0

Is it bad practice if one uses the same email address on different sites and forums?

CodesInChaos
  • 11,964
  • 2
  • 40
  • 50
steven
  • 1
  • 1
  • You may be interested in [PlusAddressing](http://www.wikihow.com/Use-Plus-Addressing-in-Gmail) in order to prevent simple correlation between sites. – user2813274 Aug 19 '14 at 15:16

2 Answers2

1

If you are concerned that some site is going to spam you or (worse yet) sell your email address, then you will want to use a unique address for that site.

If you're worried about a site being hacked, well, your email address is mostly public anyway; a hack just makes it a little bit more public.

What you must not do is use the same password across sites. If one of them is hacked, your security on all of them is toast if they all have the same password. It is critically important that the password to your email account be strong and different from any other site. If the bad guys get your email password, they can use the password reset mechanism to break into your other sites. Like your banking site, for example.

There are things a site or forum can do to make it difficult for attackers to compromise the password data, and to help secure the data even if it is compromised. You generally cannot tell who's using best practices and who is not. It is safest to assume that if a site is compromised, your password on that site is toast, along with any others where you've used the same password.

Edited to add: If you care about the ways a site can help protect your password, I wrote a short piece on that a couple of years ago: http://bitmonger.blogspot.com/2012/07/six-simple-rules-for-secure-storage-of.html

Bob Brown
  • 5,293
  • 1
  • 19
  • 28
  • what if the e-mail associated with one account becomes public knowledge? People would be able to associate several accounts in different sites to the same person, thus making it easier to identify who that person is. Or is that not how it works? – steven Aug 18 '14 at 10:40
  • Providing a working email address to just about anyone pretty much puts an end to anonymity. Law enforcement can subpoena the necessary information. If you buy anything using that email address, it is necessarily attached to a credit card number and delivery address. Even if you only use it for forum participation, your address can be tied to other activity using web tracking techniques. If you feel a need to hide your identity, you'll need to stop using online services. – Bob Brown Aug 18 '14 at 12:14
  • You can bypass the "working email" problem by using a service such as mailinator.com. – Ben Aug 19 '14 at 14:24
0

Social networking sites often allow users to find friends via email address search.

This may be a privacy concern for some users as another user can verify whether they have an account on a particular site. It is often an option to disable this functionality:

Facebook Privacy Settings

Privacy options screen from Facebook.

Allowing this lookup from anyone can lead to a username enumeration vulnerability, but often this is not a concern for sites such as these as the lookup of users is part of the design and they often bank on people wanting to use the site for its intended purpose (i.e. social networking) and turning off being found by email address could be contrary to this.

Often email address is used as a username, and therefore does not have to be secret or hard to guess. So unlike a password, there is no inherent risk in using the same email for different accounts. Some users tend to use the same email address, but with modifiers such as + symbols or with different local parts on a catchall domain account but this would be trivial for the address to be processed to remove the part following the + symbol. Detecting catch all address domains would be more difficult though but as email validation providers exist, this would not be that difficult.

There are also scenarios such as this where tying the account together by email has led to other accounts being taken over as they were "were daisy-chained together". i.e. The Gmail address was also used as a recovery address on the iCloud account. This would most probably have been prevented though if 2 factor authentication was in use or if the data management policies were more stringent rather than a flaw in sharing the email address between the two services. Going the other way and having multiple email addresses to recover other email addresses leads to more complexity and the risk of locking yourself out of other accounts would be much greater.

So to summarise, using the same email address is not bad practise in itself, however if the registration details are visible by the public or shared between different organisations where you have accounts, it can be determined that you are likely the same person. Likely not definite, as some services do not validate that the email address entered can be received by the user on sign up.

SilverlightFox
  • 33,698
  • 6
  • 69
  • 185