Why I Have a Secret “Classified” Email Address

Your email address is the center of your digital life. If you're like me, you have one main email address that you use for everything.

Social media accounts like Facebook, Twitter, and Pinterest will resolve back to my main Gmail account. Any services I pay for like Spotify and Netflix, I also enter my main Gmail account.

In some cases, I use the + trick (if you put in [email protected] the email still makes it to [email protected], it'll just have the +service so you know if that address is being used in off-book ways) but the + trick is more about filing and management than security. People know that your main email is [email protected]

The problem is that I would also use it for other things, like when I briefly signed up on Adobe.com to use their cloud services. Turns out me and 153 million of my closest internet friends had our emails, username, encrypted password, and password hints hacked in October 2013. The encryption was weak, so the passwords were very easily converted into plaintext (the breakdown of passwords is kind of fascinating… “iloveyou” is a very popular password!).

I'm fortunate in that I use different passwords for all accounts, so when I learned my Adobe account was breached, it was “okay.”

After that moment, I resolved to firewall my email system.

  1. One email address for high security, “classified” material – financial services and sensitive information.
  2. One email address for insecure, low security services.

Borrowing a Page from the USG

The United States Government has classified and unclassified systems and the basic premise is that the two shall never meet. Sensitive and important information lives in the classified world. Less important, less sensitive information lives in the unclassified world.

If the unclassified system is breached in some way, only the less important and less sensitive information is revealed. The classified system is safe.

Your banking and broker information is sensitive and important. Your Facebook page may seem important… but it's not. You might not be able to live without Pinterest or Playstation, but those aren't important. 🙂

I'd argue that credit card information is considered NOT important because consumer liability protections are exceptionally strong. All of my credit cards are $0 liability. Plus, the access point is often the card itself, not the online account.

Rules of a Classified Email Address

Here are my rules:

  • Use your classified email address for accounts where high security is a must – banks, brokers, etc.. (not credit cards!)
  • Only use your classified email in your strict circumstances, never elsewhere.
  • Access that account only when you'd access the underlying financial accounts – from your home and never from elsewhere like your friends' house, hotel business center, gym, etc.
  • Do not forward your classified email to your unclassified email, the two shall never meet.
  • Use a strong password. Preferably a password manager like 1Password.

You can take every idea to its logical extreme depending on your desire for security vs. convenience. For example, you can create a unique email address for each account or you can save an old computer strictly for accessing those accounts (with no installed programs that could be malware). That I leave up to you.

The goal is to keep that email address as hidden as possible so it can never be hacked unless the bank is hacked.

The best thing about this is that once you set it up, it gives you peace of mind. If your unclassified email address is disclosed in a breach, you know that your classified email address is safe. And you will never get tricked by a phishing email because none of your accounts are linked to your unclassified email address.

Plus, email addresses are free! The only cost is in management.

Can I Search For Hacks?

Most hacks/breaches hit systems where security isn't a priority.

I was using haveibeenpwned.com to see if my email address was compromised. The site is run by Troy Hunt, a trusted and well-regarded security professional, and it collects all the publicly available personal data out there and makes it searchable.

If you look at the top 10 breaches, none were of what you would consider high-security systems. Adobe, Ashley Madison, some gaming sites, VTech, and forums. If you look at all the breaches, you start seeing a few tangentially financial sites (mostly gambling and payment systems) but you don't see banks or brokers.

Once a hacker gets your email address, it's trivial to start sending out phishing emails to get greater account access. With 152 million email addresses in the hack of Adobe, a success rate of 0.001% is still 1,520 accounts!

Gmail is pretty good about filtering out phishing emails but a better solution is to keep a secret email address only for financial services and other high-security systems.

(and remember, sites like haveibeenpwned.com only search for breaches that were made publicly available, plenty aren't disclosed)

Two other things I do…

Use unique usernames. No reason why your World of Warcraft username should be the same as your Wells Fargo. 🙂 When Adobe was hacked, it revealed usernames and encrypted (but weakly encrypted) passwords. If you have usernames and passwords, it's even easier to try the credentials at every bank.

Turn on 2FA! Turn on two factor authorization on all your financial accounts. Two-factor authorization is crucial and it's easy with smartphones. You must use it.

Do you use separate email addresses to keep things just a little bit more secure?

Other Posts You May Enjoy:

Tradeline Supply Company Review: A Good Way to Build Credit?

One way to improve your credit score is to be added as an authorized user on another person’s credit account. But what if you don’t have another person with good credit who can add you as an authorized user? That's where Tradeline Supply Company comes in. Learn more in our full review.

How to Automate Your Finances

Automating your financial tasks can save you time, money, and a lot of headaches. Learn which tasks are best left to computers and how best to get it all set up.

What Happens When You Deposit Over $10,000 Cash?

You’ve likely heard the stories about the IRS being notified when you deposit a large amount of cash. But what happens when you deposit over $10,000? Who is responsible for reporting large deposits? And what will the IRS do if you deposit large amounts of cash? We answer these questions and more in this article.

About Jim Wang

Jim Wang is a forty-something father of four who is a frequent contributor to Forbes and Vanguard's Blog. He has also been fortunate to have appeared in the New York Times, Baltimore Sun, Entrepreneur, and Marketplace Money.

Jim has a B.S. in Computer Science and Economics from Carnegie Mellon University, an M.S. in Information Technology - Software Engineering from Carnegie Mellon University, as well as a Masters in Business Administration from Johns Hopkins University. His approach to personal finance is that of an engineer, breaking down complex subjects into bite-sized easily understood concepts that you can use in your daily life.

One of his favorite tools (here's my treasure chest of tools,, everything I use) is Personal Capital, which enables him to manage his finances in just 15-minutes each month. They also offer financial planning, such as a Retirement Planning Tool that can tell you if you're on track to retire when you want. It's free.

He is also diversifying his investment portfolio by adding a little bit of real estate. But not rental homes, because he doesn't want a second job, it's diversified small investments in a few commercial properties and farms in Illinois, Louisiana, and California through AcreTrader.

Recently, he's invested in a few pieces of art on Masterworks too.

>> Read more articles by Jim

Opinions expressed here are the author's alone, not those of any bank or financial institution. This content has not been reviewed, approved or otherwise endorsed by any of these entities.

Reader Interactions


About the comments on this site:

These responses are not provided or commissioned by the bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by the bank advertiser. It is not the bank advertiser's responsibility to ensure all posts and/or questions are answered.

  1. Jono says

    Thanks for the article. I’ve started implementing this (though it’ll take a while, I think, to get things moved into their proper addresses).

    Question: How would you categorize utility websites (gas, water, electric) and the like? Are they considered “classified” or would you see them as “unclassified”? There is certainly more damage someone could do with access to those accounts than many other accounts I might have. But do they rate as high as banks, brokers, etc? How do you handle those types of things?


    • Jim Wang says

      I think of them as unclassified because, as far as I know, no one is looking to break into your utility account because there’s nothing you can do with it (they can’t steal your money using it, even if it is still important).

      That said, it’s really your system so you should do what helps you sleep at night. It doesn’t hurt to use your classified email address with them.

See More Comments

As Seen In: