Your email address is the center of your digital life. If you're like me, you have one main email address that you use for everything.
Social media accounts like Facebook, Twitter, and Pinterest will resolve back to my main Gmail account. Any services I pay for like Spotify and Netflix, I also enter my main Gmail account.
In some cases, I use the + trick (if you put in [email protected] the email still makes it to [email protected], it'll just have the +service so you know if that address is being used in off-book ways) but the + trick is more about filing and management than security. People know that your main email is [email protected]
The problem is that I would also use it for other things, like when I briefly signed up on Adobe.com to use their cloud services. Turns out me and 153 million of my closest internet friends had our emails, username, encrypted password, and password hints hacked in October 2013. The encryption was weak, so the passwords were very easily converted into plaintext (the breakdown of passwords is kind of fascinating… “iloveyou” is a very popular password!).
I'm fortunate in that I use different passwords for all accounts, so when I learned my Adobe account was breached, it was “okay.”
After that moment, I resolved to firewall my email system.
- One email address for high security, “classified” material – financial services and sensitive information.
- One email address for insecure, low security services.
Borrowing a Page from the USG
The United States Government has classified and unclassified systems and the basic premise is that the two shall never meet. Sensitive and important information lives in the classified world. Less important, less sensitive information lives in the unclassified world.
If the unclassified system is breached in some way, only the less important and less sensitive information is revealed. The classified system is safe.
Your banking and broker information is sensitive and important. Your Facebook page may seem important… but it's not. You might not be able to live without Pinterest or Playstation, but those aren't important. 🙂
I'd argue that credit card information is considered NOT important because consumer liability protections are exceptionally strong. All of my credit cards are $0 liability. Plus, the access point is often the card itself, not the online account.
Rules of a Classified Email Address
Here are my rules:
- Use your classified email address for accounts where high security is a must – banks, brokers, etc.. (not credit cards!)
- Only use your classified email in your strict circumstances, never elsewhere.
- Access that account only when you'd access the underlying financial accounts – from your home and never from elsewhere like your friends' house, hotel business center, gym, etc.
- Do not forward your classified email to your unclassified email, the two shall never meet.
- Use a strong password. Preferably a password manager like 1Password.
You can take every idea to its logical extreme depending on your desire for security vs. convenience. For example, you can create a unique email address for each account or you can save an old computer strictly for accessing those accounts (with no installed programs that could be malware). That I leave up to you.
The goal is to keep that email address as hidden as possible so it can never be hacked unless the bank is hacked.
The best thing about this is that once you set it up, it gives you peace of mind. If your unclassified email address is disclosed in a breach, you know that your classified email address is safe. And you will never get tricked by a phishing email because none of your accounts are linked to your unclassified email address.
Plus, email addresses are free! The only cost is in management.
Can I Search For Hacks?
Most hacks/breaches hit systems where security isn't a priority.
I was using haveibeenpwned.com to see if my email address was compromised. The site is run by Troy Hunt, a trusted and well-regarded security professional, and it collects all the publicly available personal data out there and makes it searchable.
If you look at the top 10 breaches, none were of what you would consider high-security systems. Adobe, Ashley Madison, some gaming sites, VTech, and forums. If you look at all the breaches, you start seeing a few tangentially financial sites (mostly gambling and payment systems) but you don't see banks or brokers.
Once a hacker gets your email address, it's trivial to start sending out phishing emails to get greater account access. With 152 million email addresses in the hack of Adobe, a success rate of 0.001% is still 1,520 accounts!
Gmail is pretty good about filtering out phishing emails but a better solution is to keep a secret email address only for financial services and other high-security systems.
(and remember, sites like haveibeenpwned.com only search for breaches that were made publicly available, plenty aren't disclosed)
Two other things I do…
Use unique usernames. No reason why your World of Warcraft username should be the same as your Wells Fargo. 🙂 When Adobe was hacked, it revealed usernames and encrypted (but weakly encrypted) passwords. If you have usernames and passwords, it's even easier to try the credentials at every bank.
Turn on 2FA! Turn on two factor authorization on all your financial accounts. Two-factor authorization is crucial and it's easy with smartphones. You must use it.
Do you use separate email addresses to keep things just a little bit more secure?
About the comments on this site:
These responses are not provided or commissioned by the bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by the bank advertiser. It is not the bank advertiser's responsibility to ensure all posts and/or questions are answered.
