Everything in security is ‘Strength in depth’. This means there is more than one necessary process to secure a ‘thing’. Email requires DKIM, SPF and MFA. DNS should have DoH, RPZ and load balancing to multiple servers.
RTFM
Ask Luminol about how to enable this security solution for the price of a flat white, per week.
This is an excerpt, with South Australian additions. Gina’s original post includes an introduction on the concept of Email forensics, and was originally authored at: https://bitwarden.com/blog/enhance-personal-security-with-strong-unique-passwords-and-email-aliases/#using-email-aliases-to-strengthen-personal-security
Strength in Depth
‘Strength in depth’ is more than a cliché, but like many clichés, its origins are rooted in truths that have subsequently been conflated and misappropriated for the purpose of commercial gain. In this post, I touch on the truth behind Email aliases, Email plus addressing and Multi-Factor Authentication (MFA) for my personal account(s).
For certain logins, I want to add layers of security. These are logins tied to my financial livelihood, which include banking accounts, retirement and investment accounts, credit card accounts, and my Bitwarden account. A breach into any of these accounts can cause severe economic ruin for me and my family so maximum security coverage is paramount when developing my security plan.
To log into an account, you typically need two pieces of information: an email address that acts as the username, and the password. All of my logins already have a strong, unique password as the first layer of security. For logins tied to financial accounts, I also have a unique username for each account. To do so, I created a dedicated email account that is only used to log into these financial services. In addition, Luminol recommends a third (or more – hence, Multi-factor) method of authentication, such as an identity token (e.g. a proof of identity like, but not, a driver’s licence).
How to
To keep my dedicated email hidden from (most) public view, I do not use this email to sign up for any marketing offers or to sign up for any other services. Let’s assume the email dedicated to logging into these financial accounts was [email protected].
Where possible, I use a form of email aliasing to create a unique username for each financial service. I also use ‘plus addressing’ (properly referred to as the ‘subaddress extension’) in my email, in conformance with industry standard RFC 5233 (hxxps://datatracker.ietf.org/doc/html/rfc5233). Plus addressing is where you append +<tag> to the local part of your Email address (the part before the @), and mail sent to that address is still delivered to your mailbox. So, for example, when signing up, I would do the following:
- Go to the QANTAS website.
- Sign up with email being [email protected].
- Generate a strong, unique password with the generator via Bitwarden.
- Create my new account.
Example
So, [email protected], [email protected], etc. are all forwarded to my one, single dedicated email, [email protected] – yet the Email addresses remain unique. Best of all, my mail provider files the plus-addressed emails into separate folders, allowing you to reach the theoretical “inbox zero” even faster! Here is a snippet from my own email, for:

Not all websites allow + in the email or username at sign-up, so you aren’t always able to create a unique username in addition to the unique password.
Examples in South Australia are: RAA, SACA, Ezyreg. This is purely due to the software engineers not implementing the library for RFC 5233 – so, when you are in contact with them, make sure you raise the question: “Why don’t you support plus addressing in your website?” When I did, my call centre operator was very receptive (2022) and raised it as a service ticket for the respective team.
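To make the two points above concrete (plus addresses all land in one mailbox and can be filed by tag; sign-up forms that refuse + are using an over-strict validator), here is an added worked example in Python. It is not code from the original post, from Bitwarden or from Luminol. The addresses and the example.com domain are constructed placeholders, since the page’s own address is redacted; the folder naming is an assumption about how a provider might file plus-addressed mail, and the naive validator is a constructed illustration of the kind of check the page complains about, not any named site’s actual code.

```python
import re
from typing import Optional, Tuple

# Constructed sample addresses (placeholders, not from the page).
SAMPLE_ADDRESSES = [
    "finance+qantas@example.com",
    "finance+bank@example.com",
    "finance@example.com",
    "first.last+tag+extra@example.com",
]

# RFC 5322 "atext" characters allowed in an unquoted local part.
# '+' is a legal atext character, which is the whole point of plus addressing.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
DOT_ATOM = rf"{ATEXT}+(?:\.{ATEXT}+)*"
LOCAL_PART_RE = re.compile(rf"^{DOT_ATOM}$")
DOMAIN_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)


def is_valid_address(address: str) -> bool:
    """Accept any dot-atom local part (including '+') and a hostname-style domain."""
    if address.count("@") != 1:
        return False
    local, domain = address.split("@")
    return bool(LOCAL_PART_RE.match(local)) and bool(DOMAIN_RE.match(domain))


def naive_signup_validator(address: str) -> bool:
    """Constructed example of an over-strict sign-up check: it allows only letters,
    digits, dots, underscores and hyphens in the local part, so every plus
    address is rejected even though it is perfectly valid."""
    pattern = r"[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"
    return re.fullmatch(pattern, address) is not None


def split_subaddress(address: str, separator: str = "+") -> Tuple[str, Optional[str], str]:
    """Split an address into (user, detail, domain) in the sense of RFC 5233's
    :user and :detail parts. The detail is everything after the *first*
    separator in the local part, so 'first.last+tag+extra' gives user
    'first.last' and detail 'tag+extra'. detail is None when there is none."""
    if not is_valid_address(address):
        raise ValueError(f"not a valid address: {address!r}")
    local, domain = address.split("@")
    user, sep, detail = local.partition(separator)
    return user, (detail if sep else None), domain


def canonical_address(address: str) -> str:
    """The mailbox a plus address actually delivers to: the subaddress stripped."""
    user, _detail, domain = split_subaddress(address)
    return f"{user}@{domain}"


def folder_for(address: str, root: str = "INBOX") -> str:
    """Assumed folder layout: one folder per tag under the inbox. The tag is
    sanitised so a hostile detail part cannot inject path separators."""
    _user, detail, _domain = split_subaddress(address)
    if not detail:
        return root
    safe = re.sub(r"[^A-Za-z0-9_-]", "_", detail)
    return f"{root}/{safe}"


if __name__ == "__main__":
    for addr in SAMPLE_ADDRESSES:
        print(
            f"{addr:36} valid={is_valid_address(addr)} "
            f"naive_ok={naive_signup_validator(addr)} "
            f"delivers_to={canonical_address(addr)} folder={folder_for(addr)}"
        )
```

Running the script shows every sample address passing the RFC-style check while the naive validator refuses each one containing +, which is exactly the sign-up failure described above; the canonical form shows that all of the tagged variants collapse onto the single dedicated mailbox.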
If it assists, I also use the built-in authenticator where possible to set up two-step login on these accounts – unfortunately, most financial institutions only support SMS-based two-step login.
Good luck, stay secure.