Why I Have a Secret “Classified” Email Address

Your email address is the center of your digital life. If you're like me, you have one main email address that you use for everything.

Social media accounts like Facebook, Twitter, and Pinterest will resolve back to my main Gmail account. Any services I pay for like Spotify and Netflix, I also enter my main Gmail account.

In some cases, I use the + trick (if you put in main.email+service@gmail.com the email still makes it to main.email@gmail.com, it'll just have the +service so you know if that address is being used in off-book ways) but the + trick is more about filing and management than security. People know that your main email is main.email@gmail.com.

The problem is that I would also use it for other things, like when I briefly signed up on Adobe.com to use their cloud services. Turns out me and 153 million of my closest internet friends had our emails, username, encrypted password, and password hints hacked in October 2013. The encryption was weak, so the passwords were very easily converted into plaintext (the breakdown of passwords is kind of fascinating… “iloveyou” is a very popular password!).

I'm fortunate in that I use different passwords for all accounts, so when I learned my Adobe account was breached, it was “okay.”

After that moment, I resolved to firewall my email system.

  1. One email address for high security, “classified” material – financial services and sensitive information.
  2. One email address for insecure, low security services.

Borrowing a Page from the USG

The United States Government has classified and unclassified systems and the basic premise is that the two shall never meet. Sensitive and important information lives in the classified world. Less important, less sensitive information lives in the unclassified world.

If the unclassified system is breached in some way, only the less important and less sensitive information is revealed. The classified system is safe.

Your banking and broker information is sensitive and important. Your Facebook page may seem important… but it's not. You might not be able to live without Pinterest or Playstation, but those aren't important. 🙂

I'd argue that credit card information is considered NOT important because consumer liability protections are exceptionally strong. All of my credit cards are $0 liability. Plus, the access point is often the card itself, not the online account.

Rules of a Classified Email Address

Here are my rules:

  • Use your classified email address for accounts where high security is a must – banks, brokers, etc.. (not credit cards!)
  • Only use your classified email in your strict circumstances, never elsewhere.
  • Access that account only when you'd access the underlying financial accounts – from your home and never from elsewhere like your friends' house, hotel business center, gym, etc.
  • Do not forward your classified email to your unclassified email, the two shall never meet.
  • Use a strong password. Preferably a password manager like 1Password.

You can take every idea to its logical extreme depending on your desire for security vs. convenience. For example, you can create a unique email address for each account or you can save an old computer strictly for accessing those accounts (with no installed programs that could be malware). That I leave up to you.

The goal is to keep that email address as hidden as possible so it can never be hacked unless the bank is hacked.

The best thing about this is that once you set it up, it gives you peace of mind. If your unclassified email address is disclosed in a breach, you know that your classified email address is safe. And you will never get tricked by a phishing email because none of your accounts are linked to your unclassified email address.

Plus, email addresses are free! The only cost is in management.

Can I Search For Hacks?

Most hacks/breaches hit systems where security isn't a priority.

I was using haveibeenpwned.com to see if my email address was compromised. The site is run by Troy Hunt, a trusted and well-regarded security professional, and it collects all the publicly available personal data out there and makes it searchable.

If you look at the top 10 breaches, none were of what you would consider high-security systems. Adobe, Ashley Madison, some gaming sites, VTech, and forums. If you look at all the breaches, you start seeing a few tangentially financial sites (mostly gambling and payment systems) but you don't see banks or brokers.

Once a hacker gets your email address, it's trivial to start sending out phishing emails to get greater account access. With 152 million email addresses in the hack of Adobe, a success rate of 0.001% is still 1,520 accounts!

Gmail is pretty good about filtering out phishing emails but a better solution is to keep a secret email address only for financial services and other high-security systems.

(and remember, sites like haveibeenpwned.com only search for breaches that were made publicly available, plenty aren't disclosed)

Two other things I do…

Use unique usernames. No reason why your World of Warcraft username should be the same as your Wells Fargo. 🙂 When Adobe was hacked, it revealed usernames and encrypted (but weakly encrypted) passwords. If you have usernames and passwords, it's even easier to try the credentials at every bank.

Turn on 2FA! Turn on two factor authorization on all your financial accounts. Two-factor authorization is crucial and it's easy with smartphones. You must use it.

Do you use separate email addresses to keep things just a little bit more secure?

Other Posts You May Enjoy:

Greenlight vs. FamZoo: Which Is the Better Debit Card for You?

With unique features like spending controls, parental notifications, and payments for chores, kids' debit cards have become increasingly popular in recent years. In this Greenlight vs. FamZoo review, we compare the features and benefits of two of the most popular kids debit card programs.

Best Debit Card For Kids: Why You Should Consider a Debit Card for Your Child

Are you considering a debit card for your child? The thought of giving young kids more control over their money can be scary. Thankfully, there are debit cards designed specifically for kids. With features like parental controls, roundup savings, and more, kid's debit cards give kids the freedom to learn how to properly manage their money.

When and How to Hire a Financial Advisor

A financial advisor can examine your finances and help you navigate through current and upcoming life events. Whether you want to take your finances to the next level or just get a second opinion on your investments a financial advisor can help you.

How to Get Free Money on the Cash App

There are a few legit ways to get free money on the Cash App. In fact, you can earn $5 by signing up with our new user referral code, ZBJVLJJ, and sending at least $5 to a friend. You can also earn debit card shopping boosts and enter social media giveaways.

About Jim Wang

Jim Wang is a thirty-something father of four who is a frequent contributor to Forbes and Vanguard's Blog. He has also been fortunate to have appeared in the New York Times, Baltimore Sun, Entrepreneur, and Marketplace Money.

