, although the suggestions are all commonly offered by experts, they impose undue burdens on users, which therefore creates a barrier to use that is onerous for those who don’t have as much motivation and diligence and technical skill. Sadly, that is most people. In statistical terms for the global Internet population, it probably rounds up to 100%.

    My issue is that security professionals expect regular users to have a clear and precise understanding of what ‘security’ and ‘privacy’ protections are, and are not, provided. But that’s not users’ fault. Our industry muddles the terms every day — both are umbrella terms having no specific technical meaning — along with relying on unrealistic usability models. The sad reality is that, as of now, we have no demonstrated ability to solve these issues at scale.

    Okay, so let me suggest some alternatives to your tools that both provide benefit and are better tuned to reality.

    1. Use a small, stable number of category-based, separate email addresses. The essence of this approach is to define a small enough set to be manageable by average users and meaningful enough to do a useful job of separating identifier use. Not (as you suggest) one per list. Something in the range of 3-5 different addresses. Of these three, one could be for person-to-person mail; think of it as your ‘primary’ address. One is for transactional mail with companies — an elaboration is to have two different addresses, to distinguish ‘important’ business relationships from lesser ones. And one address for all your mailing lists. Use more addresses, for more categories, only to the extent you find comfortable.

    2. A good password manager probably is the better choice over alternatives. While I have concerns (centralized point of failure, risk of all your passwords being leaked if the master password is breached and so forth), it probably makes sense for most users. Or you could formulate a small set of separate passwords that are sufficiently mnemonic so you can recognize and even remember them.

    But this still needs external storage: Rather than rely on a highly specialized and ‘private’ tool, use an existing tool, such as your address book, to store a compressed version that is not easily understood by a stranger. For example a password of goodpassword might be stored as gp or gopa. The premise is that your using it regularly will mean that the compressed string will be easy for you to use as a memory aid but won’t have clear meaning to any other reader.

    3. Don’t ever click a link sent via email. Ever. Even if you think it is safe. Formulate the URL on your own. Always. This means don’t cut and paste into a browser session, but retype it completely.
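The third point in the comment above (never click a link sent in email) rests on the fact that the text you see in a message and the address the link actually opens are two different things. The script below is an added example, not code from the commenter or from the post; it extracts every anchor from an HTML email body and flags the tricks that make retyping the URL safer than clicking: a link whose visible text names one host while its target is another, a target that is a raw IP address, and a target outside the domains the sender is known to use. The message body is constructed for the example, using the reserved 198.51.100.0/24 range and the reserved `.test` TLD, with example.com standing in for the bank.

```python
import re
from html.parser import HTMLParser
from typing import List, Set, Tuple
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


# Visible text that itself looks like a URL or hostname, e.g. "https://accounts.example.com"
_LOOKS_LIKE_URL = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/?#]\S*)?", re.I)
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _host(s: str) -> str:
    """Lower-cased hostname of a URL or bare domain string ('' if none)."""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def audit_links(html_body: str, trusted_domains: Set[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (href, visible_text, reasons) for each anchor that fails a check.

    trusted_domains holds the registrable domains the sender legitimately uses;
    their subdomains pass, lookalikes such as example.com.evil.test do not.
    """
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        reasons = []
        target = urlparse(href if "://" in href else "http://" + href)
        host = (target.hostname or "").lower()
        if target.scheme not in ("http", "https"):
            reasons.append(f"non-web scheme {target.scheme!r}")
        if _IPV4.match(host):
            reasons.append(f"link target is a raw IP address ({host})")
        if _LOOKS_LIKE_URL.fullmatch(text) and _host(text) != host:
            reasons.append(f"visible text says {_host(text)} but the link goes to {host}")
        if not any(host == d or host.endswith("." + d) for d in trusted_domains):
            reasons.append(f"{host or '<no host>'} is not a domain this sender is known to use")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed phishing-style body for the example (not a real message).
SAMPLE_HTML = """\
<p>Dear customer,</p>
<p>Please <a href="http://198.51.100.23/login">sign in</a> to confirm your details, or go to
<a href="https://accounts.example.com.evil.test/verify">https://accounts.example.com</a>.</p>
<p>Questions? Read <a href="https://help.example.com/faq">our FAQ</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reasons in audit_links(SAMPLE_HTML, {"example.com"}):
        print(f"[{text}] -> {href}")
        for reason in reasons:
            print("   -", reason)
```

Run as-is, the two phishing anchors are reported and the genuine `help.example.com` link is not. The same logic is what a mail gateway applies at scale; for an individual the lesson is the one Crocker draws, since the address bar of a browser you typed into cannot be spoofed by the sender.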

  2. It can be difficult and cumbersome to have multiple email accounts for the various purposes described here. I’d suggest that those seeking a balance of convenience and security (it’s always a challenge to strike that balance, isn’t it?) consider using a Gmail address with multiple extensions on it following the “+” sign. For example, if your personal email address is JoeSmith@gmail.com then you could use JoeSmith+shopping@gmail.com for your purchases and shopping site registrations, JoeSmith+subscriptions@gmail.com for your newsletters, etc.

    All of these emails will arrive in the same place but simple rules make it easy to discern what is coming from where and simplifies unsubscribing or just deleting a whole category of emails as they arrive if you so choose.

    From a pure security standpoint I’m with David in regards to the password managers. I’d point out here that Mac and iOS users have one built into their devices. I, like David, don’t know what any of my passwords are anymore. They get filled in automatically (just as they do with LastPass, Dashlane, 1Password or any of the others – they all work similarly) and the protection is the password on my iOS devices (a complex one or my fingerprint) or on my laptop (a much more complex one that I have to enter several times a day but is worth it for the security it offers).

    Also, neither David nor Dave Crocker mentioned two-factor authentication. Personally I think it’s just nuts to use any email system that doesn’t offer it, and even crazier – or at least just dumber – not to use it if it is offered. The time it takes to use 2FA is a small price to pay when compared to the time, hassle and financial risk of getting hacked.

    Finally, encryption is a great idea but it’s just too cumbersome for most people. For that I wag a finger at the providers – Apple, Microsoft, Google, etc., – who should be making this a standard feature of every email application.

    There is important information in this article and readers should heed it. Emails contain the most personal information you’ll transmit (text messages are just as bad) so it makes sense to spend the extra time to protect them.

    Thanks for publishing this information. We need more of it – and regularly!
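The plus-addressing scheme in the comment above, and the category-based addresses Crocker proposes, both rely on the same idea: each organization gets its own address, so incoming mail can be sorted by the address it arrived at, and an address that turns up from a sender you never gave it to tells you who leaked or sold it. The script below is an added example, not the commenter’s or Crocker’s own code; it parses constructed messages with Python’s `email` module, normalizes Gmail addresses (dots in the local part are ignored, the `+tag` is split off), routes each message to a category, and raises an alert when a tag is used by an unexpected sender or was never handed out at all. The mailbox address and the alias registry are assumptions for the example.

```python
import email
from email.utils import getaddresses, parseaddr
from typing import Dict, Optional, Set

MY_MAILBOX = "joesmith@gmail.com"   # assumed address of the mailbox owner

# Which tag was handed to which organization. Constructed for this example;
# in practice you keep this list wherever you keep your passwords.
ALIAS_REGISTRY: Dict[str, Set[str]] = {
    "shopping":      {"shop.example"},
    "subscriptions": {"news.example", "weekly.example"},
    "bank":          {"bank.example"},
}


def split_plus_tag(addr: str):
    """'Joe.Smith+shopping@gmail.com' -> ('joesmith', 'shopping', 'gmail.com').

    Gmail ignores dots in the local part, so they are removed for gmail.com
    and googlemail.com to make 'joe.smith' and 'joesmith' compare equal.
    """
    local, _, domain = addr.strip().lower().partition("@")
    base, _, tag = local.partition("+")
    if domain in ("gmail.com", "googlemail.com"):
        base = base.replace(".", "")
    return base, tag, domain


def classify(raw_message: str) -> Dict[str, Optional[str]]:
    """Return the category a message belongs to and an alert if an alias is misused."""
    msg = email.message_from_string(raw_message)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    my_base, _, my_domain = split_plus_tag(MY_MAILBOX)

    for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])):
        base, tag, domain = split_plus_tag(addr)
        if (base, domain) != (my_base, my_domain):
            continue                      # addressed to someone else
        alert = None
        if not tag:
            category = "primary"
        elif tag in ALIAS_REGISTRY:
            category = tag
            if sender_domain not in ALIAS_REGISTRY[tag]:
                alert = (f"alias +{tag} was given only to {sorted(ALIAS_REGISTRY[tag])} "
                         f"but this mail is from {sender_domain}: it was shared, leaked or sold")
        else:
            category = "unknown-alias"
            alert = f"alias +{tag} was never handed out; the address was guessed or harvested"
        return {"category": category, "tag": tag, "sender_domain": sender_domain, "alert": alert}
    return {"category": "not-for-me", "tag": "", "sender_domain": sender_domain, "alert": None}


# Constructed messages; only the headers matter for this example.
MSG_ORDER = """\
From: orders@shop.example
To: "Joe Smith" <joesmith+shopping@gmail.com>
Subject: Your order has shipped

Tracking number inside.
"""

MSG_LEAKED = """\
From: deals@spam.example
To: joe.smith+shopping@gmail.com
Subject: Hot offers

You won't believe these prices.
"""

MSG_FRIEND = """\
From: alice@friend.example
To: joesmith@gmail.com
Subject: Lunch?

Thursday?
"""

MSG_GUESSED = """\
From: admin@spam.example
To: joesmith+admin@gmail.com
Subject: Account notice

Please verify.
"""

if __name__ == "__main__":
    for name, raw in (("order", MSG_ORDER), ("leaked", MSG_LEAKED),
                      ("friend", MSG_FRIEND), ("guessed", MSG_GUESSED)):
        r = classify(raw)
        print(f"{name:8} -> {r['category']:14} {r['alert'] or ''}")
```

One caveat the comment does not mention: a `+tag` is trivial for a spammer to strip, so plus addressing gives you attribution (which recipient leaked) but not isolation; mail to `joesmith@gmail.com` still lands in the same inbox. Forwarding aliases on a separate domain, as 33mail provides, or the distinct mailboxes Crocker suggests, are what you need if the goal is to be able to shut a leaked address off.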

