Not so long ago, in an office so very close, an imperial trooper used the same p@$$w0rd on every single site.
The onus of easy peasy pwnage led to separate and proper passwords for important sites, led to plasticky back pats, led to proud promotions.
But an imperial trooper’s memory banks are only yea big and only hold yea many passwords.
Forgotten passwords led to awkward moments at battle stations, shield generators, and the imperial brig. This led to demotions, a net loss of limbs, and an extended stay in the infirmary.
Time in the infirmary brought to fruition the password manager — a single password would provide access to an army of nigh unbreakable passwords limited only by the arbitrary and uninformative form validation clerks and capricious backend storage droids.
The rehabilitated trooper rose through the ranks yet again. Never again would he forget a password, and his memory banks were free to remember other facts.
He remembered that his favorite color was white. He remembered his love for dance, particularly… the trooper tango.
On one distinctly dull Monday, while authenticating himself before the imperial torture chamber, he realized that there are always two pieces to the ageless authenticative tango. Ever so provocative, the sultry password received all the admiration, the furtive glances over the shoulder, but the password never led the dance — it always followed the username: firstname.lastname@example.org. Never a leader, always a follower. He grunted a distorted 8-bit grunt.
A random Tuesday found him on duty in one of Lord Vader’s spare suit chambers. There with one gloved hand in the air, the other placed delicately on one hip, he shuffled one… two… quick left, turn.. and one, two… The distorted reflection gyrating back at him in his Lordship’s dark helmet left him entranced.
The ship rocked, rudely ending his solo dance routine and throwing him against the spare Vader suit. Alarms blared.
Shuffling to a wall display, a few familiar taps confirmed that the shield generators were down unexpectedly. Again. His helmet remained expressionless, but his eyes widened in alarm beneath. He stumbled back from the display, stiff armored hands clapped to his helmet. The screen showed scores of x-wings bearing down on their position. But there in one corner in a delicate shade of gray was the account used to lower the shields: email@example.com.
He scrambled to check his email, hastily scrolling past ads and even a new message from his favorite dancing bulletin board. There it was — a password reset email. Somehow he’d missed it. The screen flashed white with blaster fire, deep tremors shook the deck and walls around him. Sparks flew. The trooper stumbled through the halls, his equilibrious pastime keeping him on his feet where droids and new recruits fell and flailed helplessly around him.
As his world filled with fire and light, he was hit with the memory of an email he’d received from some overly-conscientious underling — something about a glaring weakness in the thermal exhaust port. He laughed an 8-bit laugh. His helmet remained expressionless.
The single point of failure
Like the single password before it, the single email address is a problem. It’s another single point of failure.
The email address is where the password resets go. When your email address is compromised, it doesn’t matter how strong your passwords are — the attacker has easy access to every account tied to that email that isn’t using multifactor auth.
Separate email accounts
The ultimate “solution” would be a separate email address for every account. But that would be annoying: Another password for each new email account, another email account to manage. Imagine the managerial overhead of 200 separate email accounts. There would be oversights and shortcuts, leading to a compromised security stance.
Completely separate email accounts? Not an ideal solution.
Email aliases are another option. With G-Suite, for example, you can have multiple email addresses that forward to a single email address. ProtonMail also allows up to 50 aliases. But neither is option is free. And you still bear the burden of remembering which address you associated with each site.
Gmail and others provide an easy way to create email aliases using the +, for example, firstname.lastname@example.org, but this nicety doesn’t really provide any security by obscurity. If a breach of junkmail.com reveals wookie_hips’ email address alias, an attacker will realize his true address is email@example.com and focus their attack there. (“Almost there…”) The “+” aliases help with organizing email but provide limited information-disclosure protection.
Third-party intermediary email services
Another alternative is to use a service like SendGrid or MailGun to forward multiple email addresses to a single email address. But this idea isn’t without its share of drawbacks:
- How do you reply to the address? If you reply from the forward address, you’ll look unprofessional and phishy. It’s possible to set this up in a mail provider like GMail, but it’s not as simple as it could be
- Unless you pay big bucks for a standalone IP, your emails from SendGrid and MailGun and may get bounced by email providers when your IP smells like spam.
- You’re introducing another attack vector. If one of these services is compromised, your battleship is sunk, or exploded or whatever…
Some other option
Newsflash from the collective unconscious: As I’m writing this Apple just announced their new “Sign in with Apple” service, which appears to be another federated sign on service, with one notable difference: “Sign in with Apple” makes it possible to hide your true email address from app vendors; they are sent a randomly-generated email address instead.
Apple’s approach is provocative, and this is definitely a space in need of deep thought and innovation like this.
Am I missing something? What solutions have you found in the email address management space?