Holly Johnson says
I have three or four email addresses I use for different purposes. One is mainly for purchases where I expect to get spam. Another is intended solely for spam!
Ha I have a spam email, it’s holly @ … jk 🙂
This is a great wake up call for a lot of people (myself included)! As a greater part of our lives moves online, it becomes increasingly important that we are careful with our email addresses and passwords. I use a personal email for banking, bills, etc and then I have a separate business email for my blog and other business activities.
I have a separate business one but keeping a “super secret never tell anyone except the banks” email address makes sure I’m extra careful 🙂
Thanks Jim, this is great advice and even though I work in the IT industry, very easy to forget about security 101.
Unfortunately I was also part of the adobe breach, and some other sites mentioned on havibeenpwnd. Not, not Ashley Madison 😉
Hahahaha, you have to assume that everything you do on the internet will eventually become public. It’s just how it works!
Our Next Life says
Thanks for this reminder, Jim. We need to set this up for our banking and investment accounts. We’ve upped our log-in security, but it’s all still linked to our main email accounts. Adding to the to do list!
It’s one of those simple things that you think would cost a lot of time, in setting it up and ongoing maintenance, but it actually doesn’t. Like getting transaction notifications for charges above $0, it’s not nearly as annoying as you’d think to have a 2nd email just for these.
Kalie @ Pretend to Be Poor says
I have a junk email address but never thought to have a high security one. Great idea, Jim! I actually had my Gmail account suspended once. Still haven’t figured out why, they can do it for a number of reasons including if they think it could be at risk from hacking. Gmail quickly lifted the suspension but they don’t have to.
You need to give alternate or backup email address for this super secret email for backup. Which one do you give here? 🙂
Ha, good question… 🙂
I use another email address that I don’t use for logins anywhere else.
And what is that email address? 😉
Jim Wang says
Nice try 🙂
This is a great idea. I’ll have to start the processing of changing my bank emails over because security is such an issue nowadays.
I followed your previous advice and activated 2FA for my email and bank accounts. It has brought a lot of peace of mind.
I even got a text a few days after it looks like someone was trying to get into my investment account at Vanguard! I changed the password right away and let Vanguard know.
Again, the piece of mind is incredible. Thanks for the advice.
Ha! Just in the nick of time!
Catherine Alford says
Interesting. I hadn’t thought of this, but now that it’s on my radar, I may have to change my email address for some of my accounts.
Derek @ MoneyAhoy says
Wow – this is a really great idea Jim. I have always been a bit nervous having my bank account email the same as my normal email. It never really dawned on me to setup a high-security email address. I’m going to take action to create one today for my banking and investing stuff. Thanks for the tip!
Emails are free!
middle class revolution says
I have one main email address and one for work. I use different passwords depending on the level of security needed. Banks/brokers get a higher level password. I have mid-tier accounts that get another password. And then I have a very easy-to-remember password that I use when I sign up for coupons, promotional emails, and the like. I assumed that would be just as secure, but after reading this, I’m not so sure.
I’ve never thought about having an email for high-security items. I need to be more careful about this. Thank you for the thoughtful article and the tips about passwords, usernames and securing email.
No problem Melissa! 🙂
You should have a look into having a password manager which sets your passwords secure enough. I have no idea what my passwords are but it becomes way easier to manage with a password manager. There are many reviews out there that you can look into.
I’ve looked into those… but they can get hacked too.
Earlier last year, LastPass was hacked. Later in the year, a MSFT software engineer discovered a problem in the way that 1Password implemented their 1PasswordAnywhere feature. It leaves some information unencrypted (a list of websites, login name, software licenses, etc.). While it’s not something that will give someone access to your accounts, it’s not a good thing either.
So they aren’t perfect and they make for extra juicy targets since they contain all your other passwords.
Classified email is a great idea. Thanks for writing this.
A couple thoughts regarding password managers, LastPass is a product that is either a browser extension or an app for your (non-desktop computer) device. 1Password is similar, I believe. An app like these opens up vectors of attack (browser extension? no thanks).
I recommend using Password Safe, an open source password manager originally created by Bruce Schneier. https://www.pwsafe.org/
I also recommend using it only on a desktop/laptop computer. I see no reason to *store* passwords on a mobile device. One should not be doing banking on a smartphone that one carries around with them all day. Eliminate that vector of attack, and do that important stuff in one place – at home.
You can store your Password Safe database (it’s just a small file) in your dropbox folder, giving yourself access to this from your various desktop/laptop computers (say, home and work – a reasonable balance of convenience vs. security).