Jim has a B.S. in Computer Science and Economics from Carnegie Mellon University, an M.S. in Information Technology - Software Engineering from Carnegie Mellon University, as well as a Masters in Business Administration from Johns Hopkins University. His approach to personal finance is that of an engineer, breaking down complex subjects into bite-sized easily understood concepts that you can use in your daily life.

One of his favorite tools (here's my treasure chest of tools,, everything I use) is Personal Capital, which enables him to manage his finances in just 15-minutes each month. They also offer financial planning, such as a Retirement Planning Tool that can tell you if you're on track to retire when you want. It's free.

He is also diversifying his investment portfolio by adding a little bit of real estate. But not rental homes, because he doesn't want a second job, it's diversified small investments in a few commercial properties and farms in Illinois, Louisiana, and California through AcreTrader.

Recently, he's invested in a few pieces of art on Masterworks too.

Reader Interactions

Leave a Comment:

Comments

About the comments on this site:

These responses are not provided or commissioned by the bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by the bank advertiser. It is not the bank advertiser's responsibility to ensure all posts and/or questions are answered.

  1. Steve H. says

    Hey Jim, so you say that you never use the same password twice? …. NEVER? I have a tough time remembering the five or six passwords to “things” I access routinely (e.g., credit cards, bank, broker,etc). So it would be nearly impossible to remember the 60 or so things I have that require a password without some being somewhat redundant, or I’d have to resort to the UBER-Secret master password list every time I have to log on. How do you manage that?

    • Jim Wang says

      I don’t reuse on secure places. I do use the same one, with a junk email address, for the places I don’t care about.

      For the secure ones, I use a master password that is gibberish but it’s the same gibberish so I remember it. Then I add stuff to the end based on what it is. For example, if it’s a credit card, I’ll add some letters corresponding to the card and then an ! at the end of the password.

      I’ve also pared down my accounts such that I don’t have a ton of them that I log into.

  2. Jon says

    Thank you for this. Not only do I have a secure email through Proton Mail, but I’ve done the same thing with a phone number (that I don’t share with anyone). There are some clever hackers out there who are using 2-factor authentication loopholes when they get the right customer support person on the phone at the cell phone companies. Scary stuff, but this post should help many people.

  3. Forrest says

    What email do you use for your Personal Capital account considering you have to enter all your banking login information into their website in order to link your financial accounts?

  4. w says

    What do you think of using separate emails for:
    1. services you pay for eg airfares, airbnb, app downloads and subscriptions?
    2. logins only eg evernote, meetup

  5. Brian says

    Ari Paul @ariDavidPaul had a nice stream of tweets on this today. Some, like you mentioned, went down the rabbit hole of paranoia, but otherwise sounded much like your message here. Thanks.

  6. something says

    Nice article Jim,
    Been thinking of this for a while but came across your article and motivated now to do this sooner.
    1- What would you suggest for Paypal associated email address, please? Should this be a secure one? Paypal email is shared many a time for receiving money when selling items but at the same time, you don’t want the spams (phishing emails) to start coming into that mailbox.

    Regards

    • Jim Wang says

      Good question – I use my regular one because my friends are sending me money. For business, I have a separate one but that is linked to the same account. You don’t want to use the secure email address thought because the whole point is to avoid giving it out to anyone.

  7. Miko says

    Thank you Jim for the valuable information! Besides banks and brokers, would you recommend using the “classified” email address for my social security account as well? What about IRS, TurboTax, etc? Thank you!

  8. Canuck says

    Great article and advice, thank you, I shared it with several friends and coworkers. Just went through a very targeted hack attack that totally upended my life for three days over Christmas 2020, and trying to stay ahead of the hacker was one of the most stressful things I’ve ever experienced. Was locked out of certain financial accounts till I could prove identity & didn’t know if my money was there or not, didn’t eat or sleep, what a nightmare. Luckily I was already using very strong individual passwords along with 2FA and having 2FA was the final defense that saved my finances from being looted. I followed your advice here regarding stealth emails and feel much calmer. My name, personal email, Hm address and mobile number were recently posted on a hacker site so I’m now perpetually a target. Worried about a potential SIM swap, I even obtained a second mobile number for use only with certain accounts. I will no longer use the leaked email for anything. Above everything, secure your mobile phone account, your email and financial accounts. Don’t wait until it happens to you and your in a panicked reactionary state. Hackers are counting on the fact that most ppl are complacent when it comes to account password security. Thank goodness I was paying attention, whew, what a stressful ordeal. Stay safe!

    • Jim Wang says

      Wow! That’s really scary, I’m glad 2FA saved you.

      We recently also got a physical hardware key as an additional layer of security (Yubikey).

  9. Anna says

    so i have a question. If i have all my emails coming to one app on my phone or desktop, are you saying that the one secret email should not be linked in with the others, even though it doesn’t specifically overlap with the other emails (and only the app itself getting access)?

    thanks
    Anna

    • Jim Wang says

      I would not log into your secure email address with the app. This avoids you being phished or otherwise attacked because you accidentally clicked on a link through your phone.

  10. Pamela Jackson says

    I have always followed this same approach when it comes to email. I actually have a few emails that I consider non-classified that I use for different things. One is for survey sites, one is for personal emailing with friends and family & the third is for entering contests. My classified email is for banking or high security accounts only. Even my closest friends and family members have never been given this email. I do have a record of this email locked up in a safe with other important documents in the event that something should happen to me and this information is needed by those handling my affairs. Not only is it important for internet security but it also has the added benefit of making things easier to manage. I go in every couple of months and change the password as well to be extra secure and I also have my computer loaded up with a VPN, virus and malware protection. I never access online banking or high security accounts from anywhere but my home computer, using my personal WI-FI.

See More Comments

As Seen In: