> Someone would need to know what accounts you have (which are not stored on my email)

Aren’t they?

Access to your emails means access to your messages. If I see you get a lot of Amazon email, I can reasonably assume you have an Amazon account.

Most services send you emails at least on registration.

> then know the password to access them.

Nope. Because I have your email account. And the usual method for resetting a password is via an email sent to your email account. That I’ve already compromised.

> That’s if they are able to bypass the 2FA I have set on each account that offers it.

That last part is a pretty big asterisk. Sites that offer it are in the minority still. That also assumes your 2FA method isn’t email.

> And it’s also too bad for them, because I use a different email address per account, which can be rotated and changed (if the damn site allows you to update your email).

You do realise the average person will never do this, right?

I’d also note that often 2FA can be disabled with access to the registered email account. People lose shit, services have to offer recovery options. That’s usually via email.
> Access to your emails means access to your messages. If I see you get a lot of Amazon email, I can reasonably assume you have an Amazon account.

Yes, you can assume EVERYONE has a Google, Amazon, Facebook, or Reddit account, right?

But this is why I use different email addresses. You’d never be able to use one of my email addresses across services, so not having the ability to secure my own accounts makes no sense.

But I will say that having strong email security pretty much eliminates this hypothetical risk.

> Most services send you emails at least on registration.

Delete those. Why keep them?

> Nope. Because I have your email account. And the usual method for resetting a password is via an email sent to your email account. That I’ve already compromised.

2FA prevents this.

I should be able to mitigate a website’s weak security practices by being able to modify all aspects of my account.

> That last part is a pretty big asterisk. Sites that offer it are in the minority still. That also assumes your 2FA method isn’t email.

I agree, and while I think that plenty of websites still have a long way to go, let the user do what they can to further secure their account… by rotating email addresses easily.

> You do realise the average person will never do this, right?

They should. I don’t think security-minded folks should have to suffer because other people don’t care or don’t know.

Plus, there are more services that offer very easy, one-click options for generating new email addresses per account. Anyone who cares enough would already know.
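The takeover chain argued over in this thread (a compromised mailbox, the password-reset link sent to it, 2FA that is either email-based or can be switched off through email recovery, and per-service aliases that all hang off one alias provider) can be modelled as a small risk calculator. This is an added example, not code from any of the posters; the account names, inbox labels and per-account flags are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    name: str
    inbox: str                        # mailbox that actually receives this account's mail
    mfa: str = "none"                 # "none", "email" (codes to inbox) or "totp" (authenticator app)
    recovery_resets_mfa: bool = False # email-based recovery flow can switch MFA off
    grants_inboxes: tuple = ()        # inboxes the attacker gains once this account falls

def falls_with_inbox(acct, owned_inboxes):
    """Can an attacker holding owned_inboxes finish a password reset and log in?"""
    if acct.inbox not in owned_inboxes:
        return False                  # the reset link never reaches the attacker
    if acct.mfa in ("none", "email"):
        return True                   # reset link and second factor land in the same inbox
    return acct.recovery_resets_mfa   # TOTP holds unless recovery lets email disable it

def takeover_set(accounts, compromised_inboxes):
    """Names of accounts reachable from the compromised inboxes (fixed-point iteration)."""
    owned, taken, progress = set(compromised_inboxes), set(), True
    while progress:                   # an alias or mail provider account can expose more inboxes
        progress = False
        for acct in accounts:
            if acct.name not in taken and falls_with_inbox(acct, owned):
                taken.add(acct.name)
                owned.update(acct.grants_inboxes)
                progress = True
    return taken

# Constructed scenario 1: every service registered with the one mailbox "main".
ONE_INBOX = [
    Account("shop", "main"),                          # site offers no MFA
    Account("social", "main", mfa="email"),           # MFA code goes to the same inbox
    Account("bank", "main", mfa="totp"),              # recovery cannot disable MFA
    Account("forum", "main", mfa="totp", recovery_resets_mfa=True),
]

# Constructed scenario 2: one alias per service, all aliases issued by one alias provider
# whose own account is registered with "main".
def aliased(alias_provider_mfa):
    return [
        Account("alias-provider", "main", mfa=alias_provider_mfa,
                grants_inboxes=("a1", "a2", "a3", "a4")),
        Account("shop", "a1"),
        Account("social", "a2", mfa="email"),
        Account("bank", "a3", mfa="totp"),
        Account("forum", "a4", mfa="totp", recovery_resets_mfa=True),
    ]
```

With one shared inbox, only the account whose TOTP cannot be reset through email survives; with per-service aliases the outcome depends entirely on how the alias provider's own account is protected.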