For high-security sites like banking, keep some – but not all – of the password in this tool. Then keep the partial password (say the last few characters) in your wallet to be typed by you after you paste the long first part in the input field.
The “strong, unique password for each site” feature achieved with this workflow, and the lack of a third-party company for a hacker to know about and try to hack (for example, LastPass or 1Password) achieves a very good balance between security and convenience.
Also, rename the binary executable from Password Safe.exe to something else to hide it from malware (there was a trojan that attacked in this way).
There is not perfect solution to this whole issue. It’s about balance. But I think the above is worth considering.
Karsten Andrae says
Interesting, but where to get a secret e-mail address from? Just a different service provider? Never meeting, what does that mean? they should not be connected to the same Outlook installation or never be viewed on the same computer, I am not sure. Thanks.
Jim Wang says
I just another GMail account.
I use different fictitious names and dates of birth for all my email accounts in gmail and yahoo. is this a good idea or do I need to be using my correct info for my financial email accounts?
Also I have several web sites (i.e.my security system account ) that require an email as the user name. Concerned that using an email as a user name makes it easier for email hackers to access these accounts. Should I just make up an email the user name and indicate the correct email in my profile?
Jim Wang says
I don’t see a reason you need to use correct information on your email accounts but you will want to remember what those answers are in case you need to unlock them later on.
I don’t know how those other sites manage the username as an email vs. your contact information, it would have to depend on that.
Do you recommend getting multiple emails from the same provider (e.g. Gmail) or do you use different providers? If you use the same provider, it seems like you’d want to provide different credentials as Mojo states, so that they aren’t linked. Also, do you think it’s a wise idea to stay away from yahoo (or delete a current yahoo account) since they don’t have 2FA?
Jim Wang says
I don’t think it matters if you use the same provider. I don’t think that separation won’t make a huge difference but don’t use the same password. Definitely do not use the same password.
I would stay away from Yahoo.
Maybe after a while go back to yahoo as it becomes less popular and hackers won’t be interested any longer 😉
These days all email providers seem to be requiring a phone number. I just have my cell phone… and it doesn’t seem very secure to be providing that in order to get a new email account. Also, Gmail picks up on when you’ve logged into more than one email address on the same device, and starts “linking” them, thereby losing the “secret” aspect…
Jim Wang says
I don’t see a problem with the phone, you just have to be more diligent.
As for Gmail linking them, you can disconnect them manually. The key to getting into the habit of only using the secret email for financial items. That way when people breach other less secure systems (like a random website), you don’t get phished because you know your less secure “regular” email address would never be known to your bank.
I like the idea of having a super secret email for my bank but what about all my other accounts that I associate with my bank when paying bills and etcetera.
Jim Wang says
It depends on how secure you need them to be? You can use your regular email for that as long as they don’t have the ability to pull money?
The thing is my credit card and bank (Chase & Discover) is the same one… so how do I separate the email addresses with the banks? Thanks~
Jim Wang says
You could make new email addresses… personally, I would send them to the same secure address.
Wade Edward says
Sorry, don’t agree. I cannot see any benefit to separate (super secret) email addresses other than administration convenience. If my em address gets hacked how can they get into bank accounts w/o username and password?
Jim Wang says
It’s to prevent you from accidentally being phished because you become extra vigilant about the secure email.
I like the idea of a secret email for banking purposes. But why not tell credit cards? It seems like I would want all bills/finances under one email. You suggest keeping banks and credit cards separate – can you explain why?
Steve H. says
Hey Jim, so you say that you never use the same password twice? …. NEVER? I have a tough time remembering the five or six passwords to “things” I access routinely (e.g., credit cards, bank, broker,etc). So it would be nearly impossible to remember the 60 or so things I have that require a password without some being somewhat redundant, or I’d have to resort to the UBER-Secret master password list every time I have to log on. How do you manage that?
Jim Wang says
I don’t reuse on secure places. I do use the same one, with a junk email address, for the places I don’t care about.
For the secure ones, I use a master password that is gibberish but it’s the same gibberish so I remember it. Then I add stuff to the end based on what it is. For example, if it’s a credit card, I’ll add some letters corresponding to the card and then an ! at the end of the password.
I’ve also pared down my accounts such that I don’t have a ton of them that I log into.
