• sugar_in_your_tea@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    34
    ·
    21 days ago

    I recently went through most of my accounts and randomized the username, with the thought here being to limit the likelihood of one site being compromised leading to accounts at other sites being compromised. I don’t have to remember them due to using a password manager, so it’s really no skin off my nose.

    I’ll use this as a reminder to everyone to improve your security. Some ideas:

    • use a password manager and use random usernames and passwords
    • have multiple email accounts, and don’t use your “main” email w/ random signups - I use a simple mnemonic, like “<user>-<purpose>@domain.com”; so “me-shopping@domain.com” or “me-games@domain.com” so it’s easy for me to remember, but unlikely for a lazy hacker to pwn other accounts (a lot of these are automated); my real email is “me@different-domain.com
    • use 2FA if offered, even if it’s stupid SMS or email based; having any extra step can deter an attacker

    Sucks that people are targeting IA, I hope there isn’t any lasting damage and that this is a simple defacement/DOS.

    • Pringles@lemm.ee
      link
      fedilink
      English
      arrow-up
      11
      ·
      21 days ago

      For e-mails, you can just get firefox relay with your own subdomain and generate infinite e-mail masks for 1$ a month. I usually take “nameofshop@mysubdomain.mozmail.com” for example. It’s pretty great because you just make the masks on the fly.

      • xthexder@l.sw0.com
        link
        fedilink
        English
        arrow-up
        7
        ·
        20 days ago

        I’ve been doing this for several years now (not specifically that service, since I have my own domains). It’s really nice knowing exactly who sold your email to the spam bots, because it’s right in the address. Super easy to block once that happens.

      • sugar_in_your_tea@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        4
        ·
        edit-2
        21 days ago

        Yup.

        If you use the same email everywhere, they can try brute-forcing the password by using the email instead of your username. Give them less to go on. $1/month is absolutely worth it to prevent an important account from getting hacked.

        • toynbee@lemmy.world
          link
          fedilink
          English
          arrow-up
          4
          ·
          20 days ago

          For users of Gmail, I can confirm this works and you can even set it up so that address+nameofshop goes to a folder called “nameofshop.”

          You can also apparently add a dot anywhere before @gmail.com and still receive the email. I haven’t tried this one, but the last time I mentioned this someone said it was part of the email standard, so presumably it works.

          I don’t know of tricks specifically of this vein for proton mail, but I do know you can setup a catch-all address so, for example, something addressed to invalidaddress@domain.com goes instead to spam@domain.com.

          I’ve not tried SimpleLogin, but apparently it offers similar functionality.

        • Pringles@lemm.ee
          link
          fedilink
          English
          arrow-up
          3
          ·
          20 days ago

          I didn’t know that actually. They can still deduce your actual email address from that, but for the identification of the culprit that would work as well.

      • Blackmist@feddit.uk
        link
        fedilink
        English
        arrow-up
        1
        ·
        21 days ago

        The email mask is free without a subdomain. I use it for the odd random signups where the only thing I’m really interested in is not having another nobhead add me to their spam lists.

        • Pringles@lemm.ee
          link
          fedilink
          English
          arrow-up
          1
          ·
          21 days ago

          That’s how I used it initially as well, but chose to get a subdomain to identify shops and services that had data breaches/leaks, pass on the email to other shops and services, etc.

          And then I can just block that mask.

    • asudox@programming.dev
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      20 days ago

      Point 2… if you pay for a email aliasing service, you will be locked in. What I suggest is using plus addressing. e.g.

      example+83hdo72@example.com
      

      As long as you keep using randomized ones, this’ll be as good as an alias against automated and manual login attempts. It just does not hide your base email, which would be

      example@example.com
      

      Many email services offer some free aliases. For example, I use one alias, along with my main email that is only used for important services. Other than that, I have an alias that is used for online accounts. This way, your main inbox is free of spammers. And even if your main address were to be the target of a spammer, the automatic spamming software most likely will not chop off the plus part, so you can easily block that email with the specific plus identifier. Not as good as external email aliasing services, but at least you won’t be locked into the email aliasing service. Bitwarden has a generator for such things, really nice tbh.

    • Julien Catanese@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      20 days ago

      I recently went through most of my accounts and randomized the username, with the thought here being to limit the likelihood of one site being compromised leading to accounts at other sites being compromised. I don’t have to remember them due to using a password manager, so it’s really no skin off my nose.

      I’ll use this as a reminder to everyone to improve your security. Some ideas:

      use a password manager and use random usernames and passwords
      have multiple email accounts, and don’t use your “main” email w/ random signups - I use a simple mnemonic, like “<user>-<purpose>@domain.com”; so “me-shopping@domain.com” or “me-games@domain.com” so it’s easy for me to remember, but unlikely for a lazy hacker to pwn other accounts (a lot of these are automated); my real email is “me@different-domain.com”
      use 2FA if offered, even if it’s stupid SMS or email based; having any extra step can deter an attacker
      

      Sucks that people are targeting IA, I hope there isn’t any lasting damage and that this is a simple defacement/DOS.

      thanks for the advices ! Would you recommend a particular password manager?