A lot more people are using password managers, and a question that I see show up a lot now is whether you should create a new email account just for your password manager.
I’ve noticed this discussion has become hotly debated, but I’m on the side that you should not create a new email account just for your password manager.
Email Addresses Are Not That Private
Email addresses are about as private as your home address.
You may not go around telling anyone your home address, and you’ll undoubtedly be mad if someone leaked it, but in reality, we all know our home address is in an easy-to-find database somewhere.
Any one of these people-search websites can show us how private your home address really is. A simple Google search of just your name can show you how much private info is not so private.
You can go out of your way to keep your email address private, but there is no guarantee that it will remain that way.
Your email address is always stored in plaintext on a server somewhere. It needs to be in plaintext to send you emails.
If past breaches have taught us anything, it’s that anything stored in plaintext on a server will be leaked one day. It doesn’t even take a malicious actor; a pure accident can leak your email.
Email is not as private as you might think; even providers that brag about being private are not perfect.
What You Should Do Instead
Instead of making a new email account, you should make your master password longer.
You would be better off making your master password 10 characters longer than spending time making a new 10-character-long email address.
Either way, you’ll need to remember 10 new characters, but at least the master password is meant to be private. The password manager service knows your email address, but they don’t know your master password.
Adding 2FA would also be more beneficial than creating a new email address as it’s meant to be private too.
You Could Miss Warnings
If you create a new email account just for your password manager, you’ll need to check that email account often.
One thing that password managers do is email you about specific alerts.
For example, if a new device logs in, you’ll get an email letting you know.
But if you create a new email account just for your password manager and don’t keep up with it, you run the risk of missing these critical alerts.
There was a trend about 10 years ago that many parents did that involved creating an email account in their child’s name so they would have it when they got older.
It was a clever idea, and many parents even wrote lovely letters to their children so they could read them one day.
The problem is that many parents never logged into the account for months, and once that happened, the account was deleted along with those memories.
If you’re creating an email account just for your password manager, how often are you going to be logging into that account?
Even worse is that some email providers allow anyone to re-register that email address after it expired due to inactivity. What’s scary about this is that you can delete your entire vault with just a simple email confirmation with most password managers.
What About Doing The (+) Email Trick?
Some email providers allow you to add something to your email address to give it a unique identifier.
For example, Gmail allows you to add a “+” to the end of your username to make it unique.
You could be extra clever and make the addon random like [email protected].
Those emails would make it to your regular email account, which is excellent and solves the inactivity problem discussed earlier.
But if you’re going the route to add an extra random bit to the email address, you would be better off adding it to your master password instead.
Your email address is not that private, but your master password is, and making it longer will always be the best thing you can do for your account.
Your Email Address Is Stored In Plaintext With The Password Manager Company
The real kicker is that your email address is stored in plaintext with your password manager account.
It needs to be in plaintext to be able to send you alerts about your account.
So if the password manager company is breached, your unique email address won’t do much to protect you. While on the other hand, making your master password longer would.
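The trade-off above, as an added example (not code from this post or from any password manager): it assumes a hypothetical service that keeps your email in plaintext beside a salted PBKDF2 verifier of the master password, and that the extra characters are picked at random from the 62 letters and digits. Every address and password in it is constructed.

```python
import hashlib
import hmac
import math
import os

ITERATIONS = 10_000  # kept low so the demo runs quickly; an assumption, not a recommendation


def make_breach_record(email, master_password):
    """What the hypothetical service stores, and therefore what a breach exposes."""
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)
    # The email sits in the record as-is; the master password never does.
    return {"email": email, "salt": salt, "iterations": ITERATIONS, "verifier": verifier}


def password_matches(record, candidate):
    """Verify a password using only fields that are already in the leaked record."""
    derived = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(derived, record["verifier"])


def unknown_bits(random_secret_chars, alphabet_size=62):
    """Guessing work (in bits) from random characters that are NOT in the record."""
    return random_secret_chars * math.log2(alphabet_size)


def compare_options(base_password_chars=12, extra_chars=10):
    """Where do the 10 extra characters go: the email address or the master password?"""
    return {
        # Email is leaked in plaintext, so its random tag adds nothing after a breach.
        "longer_email": unknown_bits(base_password_chars),
        # The same characters in the master password stay unknown to whoever holds the dump.
        "longer_password": unknown_bits(base_password_chars + extra_chars),
    }


if __name__ == "__main__":
    record = make_breach_record("user+k3v9x2q8ra@example.com", "constructed-pass")
    print("email visible in dump:", record["email"])
    for option, bits in compare_options().items():
        print(f"{option}: about {bits:.1f} bits left to guess")
```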
Avoid Email Forwarding Services
You should for sure avoid using an email address you get from an email forwarding service like AnonAddy, 33mail, or SimpleLogin.
I love these services, don’t get me wrong, but they are for sure not wise to use for your password manager’s email address.
These services put another layer between you and your password manager. If that service goes down or gets hacked, you’re kind of screwed.
As talked about earlier, most online password managers give you the option to delete your account with just an email. If any of those email forwarding services get hacked, the attacker could delete your account if they wanted to because they now control the email address.
You want as few middlemen as possible between your password manager and your email account. You don’t want any delays or chances of someone deleting your account.
The same also holds true for any important accounts. You don’t want to use these email forwarding services for your bank or anything you consider important. These email forwarding services are for less important accounts or places you don’t want to give your email to.
Important vs. Non-Important
I don’t think you should create a new email account just for your password manager.
But if you have an email address for important things and another one for non-important things, then that is fine.
I would, of course, use the important email address for your password manager, but I would not go out of my way to make a whole new email address just for my password manager.
We all get junk mail, and having an email account just for junk and another one to keep the important stuff is more than acceptable.
The Wrong Email Address Can Lock You Out
I’ve seen people get locked out of their password manager because they forgot they used a new email address.
It drives them mad because they’re certain the master password is correct, and it is, but since they enter the wrong email address, they can’t get in.
Keep It Simple!
The biggest reason I push back on having a dedicated email address just for your password manager is that it adds unneeded complexity.
The common trend I see with many people getting a password manager is that they tend to supercharge everything and take it to the extreme. A sense of paranoia develops in them and can often do them more harm than good.
It’s better to keep it simple, and making your master password just a few more characters longer is exponentially more beneficial than having another email address to remember.