Do you use email aliases for important / sensitive / financial / legal accounts?
I heard that Jonah Aragon, Henry Techlore, and Josh AllThingsSecured trust aliases only for accounts that are fine to lose.
I wanted to use Proton Mail + its aliases service for all accounts. So this true email is never used as a login anywhere. But now I’m confused if it’s wise.
I realize 2 risks:
Lock up risk - service ceases to exist. If you trust Proton as email provider - no additional risk to use its aliases?
Eavesdropping risk - man in the middle. Mitigated by open-source?
It’s not stored in plain text. It’s scanned for spam, then encrypted. For simple login it’s scanned for spam, then deleted after it’s delivered. They could keep it in plain text when legally required to, but you shouldn’t be using Proton if LE is a concern anyways.
If the alias provider and your email provider are the same, then there’s no risk really. But yeah, I think for important things you can just give them your real email address.
In addition to other thoughts in this thread, you may want to note which accounts have which alias. I do that with an extra field in KeePass and Bitwarden.
It also helps to track down if an alias lands in an illicit data pull: you know which accounts need to get a new email address so you can kill that leaked alias.
I use aliases for everything possible. Except where I’ll be talking to real people I’ve met face to face.
Almost all the businesses where a computer is sending me confirmations/receipts get an alias.
I thought aliases were paranoid, then a utility was compromised and Proton notified me that my name, email, and other identifying stuff was leaked. So now everything gets an alias.
I’m also using aliases for everything. My break-glass “main” email address is Disroot, since they don’t delete accounts for inactivity. Then I registered on addy.io using the Disroot address, used the addy alias as my domain registrar login, and registered a .co.uk domain for the max of 10 years. Since .co.uk is dirt cheap, it cost me just $50. My domain registrar gave free mail hosting too, so assuming they don’t go bankrupt in 10 years, I’ve got a domain plus email host for the next 10 years for a dirt cheap $50. I activated catch-all on the email and used 1 unique alias per service, not used anywhere else. Since they’re unique, if one leaks or gets spam I’ll know the culprit.