
Is this new, or have online accounts never offered the ability to update your email address easily?

[-] Showroom7561@lemmy.ca -3 points 10 months ago

Not really.

Someone would need to know what accounts you have (which are not stored on my email), then know the password to access them.

That's if they are able to bypass the 2fa I have set on each account that offers it.

And it's also too bad for them, because I use a different email address per account, which can be rotated and changed (if the damn site allows you to update your email).

You need to have good security for all your accounts, and allowing a user to rotate email addresses between various websites is as important as allowing me to update my password whenever I like.

Really, the inconvenience of not allowing me to change my own account far outweighs the unlikelihood that anyone would compromise my email address (hasn't happened in over 25 years, and that's with having at least a dozen different email addresses).

[-] 520@kbin.social 2 points 10 months ago* (last edited 10 months ago)

Someone would need to know what accounts you have (which are not stored on my email)

Aren't they?

Access to your emails means access to your messages. If I see you get a lot of Amazon email, I can reasonably assume you have an Amazon account.

Most services send you emails at least on registration.

then know the password to access them.

Nope. Because I have your email account. And the usual method for resetting a password is via an email sent to your email account. That I've already compromised.

That’s if they are able to bypass the 2fa I have set on each account that offers it.

That last part is a pretty big asterisk. Sites that offer it are in the minority still. That also assumes your 2FA method isn't email.

And it’s also too bad for them, because I use different email address per account, which can be rotated and changed (if the damn site allows you to update your email).

You do realise the average person will never do this, right?

[-] Showroom7561@lemmy.ca 1 points 10 months ago

Access to your emails means access to your messages. If I see you get a lot of Amazon email, I can reasonably assume you have an Amazon account.

Yes, you can assume EVERYONE has a Google, Amazon, Facebook, or Reddit account, right?

But this is why I use different email addresses. You'd never be able to use one of my email addresses across services, so not having the ability to secure my own accounts makes no sense.

But I will say that having strong email security pretty much eliminates this hypothetical risk.

Most services send you emails at least on registration.

Delete those. Why keep them?

Nope. Because I have your email account. And the usual method for resetting a password is via an email sent to your email account. That I’ve already compromised.

2FA prevents this.

I should be able to mitigate a website's weak security practices by being able to modify all aspects of my account.

That last part is a pretty big asterisk. Sites that offer it are in the minority still. That also assumes your 2FA method isn’t email.

I agree, and while I think that plenty of websites still have a long way to go, let the user do what they can to further secure their account... by rotating email addresses easily.

You do realise the average person will never do this, right?

They should. I don't think security-minded folks should have to suffer because other people don't care or don't know.

Plus, there are more services that offer very easy, one-click options for generating new email addresses per account. Anyone who cares enough would already know.

[-] Darkassassin07@lemmy.ca 1 points 10 months ago

I'd also note that often 2fa can be disabled with access to the registered email account. People lose shit, services have to offer recovery options. That's usually via email.

[-] biscuitswalrus@aussie.zone 1 points 10 months ago* (last edited 10 months ago)

There are massive collections of databases online that find where breaches have occurred, allowing attackers to dump the database of that service, then collect all those database dumps together to identify all known accounts under an email address. Then once that email account ever has a password breach, attackers can look up and see 'was this password used also on other accounts' and attempt to use the same email and password on them. Moreover, they will just try that email regardless of known affiliation; if they already have a user name and password across many online services, it's safe to assume this will work sometimes. This is the essence of a credential stuffing attack.

https://www.abc.net.au/news/2024-01-19/what-is-credential-stuffing-scams-how-to-prevent-and-protect/103367570

https://www.abc.net.au/news/2023-05-18/data-breaches-your-identity-interactive/102175688

I've used abc here since I believe they write better for a lay person.

Edit: I meant to say, they can also create a profile of you and your many email addresses as demonstrated.
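The credential-stuffing pattern described in this comment (one source trying the same leaked credentials against many different accounts, most of them failing) is what a login service can look for on its own side. The following is an added example, not something posted in this thread: it runs a simple detector over a few constructed auth log lines and, for contrast, also includes a single legitimate user retrying their own password, which should not be flagged.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from any real system).
# Format per line: "<ISO timestamp> <source ip> <account> <OK|FAIL>"
SAMPLE_LOG = """\
2024-02-21T10:00:01 203.0.113.7 alice@example.org FAIL
2024-02-21T10:00:02 203.0.113.7 bob@example.org FAIL
2024-02-21T10:00:02 203.0.113.7 carol@example.org OK
2024-02-21T10:00:03 203.0.113.7 dave@example.org FAIL
2024-02-21T10:00:04 203.0.113.7 erin@example.org FAIL
2024-02-21T10:00:05 203.0.113.7 frank@example.org FAIL
2024-02-21T10:00:09 198.51.100.4 alice@example.org FAIL
2024-02-21T10:00:15 198.51.100.4 alice@example.org FAIL
2024-02-21T10:00:20 198.51.100.4 alice@example.org OK
2024-02-21T10:30:00 203.0.113.7 grace@example.org FAIL
"""


def parse(log_text):
    """Turn the log text into (timestamp, ip, account, succeeded) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result == "OK"))
    return events


def stuffing_suspects(events, window=timedelta(minutes=5),
                      min_accounts=5, max_success_rate=0.25):
    """Return {ip: distinct accounts tried} for sources that, inside any
    sliding time window, hit many *different* accounts with mostly failures.
    A user retrying one account is noisy but not stuffing, so it is ignored."""
    by_ip = defaultdict(list)
    for ts, ip, account, ok in events:
        by_ip[ip].append((ts, account, ok))
    suspects = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans <= `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            win = rows[start:end + 1]
            accounts = {acct for _, acct, _ in win}
            success_rate = sum(ok for _, _, ok in win) / len(win)
            if len(accounts) >= min_accounts and success_rate <= max_success_rate:
                suspects[ip] = max(suspects.get(ip, 0), len(accounts))
    return suspects
```

The one success inside the flagged burst (carol) is exactly the reused-password case the comment warns about, and is the account a defender would force a reset on.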

[-] Showroom7561@lemmy.ca 0 points 10 months ago

Those are full-blown attacks from hackers, so I'm sure they could profile you from bits of data across the net.

But if a layperson is using a different email per account, different username, a strong password, and 2fa, it's going to be very hard to infiltrate their accounts, or even associate one account with another.

Not giving people the option to change their email makes a hacker's job much easier!

[-] biscuitswalrus@aussie.zone 1 points 10 months ago* (last edited 10 months ago)

Now I'm not part of this, but an international student just got scammed $170 000 dollars over 3 months. They believed that the police had seized their Australian bank account and were contacting them related to their identity being stolen. It wasn't at the time of call, but the international student, maybe 25, was fully profiled. They knew where he studied, who he had been talking to. At the time of call, the poor kid thought he was talking to the police, gave every bit of information including bank account which had mfa, but undid it and followed the scammers' requests believing he would be deported. He called home to his parents and asked them for more money even in order to build a new account because he believed his other one was frozen; the new account was under order and control of the scammer who this kid trusted. The scammer even made this kid move into a hotel for a week as their "premise needed to be searched". It wasn't for a month after this that it was found, because the kid believed he couldn't tell anyone, before the school (where he was attending but kept leaving to take calls, which is a no no) had to tell the kid that absenteeism will result in the student visa being cancelled. At that point it all came out, a month and more of being scammed.

My point is, no it's not business. Just look at the YouTubers, just watch Jim Browning. Just ask people, it's a multi billion dollar industry. And it's not limited to rules like 'business'.

[-] Ludrol@szmer.info 1 points 10 months ago

Not giving people the option to change their email makes a hacker's job much easier!

What?! How!?

Layperson uses same email, same username, same password and 2fa only if it is required for an account.

Anything more and they aren't the layperson anymore. They are security conscious enough that they use different passwords or a password manager.

Anything more and they become paranoid (rightfully or not, it isn't for me to judge as there are jobs that require as much protection as possible).

When an email is compromised, changed and there isn't any footprint due to deletion of any suspicious activity, then the layperson's whole internet presence is compromised.

Emails will keep coming into the same inbox when there is suspicious activity, if the email can't be changed easily.

[-] Showroom7561@lemmy.ca 1 points 10 months ago

Well, I'm not a security expert, yet I do these things.

Having a single email address for everything not only compromises your security, but it's a spam nightmare.

And having one email makes you an easier target compared to having one different email per account. It's just a numbers game.

A hacker or bad actor may gain access to one, but not all of your accounts.

Most people may not be as security savvy, but that's likely because companies don't really do much to encourage good security practice.

They lack 2fa, they use horrible "what's your mother's maiden name?" questions, and e-mail based account confirmation. I don't blame people for not hardening their accounts when they aren't even given good options to.

[-] 520@kbin.social 1 points 10 months ago

I literally am a security expert and the only thing I change between accounts is my password, which I put in a password manager.

With that said I do have other usernames/email addresses that I use if I'm doing something that I don't want attached to my public persona. These can also be stored in the password manager so all is still good.

But individual email addresses per account is overkill and a management nightmare, with a very minimal security tradeoff. I'm not exactly expecting a state sponsored attack on my email after all.

[-] Showroom7561@lemmy.ca 1 points 10 months ago

But individual email addresses per account is overkill and a management nightmare

Since I use a password manager, it's quite easy to manage, just like different passwords for each account. No difference.

But having different email addresses also helps with reducing spam, so it's worth it just for that.

[-] 520@kbin.social 1 points 10 months ago

Since I use a password manager, it’s quite easy to manage, just like different passwords for each account. No difference.

Yeah, but for the actual mail, do you forward the emails to one address? Or do you set up Outlook/Thunderbird to sync all of them? Manually checking all of them would be quite laborious and you might miss the occasional important email if you don't check regularly.

[-] Showroom7561@lemmy.ca 1 points 10 months ago

Mail forwarding sucks. I stopped doing this a while ago.

My email provider handles my main email address (strong password + 2fa enabled), as well as generates temporary emails, and email aliases. Those get funnelled into my email clients, and can be disabled at will, so it's easy to manage.

Someone could even use a product like Firefox Relay if they don't have access to these features already, or want an easier way to do it. As long as the main email is protected, I don't see any major risks here.

For newsletters, they go to "kill the newsletter" and I get them in a self-hosted RSS service so they never enter my email stream.

My password manager also generates random usernames for websites that don't use email as a login.

My strategy as of late is to create a disposable, temporary password for a new site that I'm registering to. If I plan to use the account long-term, it gets an alias email (hence, one reason why it's handy to be able to easily update my email address) or the account is simply deleted. Yes, a little more work, but it saves my sanity in the long run.

I've been going through all my accounts created in the last 20+ years and either closing them (if possible) or changing the email on them (if possible). But I did move away from gmail something like two years ago, and I'm updating any accounts that are still sending email there.

"Contact customer service" to do this has been messy and frustrating, as it is when I have to contact customer service to close an account.

The most non-essential sites seem to be the worst offenders; roblox wanted my DRIVER'S LICENCE to close the account. I politely told them to fuck off and delete the account, which they did. LOL

this post was submitted on 21 Feb 2024
96 points (91.4% liked)
