Secure e-mail aliases for desktop similar to a password manager?

New to 1Password. Noticed some minor issues, but looks like a password manager is the way to go. Just have to hope it's secure and the info stays secure.

One reason to use a password manager is you can use random usernames for every website without having to remember them or having to use the same username everywhere, as that's what most people do when they have to remember usernames. The randomness for every site is added protection to help keep a fraudster from linking your various accounts together, as I've read of people getting hacked up because a fraudster linked a bunch of their online accounts together and went from company to company data-mining their credentials from employees, for example. The story of the guy who had his computer and phone wiped out, for example.

One problem with that is most places have you use an e-mail for log-in vs. a random username you pick. Though a lot of places who use a username for log-in, like forums, also broadcast that username, which could make using a username less secure than an e-mail address in those examples.

Or they have it set up where you can use either a username or e-mail to log in. So most people have one or two e-mail addresses, and use that to log into all of their sites. So essentially half of your log-in credentials will be the same for a bunch of websites. The other problem is your e-mail address is probably floating around on lists, and so they can use that e-mail list to try and break into sites since they have half of the log-in credentials. Who knows how well those sites protect against attempts to log in. As I believe some places use a hash and/or salt to help keep brute force attacks low? I just know that how a site manages the way you log in can determine how secure that site is compared to another.

Anyways, using an e-mail address for log-in is a huge flaw. One way people hack into accounts is doing the "forget password" and having a reset password sent. And if they gain access to your e-mail account, then they could use that to get into a bunch of your online accounts by doing password resets.

I was wondering if anyone knows of a secure desktop type e-mail system that lets you set up alias e-mail accounts? Was thinking of something similar to 1Password except it manages your various e-mail aliases and also receives e-mails that aren't kept/stored on a server after being downloaded. Or a secure e-mail client that is on the server that lets you set up aliases? I noticed Outlook lets you set up alias e-mail accounts, but it is really limited. Also Outlook would let you pick one or more alias e-mail accounts that are allowed to log into Outlook. The benefit here is you could pick just one e-mail alias that you have set up that is the only one allowed to log into the Outlook account. And you would never share or use that alias e-mail account, thus keeping it off of lists or other places.

The idea I had was to create a new random e-mail alias to use for the e-mail log-in for each site. And this e-mail alias would only be used for that site to log in, and never shared or used to send e-mail or mentioned anywhere. But the kicker is that e-mail address will still take in e-mails, say, notifications from the website you are using it with. So you can still get notifications of new messages or whatever. The thing is you could manage all of the aliases in one secure account.

One bad thing about, say, Paypal is the e-mail address people use to normally log in is the same e-mail address that is used to send payments to strangers. Hopefully this new Apple Pay that is coming out is set up a lot more securely.

Comments

  • Have you ever tried Googling "disposable email?" I just did, and there seem to be many options. I didn't read about their differences, but when I've read about such things, people seem to be interested in using them to manage spam by giving users the ability to know who is responsible for sharing the address. But it seems to me you could use one of them to use a fresh address for every site you register for, if you were so inclined.

    1Password users generally believe that a sufficiently strong password that is never used more than one place is all the protection needed.

  • I've not looked at "disposable email". Though I did search a little, and I don't think that is what I'm looking at. I saw a lot of "temporary" e-mail when searching that. I've got online accounts that are over a decade old that I use e-mail to log into. So that's not "temporary".

    1Password users generally believe that a sufficiently strong password that is never used more than one place is all the protection needed.

    Well they are no different than those who believe two word character passwords are all they need for example. Think of using a "username/e-mail" and "password" to get into an account as two separate credentials needed to get into the account.

    Okay so every website you log into, you need at least two passwords to get in. With a password manager, one of those passwords is long and random for every site. Whereas your other password (e-mail) is the same thing used on probably all of your accounts, and also is floating around on lists out there and shared with others in general. It's no secret: people have lists of "e-mails" and they take those e-mails and use them on many different websites trying to break into accounts. Why help them out? Whenever you get spam, that means that shady person has one half of your credentials needed to get into your accounts and is probably letting everyone else know about it as well.

    We are here for security thus the password manager. I don't understand why someone would only be concerned about securing one half of their credentials and not the other half as well that are used to get into an account.

    It's more complicated than that though, because people can get into your accounts without ever knowing all of your random passwords. If they were to manage to get into your main e-mail account that you use everywhere, then they can do "forget password" on your accounts and get the e-mail and change the password and break into your accounts. That's why I was thinking a desktop e-mail client would be better than one that has you log in via a server. I figure it would be safer if you had a desktop e-mail client that is set up where you can only check e-mail via the desktop and that you CAN'T log into the e-mail account via an online server like what Outlook, Yahoo, gmail, etc. do. But maybe something like that doesn't exist as I'm looking at a desktop e-mail client that gets e-mail and is also for security kind of like 1Password. But maybe there is something close enough that you log into via a server like Outlook. Only thing is you'd have to set it up so that your login ID e-mail is never used and never shared anywhere. That gives you better protection.

    If all of your accounts used the same password, but every username/e-mail on those accounts were all different and never shared, I don't think you would look at that as secure.

    Here's the hack story I was previously referencing. I really think everyone on this board should read this. But this guy got hacked and his computers wiped clean and I believe the hackers never knew his "passwords". So I don't think you need to stop your security at random long passwords that are never repeated.

    http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/all/

    Now I believe that guy had 1Password while he got all hacked up.

    Looks like agilebits has already talked about this hacking:

    https://blog.agilebits.com/2012/08/19/more-than-just-one-password-lessons-from-an-epic-hack/

  • Well, if you're looking for more discussion, I'm not the one to engage you. Perhaps one of the AgileBits security gurus will weigh in. I'm a forum volunteer who tries to help people make better use of 1Password.

  • @baker you seem to have a fundamental misunderstanding about how email clients work. Having a desktop email client in no way removes the necessity of having an email server running on the net somewhere. Moreover, having a desktop email client running profiles does not negate the need for the online mail server to understand those profiles too.

    The problem isn't using the same email address across multiple services. The problem is inconsistent security practices across businesses. Using different mail prefixes might help obscure your account linkages, but security through obscurity almost never survives long. That said, any site that requires you to reveal your email to other users is defective by design. Paypal is a valid example of this.

  • I use @Outlook/Hotmail and @Me/iCloud for different reasons. I use Outlook for all my online stuff and made aliases with it. I have about 8 or so aliases set up and all for different things. I use the main one for very important stuff and never for forums or anything else. Then an alias for forums, one for other apps, and other stuff. I even have ones that I use for signing up for just that I don't care if I have to delete them due to spam and other stuff.

    I use my @Me for family and friends only. This set up seems to work pretty good and I only need 2 email addresses too in theory.

  • jpgoldberg (Agile Customer Care, Team Member)

    Hi all!

    There are ways to create special purpose email addresses, and it can be a valuable thing to do, but before getting into that, I would like to make a different point.

    Don't use knowledge of an identifier for authentication

    Usernames are typically not designed to be secret. They are treated differently by servers and systems than passwords are. You might argue that "sure, usernames aren't secret the way that passwords are, but by doing this I still get some extra security". Indeed, a lot of very smart people take that view with using unique usernames.

    My disagreement with those very smart people is based on what we've seen happen to systems when non-secrets start getting used as secrets. My go-to examples for these are credit card numbers (not chip and PIN) and US Social Security numbers. (For those outside of the US, Social Security numbers are like National Insurance and Tax Payer ID numbers in many countries.)

    Those were never designed to be secret. It is only in the 1970s, when banks in the US began to offer some telephone banking, that knowledge of one's social security number came to be used as an authenticator. My first résumés in the early 1980s had my social security number on them. It very much was not a secret, but it was useful to figure out which "Jeffrey Goldberg" I was, particularly when reporting employment to the tax office. Social Security numbers were designed as identifiers not as authenticators.

    The same is true with Credit Card numbers. The numbers were designed and used to identify which account the parties were talking about. There was nothing secret about them. That changed with the advent of telephone shopping. With telephone shopping, we started using knowledge of the identifier for authentication.

    Skipping ahead 30 years, we are in a position where exposure of things not designed to be kept secret causes big problems. They do get exposed easily because properties of their original design (as identifiers) still hold. I blame this on the fact that various institutions attempted to co-opt identifiers for authentication.

    So even though unique email addresses may seem to make some sense, I react negatively to such schemes as it is trying to co-opt knowledge of an identifier for authentication.

    This extends to some biometrics

    Many biometric measures are better suited for identifiers. Let's take an extreme example: face recognition. Your face is not secret. But if face recognition were to become widespread for authentication, then we would all have to walk around with bags over our heads to prevent people from stealing our faces. But face recognition could be used to improve identification in systems.

    It is easier to surreptitiously capture someone's face than it is to capture their fingerprint or retinal scan, but again, that doesn't change the fact that those are not in principle secret. This is why TouchID is a local-only authenticator for access to the real authenticators. It is useful for some very specific purposes, but it is not a general replacement for authentication.

    Own domain name

    Now that I've tried to explain why one shouldn't do this, I'll talk about how I did this back in the days when I did this. First of all, my purpose wasn't to make logins more secure, instead it was to track which sites and services were leaking my email address to spammers. So I was using this for pretty much anything that involved me signing up with an email address.

    First of all, I had my own domain name. When I was preparing to move from the UK to the US in 2000 and had to give up my Cranfield.ac.uk email address, I decided that this was going to be the last time I was going to change my email address. So I got my own domain name. What I did back then for my mail isn't what I would recommend today, so I will skip that. Today I pay for mail hosting. (I prefer to pay a business whose livelihood depends on providing good mail hosting than to use a "free" service with distinctly different interests.)

    I have mail go to different folders or forwarded differently depending on the local part (the part before the @-sign) of the email address. I can set up a "catch-all" delivery rule for mail that doesn't match any of the explicit local parts that I've specified. (I say "I can" instead of "I do", as I don't do this anymore.)

    I did this for spam tracking, but it required a lot of discipline in keeping a record of which email address I used where, and as I didn't have that discipline, this experiment in tracking wasn't really worth the effort.

    Now using your own domain name will cost money, as may good email hosting for the domain. I'm not advocating that people spend money on that for a scheme that I am actually advising against, but if you have other reasons to have your own domain and proper email hosting, then this becomes a good way to do that.

    Security by obscurity can sometimes be useful, but it shouldn't be built upon

    Concealing identifiers, like usernames or social security numbers, is a form of "security through obscurity". And as much as that is maligned, there are cases where it is useful. But when you start down that road, you should be fully aware of what you are doing. You should be quick to abandon that instead of trying to keep non-secrets secret.

  • First of all, my purpose wasn't to make logins more secure, instead it was to track which sites and services were leaking my email address to spammers.

    I had my own domain name.

    I did this for spam tracking, but it required a lot of discipline in keeping a record of which email address I used where, and as I didn't have that discipline, this experiment in tracking wasn't really worth the effort.

    For me it is pretty much zero effort. I just stick the site's domain name before the @.

  • baker (edited February 2015)

    you seem to have a fundamental misunderstanding about how email clients work. Having a desktop email client in no way removes the necessity of having an email server running on the net somewhere. Moreover, having a desktop email client running profiles does not negate the need for the online mail server to understand those profiles too.

    The problem isn't using the same email address across multiple services. The problem is inconsistent security practices across businesses. Using different mail prefixes might help obscure your account linkages, but security through obscurity almost never survives long. That said, any site that requires you to reveal your email to other users is defective by design. Paypal is a valid example of this.

    I don't believe I ever said using a desktop e-mail client removes the need for a "server". You would obviously need one so you could still get e-mail if your computer is off.

    What I said was I was looking for an e-mail client that lets you set up aliases and lets you pick the ID (e-mail address) that can be used to log in, so you can use a single e-mail address to log in with that is never used anywhere. I'd much rather log in with a unique whatever ID name, but none that I know of currently let you. So that puts a security flaw in getting into your e-mail server.

    Though would be nice if you could group different "aliases" together in separate banks, instead of like Outlook which dumps all of your incoming alias e-mails into a single bank. That would make it easier to keep incoming e-mails separate or banked together by category or something.

    Anyways, I mentioned I was looking at server options, and desktop compatible options.

    But what I mentioned about a desktop option that may be more secure is if that e-mail client didn't let you log into the server to check e-mail like Outlook, Yahoo, g-mail, etc. does. Yes, it would need a server, and I didn't say a desktop option wouldn't need a server. But I thought it could be possible to have a desktop option that doesn't let you log into the server online. That way it could be similar to 1Password in that you could only read the e-mail on the actual computer vs. someone trying to log into the server remotely and read e-mail online like with Yahoo or similar.

    Though maybe that last option isn't possible or yet available and you would need/be able to log into the server and check e-mail online. Just kicking ideas around on that one.

    I think a big part of the problem here is most or many websites have you use an e-mail address for log-in credentials. That's the big problem. I don't think the e-mail issue would be near as big of a concern if every website had you pick whatever log-in credential name you wanted that was never disclosed or shared anywhere. Though there are some websites that have you use a user made-up log-in ID like message boards, but the flaw there is your log-in ID is advertised. I still think you would need a unique e-mail address for every website anyway to help protect against a workaround of "forgot password, send reset link to your public e-mail address that hopefully won't get hacked into".

    I think the reason most places have you use an e-mail for log-in ID is because it is easier to remember. This stuff was designed before the age of "password managers" who could remember it for you. Problem is that causes a security hole.

    It's fairly common knowledge that hackers pull e-mails off of public e-mail lists. And then they take that e-mail address and use it to try and get into the popular online accounts like twitter, facebook, etc. If the e-mail address the hacker has is also used on all of those websites, then it makes it easier for the hacker. Whereas my idea would have you use a unique random e-mail log-in address for every website that is never disclosed or revealed. So there should be a lot less worry about those e-mails floating around for hackers to use and try to get into accounts.

    I do agree that Paypal is more unique in that every time you send a payment, you are flashing your log-in ID e-mail address to those people, who could be bad people, or their e-mails with those Paypal payments could get leaked to hackers or wherever. They could help fix that flaw if, like mentioned above, they didn't have you use an e-mail address to log in with.

  • AGKyle (AgileSupport, Team Member; edited February 2015)

    Going to try to jump in where I can on this:

    What I said was I was looking for an e-mail client that lets you set up aliases and lets you pick the ID (e-mail address) that can be used to log in, so you can use a single e-mail address to log in with that is never used anywhere. I'd much rather log in with a unique whatever ID name, but none that I know of currently let you. So that puts a security flaw in getting into your e-mail server.

    If what you're saying is that you want:

    1) A Login that is separate from any email address you use
    2) Aliases to that login that you can send mail to

    Then Fastmail does this. I use them and have this type of setup:

    1) An email login which is something@fastmail.fm. This is a real email address but I don't use it for anything beyond logging into Fastmail.
    2) Then I have my domains set up and those all alias the something@fastmail.fm email.

    Effectively my login is an email, but it is one that I have never used for anything but logging into Fastmail. The only emails I use are aliases to that email.

    Though would be nice if you could group different "aliases" together in separate banks, instead of like Outlook which dumps all of your incoming alias e-mails into a single bank. That would make it easier to keep incoming e-mails separate or banked together by category or something.

    I believe again that you can use Fastmail for this. I think their use of + addressing and subdomain addressing, in combination with their fuzzy folder matching would do something like this:

    Alias: a@username.domain.tld (username+a@domain.tld)
    Alias: b@username.domain.tld (username+b@domain.tld)

    Would be fuzzy matched to folders for:

    username-a@domain.tld

    and

    username-b@domain.tld

    If those folders exist, more details here:

    https://www.fastmail.com/help/receive/addressing.html

    But what I mentioned about a desktop option that may be more secure is if that e-mail client didn't let you log into the server to check e-mail like Outlook, Yahoo, g-mail, etc. does. Yes, it would need a server, and I didn't say a desktop option wouldn't need a server. But I thought it could be possible to have a desktop option that doesn't let you log into the server online. That way it could be similar to 1Password in that you could only read the e-mail on the actual computer vs. someone trying to log into the server remotely and read e-mail online like with Yahoo or similar.

    This isn't possible without running your own server. Effectively email works like this, in a very simplified manner:

    A client, like Outlook or Mail.app or what have you will allow you to create a draft of an email. When you send that draft it connects to an SMTP server at your email host. This SMTP server then looks stuff up and tries to fire the email across the line to the receiving email server at the receiving domain. Then that server creates an inbox for that user if one exists and adds that email to the inbox. The email sits on this server until Outlook or Mail or whatever checks for mail. Then it shows up on the client software.

    Email is sent in real time, and if it has no server to connect to it will bounce back to the sender. Unless your email client were open 24/7 then you'd basically have no way anyone could contact you. You'd have to run the server locally and as soon as your computer were shut down or sleeping you wouldn't receive mail and those emails would bounce. The purpose of the server is to always be running and then client software like Outlook can connect all the time to the server to get new emails or send new mail.

    Unfortunately, there has to be some server involved to do email, and it's best if those are run on servers that are always running.

    Ultimately though your idea does kind of fall flat. Email is not meant to be a secret. This is what @jpgoldberg was saying in his response above. If you depend on those being secret then you're in for a nasty surprise. Having unique email addresses may add some amount of security but you should not expect those email addresses to remain private. What you can do is possibly try to not have email address reuse, which would mean that not only would you not use the same password anywhere but not the same email address anywhere then it would remove some amount of attack surface. But I'd have to leave it up to jpgoldberg to tell you whether that's worth investing any time in. That said, with Fastmail you could more or less do what you want with the no email address reuse. At least, it seems so based on my understanding of what you're trying to accomplish.
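    To make the two alias-handling schemes in this thread concrete (jpgoldberg's delivery by local part with a catch-all rule, and the plus/subdomain addressing fuzzy-matched to `username-tag@domain.tld` folders described just above), here is an added Python example. It is not Fastmail's code and not anything posted in this thread; the username, domain, folder names, allowed-sender registry and sample messages are all constructed for the demo.

```python
# Added example: route mail for one mailbox by local part, the way the
# thread describes (explicit rules, plus/subdomain aliases fuzzy-matched
# to folders, a catch-all), and flag aliases that receive mail from
# senders they were never given to. All names below are constructed.

USERNAME = "username"      # assumed mailbox name
DOMAIN = "domain.tld"      # assumed base domain

# Constructed folder list; 'username-tag@domain.tld' is the folder
# naming scheme the post above says aliases are fuzzy-matched against.
SAMPLE_FOLDERS = {"username-forums@domain.tld", "username-shop@domain.tld"}


def parse_address(address):
    """Split an address into (local_part, domain), lower-cased.
    Returns None for anything that is not exactly one '@' with text on
    both sides; this is deliberately stricter than RFC 5322."""
    addr = address.strip().lower()
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    if not local or not domain:
        return None
    return local, domain


def alias_tag(local, domain, username=USERNAME, base_domain=DOMAIN):
    """Return the tag of a plus address (username+tag@domain.tld) or of a
    subdomain address (tag@username.domain.tld); None if it is neither."""
    if domain == base_domain and local.startswith(username + "+"):
        return local[len(username) + 1:] or None   # 'username+@' has no tag
    if domain == f"{username}.{base_domain}":
        return local
    return None


def route(address, folders, explicit=None, catch_all=None,
          username=USERNAME, base_domain=DOMAIN):
    """Choose the delivery folder for one recipient address.
    Precedence: explicit per-local-part rule > alias folder that exists >
    bare login address to INBOX > catch-all folder > None (rejected)."""
    parsed = parse_address(address)
    if parsed is None:
        return None
    local, domain = parsed
    if domain not in (base_domain, f"{username}.{base_domain}"):
        return None                       # not our mail at all
    if domain == base_domain and local in (explicit or {}):
        return explicit[local]
    tag = alias_tag(local, domain, username, base_domain)
    if tag is not None:
        candidate = f"{username}-{tag}@{base_domain}"
        if candidate in folders:          # the "fuzzy" folder match
            return candidate
    if domain == base_domain and local == username:
        return "INBOX"                    # the login address itself
    return catch_all                      # None means: no rule, reject


def leak_report(registry, received):
    """Spam-tracking check: registry maps an alias tag to the set of sender
    domains that alias was given to; received is a list of
    (recipient_address, sender_domain) pairs. Returns {tag: {unexpected
    sender domains}} for aliases reached by anyone else."""
    leaks = {}
    for to_addr, sender_domain in received:
        parsed = parse_address(to_addr)
        if parsed is None:
            continue
        tag = alias_tag(*parsed)
        if tag is None or tag not in registry:
            continue
        if sender_domain.lower() not in registry[tag]:
            leaks.setdefault(tag, set()).add(sender_domain.lower())
    return leaks


# Constructed sample data used by the demo below.
SAMPLE_REGISTRY = {"forums": {"forums.example"}, "shop": {"shop.example"}}
SAMPLE_RECEIVED = [
    ("username+forums@domain.tld", "forums.example"),   # expected sender
    ("username+forums@domain.tld", "spam.example"),     # alias leaked
    ("shop@username.domain.tld", "shop.example"),       # expected sender
    ("username@domain.tld", "spam.example"),            # not an alias
]

if __name__ == "__main__":
    for addr, _ in SAMPLE_RECEIVED:
        print(addr, "->", route(addr, SAMPLE_FOLDERS, catch_all="Unsorted"))
    print("leaked aliases:", leak_report(SAMPLE_REGISTRY, SAMPLE_RECEIVED))
```

    The leak report only works if the record of which alias went to which site is kept, which is exactly the discipline jpgoldberg says the scheme demands.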

  • jpgoldberg (Agile Customer Care, Team Member)

    @baker made a number of excellent points, one of which is

    I think the reason most places have you use an e-mail for log-in ID is because it is easier to remember. This stuff was designed before the age of "password managers" who could remember it for you. Problem is that causes a security hole.

    I won't restate what I said about why I think it is a mistake to try to obscure identifiers back in comment #7, but I will repeat that when it comes to usernames, my view is far from universally held. And you are absolutely correct that many sites and services use email addresses for the username for the reasons that you state.

    What that practice does is allow for "fingerprinting". It's not just people breaking into accounts who use that information, but it can be a general privacy issue. For example, perhaps Patty (one of my dogs) doesn't actually want people (or dogs) to know that the account she uses on Cat Fancier's is the same that she uses on Barkbook. Now it takes a great deal of effort and discipline to maintain real anonymity against serious attackers, but if you just want to make things harder for advertisers and the casually curious, you may wish to use unique usernames. (As an aside, please note that lots of forum systems – including the one you are using now, see https://discussions.agilebits.com/discussion/14402/using-gravatars-may-expose-your-email-address#latest – allow for relatively easy de-anonymization.)

    So let me ask more specifically about what 1Password could do to help people who did want to use unique, and perhaps hard to guess, usernames. Would you like to see something akin to our Strong Password Generator that creates usernames? Should it have a configurable @example.com part in its recipes for generating usernames?

    I am not at all suggesting that this is something that will happen, but I wanted to get past the arguments about whether this is wise or not to what is actually requested.

  • What about sites that require that you confirm your registration by responding to a link in an email message? I guess the email address, no matter how it's constructed, must be real.

  • Security by obscurity can sometimes be useful, but it shouldn't be built upon

    This sounds like a topic for an essay or security guidance, so please expand further?

    For example, what is the disadvantage of obscuring the answers to secret questions?

    Just how hard would it be for 1Password to include the same random password generation capability for every field? What advantage over other password managers?

    And, by the way, isn't steganography a form of security by obscurity?

  • jpgoldberg (Agile Customer Care, Team Member)

    Hi @Brighter454! Those are some tough questions.

    Indeed, there are a number of essays on security guidance and security through obscurity. I just looked at the Wikipedia article, and it actually does look like a usable resource. (Many other Wikipedia articles are excellent references, but don't do a good job of explaining the concepts to non-experts.)

    Security through obscurity means that things about the design of a system need to be kept secret for that aspect of security to work. So it usually flies in the face of Kerckhoffs' Principle, which says that we should design our systems under the assumption that the opponent will know everything about the system except the key. One of the several reasons for this is that keys are small secrets and so easier to keep secret, while systems are larger and so much harder to keep secret.

    Let me give an example of where we (correctly) use security through obscurity in 1Password for iOS. If you enable PIN or TouchID unlock in 1Password for iOS, a Master Password equivalent is stored temporarily in the iOS keychain. There are lots of things that protect that secret, but one additional one is that we obfuscate it. It means that if, somehow, an attacker actually gets at that data, she will also have to reverse engineer the obfuscation scheme that we use. Now this is just one additional layer in a system. But (a) it does mean that it is vulnerable to reverse engineering, and (b) that the obfuscation scheme is known to about a dozen people who have access to our source. It is a useful measure, but it isn't something to rely upon.

    So while obfuscation can provide a layer of security, it can't provide a very strong one. But the danger is that people may believe and act as if it is more secure than it really is.

    And, by the way, isn't steganography a form of security by obscurity?

    Hmm. I suppose it could be thought of that way, but the point of steganography is not the same as the point of encryption. Encryption is to keep the contents of a message confidential. Steganography is designed to keep the existence of a message confidential. Now of course it could be used as a layer in a system that is primarily about keeping the contents of the message confidential, but it can also be used in situations where the mere fact of communication needs to be kept secret.

    Cheers, -j

  • Thanks for the thoughtful response to my questions. :)

    In an era when "big data" correlation is used for purposes that range from nefarious to criminal to creepy to offensive, it seems to me there is the potential of less risk from a data breach when an identifier is a random value instead of a genuine first_name.last_name. Admittedly, the random identifier could also be stored (incompetently) in the same record or database as an account holder name, but it seems the obfuscation might offer protection by simply being more difficult to correlate.
