
Do disposable email addresses really add any security?

Question:

I use Yahoo Mail Plus. I've seen it mentioned in a couple of the articles in
your archives, which I've searched. One of the features of Mail Plus, as you
know, is the use of disposable addresses. I have about 25 to 30 right now for
various registrations and accounts including your newsletter. But after the
Honin debacle, I have to question how secure doing this is as opposed to
opening new email accounts from different providers for each and every
registration. I ask because it strikes me that all of those disposable
addresses I have are ultimately tied to the same password in my Yahoo account.
As near as I can tell, there's no way to set up a unique password for the
disposables. I use a very strong password on my Yahoo account but I still have
to wonder just how much more secure it is using the disposables? So is there
really that much security benefit in using the disposables?

In this excerpt from Answercast #70, I look at why disposable email addresses might be used.


Disposable email addresses

My take is no. Ultimately, that's not really what disposable email
addresses are about.

What they're really about is managing spam: managing people that misuse your
email address.

For example, let's say you sign up for a newsletter and you use a disposable
email address to do so. That newsletter then sells your email address to
spammers or somehow turns into a spammer itself. You can then immediately,
and permanently, remove all of that spam and stop getting any more spam
sent to that email address by simply disposing of the disposable email
address. In other words, by doing whatever Yahoo lets you do to stop receiving
email sent to this disposable email address.

That's the point of disposable email addresses. That's why they're called
disposable.

They're not really a security measure in the sense that you're talking
about and in the sense of the set of circumstances that led to Matt Honin's
getting hacked some months ago.

Securing email accounts

What you care about most is that your accounts are (as much as they can be)
independent of one another. Now, I'm not saying that your subscriptions, and so
forth, are.

For example, if you have a Yahoo account and a Gmail account, make sure that
they are not the alternate email address for each other, because
that way someone who hacks one can then hack the other.

The right way to do it is to potentially have a third,
intermediate account that you would use only for recovery and so
forth.
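
The dependency described above can be checked mechanically. The following is an added example, not part of the original article: it treats each account's alternate (recovery) address as a link and works out which accounts fall if one is taken over. The addresses and function names are constructed placeholders.

```python
from collections import deque

# Constructed sample data: account -> addresses allowed to reset its password.
RECOVERY_PAIRED = {
    "me@yahoo.example": ["me@gmail.example"],
    "me@gmail.example": ["me@yahoo.example"],
}
RECOVERY_INDEPENDENT = {
    "me@yahoo.example": ["recovery@third.example"],
    "me@gmail.example": ["recovery@third.example"],
    "recovery@third.example": [],  # used only for recovery, never handed out
}

def blast_radius(recovery, compromised):
    """Return every account that is lost once `compromised` is taken over."""
    # Invert the map: recovery address -> accounts it is able to reset.
    can_reset = {}
    for account, alternates in recovery.items():
        for alt in alternates:
            can_reset.setdefault(alt, set()).add(account)
    lost = {compromised}
    queue = deque([compromised])
    while queue:  # breadth-first walk along "can reset" links
        current = queue.popleft()
        for account in can_reset.get(current, ()):
            if account not in lost:
                lost.add(account)
                queue.append(account)
    return lost

def mutual_pairs(recovery):
    """Return pairs of accounts that are each other's alternate address."""
    pairs = set()
    for account, alternates in recovery.items():
        for alt in alternates:
            if alt != account and account in recovery.get(alt, ()):
                pairs.add(frozenset((account, alt)))
    return pairs

if __name__ == "__main__":
    for name, setup in (("paired", RECOVERY_PAIRED),
                        ("independent", RECOVERY_INDEPENDENT)):
        print(name, "mutual pairs:", [sorted(p) for p in mutual_pairs(setup)])
        for start in sorted(setup):
            print("  if", start, "falls ->", sorted(blast_radius(setup, start)))
```

In the independent layout, losing either everyday account exposes only that account, while the recovery-only account can reset both, which is why it should be used for nothing else.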

The Honin articles that I have go into that in a little bit more detail.

Disposable email addresses for security?

But I want to be clear about this use of disposable email addresses. I
don't consider them a security measure in the sense of securing these
accounts.

They are a convenience and a spam management tool - to let you deal with how
other people might misuse the email address that you've actually given to
them.

So, the best thing you've done so far is to make sure that you've got a very
strong password. That's fantastic.

As always, all of the other security measures apply. Make sure there's no
malware on your machine so that someone isn't capturing your very secure
password as you're typing it in. Make sure you're using open Wi-Fi hotspots
correctly, if you're using them at all.

Those kinds of things are what really play into the security of this
account.


3 comments on “Do disposable email addresses really add any security?”

  1. Hi Leo, I have yahoo.com and it is running IE 9.
    I run Windows 7 pro 64 bit. I have a credit union
    account and a bank checking account. Recently I
    could not log on to my credit union account. Changing some settings in IE 9 corrected that.
    Now my bank is changing their settings. They list
    three recommended browsers and Yahoo.com
    is not on the list. MS IE 9 is on the list. They intend to do a phone callback to verify a logon.
    My phone is a hardwired line (voice AT&T) and
    I have Cspire cells. Has IE 9 changed or has the
    security of the banking business changed? Yahoo
    is considered a browser, isn't it? What are they doing over the phone? Phone service is not good.
    Thanks

  2. @Esley,
    Yahoo.com is not a browser. It is a website. You use your browser (IE 9) to go to the website (yahoo.com). That’s probably what’s confusing you. You won’t find Yahoo on the list of browsers.

    So you’ll be using your IE 9 browser for your banking. If you are having any troubles with settings your bank will probably help you with that.

  3. To original question person,

    It sounds like you are assuming that you must open a brand new and different email account for each newsletter or organization that you belong or subscribe to. Which could mean that you would be trying to manage dozens or hundreds of different email accounts – a nightmare.

    I would suggest using just a few email accounts, and make sure that your login credentials at the newsletter sites are (a) using different passwords from each other, (b) using a strong password and perhaps a different user ID, (c) grouped in a way that makes sense to you.
    You can use the same email address for multiple newsletter signups, as each would be having a different -strong- password.

    For example, ‘mytechnews@emailvendor.com’ you could have Leo’s newsletter, and pcworld and macworld, etc. And your different address of ‘myhealthnews@emailvendor.com’ you would have various webmd and etc health newsletters.
    And so on.
    Let's assume you subscribe to 50 newsletters. At the end of your reorganization, you would have, say, 4 or 5 email accounts, used for a total of 50 newsletters, and 50 unique and strong passwords.
    Much more manageable than 50 separate email accounts.

    And of course, using some kind of password manager, either on your computer or web-based, will help to manage this.

    As Leo states, disposable email accounts are not for security, but to be able to ‘dump’/dispose of that email address if it starts to collect a bunch of spam. (In fact, some of the independent disposable email vendors do not even use passwords on the address – thus there is no security at all.)