Thank you for this. Not only do I have a secure email through Proton Mail, but I’ve done the same thing with a phone number (that I don’t share with anyone). There are some clever hackers out there who are using 2-factor authentication loopholes when they get the right customer support person on the phone at the cell phone companies. Scary stuff, but this post should help many people.
Jim Wang says
Excellent point on the phone number!
What email do you use for your Personal Capital account considering you have to enter all your banking login information into their website in order to link your financial accounts?
Jim Wang says
Good question, I use the regular one.
What do you think of using separate emails for:
1. services you pay for eg airfares, airbnb, app downloads and subscriptions?
2. logins only eg evernote, meetup
Jim Wang says
That feels unnecessary for me but if it helps you sleep at night, go for it!
Ari Paul @ariDavidPaul had a nice stream of tweets on this today. Some, like you mentioned, went down the rabbit hole of paranoia, but otherwise sounded much like your message here. Thanks.
Nice article Jim,
Been thinking of this for a while but came across your article and motivated now to do this sooner.
1- What would you suggest for Paypal associated email address, please? Should this be a secure one? Paypal email is shared many a time for receiving money when selling items but at the same time, you don’t want the spams (phishing emails) to start coming into that mailbox.
Jim Wang says
Good question – I use my regular one because my friends are sending me money. For business, I have a separate one but that is linked to the same account. You don’t want to use the secure email address thought because the whole point is to avoid giving it out to anyone.
Thank you Jim for the valuable information! Besides banks and brokers, would you recommend using the “classified” email address for my social security account as well? What about IRS, TurboTax, etc? Thank you!
Jim Wang says
I’d use it for anything you want to keep “separate” because you don’t want to get phished.
Great article and advice, thank you, I shared it with several friends and coworkers. Just went through a very targeted hack attack that totally upended my life for three days over Christmas 2020, and trying to stay ahead of the hacker was one of the most stressful things I’ve ever experienced. Was locked out of certain financial accounts till I could prove identity & didn’t know if my money was there or not, didn’t eat or sleep, what a nightmare. Luckily I was already using very strong individual passwords along with 2FA and having 2FA was the final defense that saved my finances from being looted. I followed your advice here regarding stealth emails and feel much calmer. My name, personal email, Hm address and mobile number were recently posted on a hacker site so I’m now perpetually a target. Worried about a potential SIM swap, I even obtained a second mobile number for use only with certain accounts. I will no longer use the leaked email for anything. Above everything, secure your mobile phone account, your email and financial accounts. Don’t wait until it happens to you and your in a panicked reactionary state. Hackers are counting on the fact that most ppl are complacent when it comes to account password security. Thank goodness I was paying attention, whew, what a stressful ordeal. Stay safe!
Jim Wang says
Wow! That’s really scary, I’m glad 2FA saved you.
We recently also got a physical hardware key as an additional layer of security (Yubikey).
so i have a question. If i have all my emails coming to one app on my phone or desktop, are you saying that the one secret email should not be linked in with the others, even though it doesn’t specifically overlap with the other emails (and only the app itself getting access)?
Jim Wang says
I would not log into your secure email address with the app. This avoids you being phished or otherwise attacked because you accidentally clicked on a link through your phone.
Pamela Jackson says
I have always followed this same approach when it comes to email. I actually have a few emails that I consider non-classified that I use for different things. One is for survey sites, one is for personal emailing with friends and family & the third is for entering contests. My classified email is for banking or high security accounts only. Even my closest friends and family members have never been given this email. I do have a record of this email locked up in a safe with other important documents in the event that something should happen to me and this information is needed by those handling my affairs. Not only is it important for internet security but it also has the added benefit of making things easier to manage. I go in every couple of months and change the password as well to be extra secure and I also have my computer loaded up with a VPN, virus and malware protection. I never access online banking or high security accounts from anywhere but my home computer, using my personal WI-FI.
Thanks for the article. I’ve started implementing this (though it’ll take a while, I think, to get things moved into their proper addresses).
Question: How would you categorize utility websites (gas, water, electric) and the like? Are they considered “classified” or would you see them as “unclassified”? There is certainly more damage someone could do with access to those accounts than many other accounts I might have. But do they rate as high as banks, brokers, etc? How do you handle those types of things?
Jim Wang says
I think of them as unclassified because, as far as I know, no one is looking to break into your utility account because there’s nothing you can do with it (they can’t steal your money using it, even if it is still important).
That said, it’s really your system so you should do what helps you sleep at night. It doesn’t hurt to use your classified email address with them.