How to secure your online accounts using a domain name and Google Apps.



How many people here use a single email address for a handful of important websites?

If you use a single email for all of them, it could potentially be a single point of failure. If anyone ever got into your email account, they would be able (assuming they knew your log-in name, and sometimes your email address IS your log-in name) to send a password recovery email to the email account they just compromised thus gaining access to quite a few of your online accounts.

So how does a person manage multiple email accounts and still remember which email they gave to which account?

I'm going to suggest a way which will significantly simplify all of this. (No, it does not involve a catch-all.)

The entire process starts with creating your own domain name. This is the only part that costs money, usually around $10-$15 per year depending on the domain name you register; mine was $15. I would also recommend getting a domain name from a company which also masks / hides your "whois" information. When you register your domain you have to give them an already existing email address. It would be preferable that this outside email address not be discoverable simply by doing a whois on your domain. Some companies hide the information for free while others charge a few dollars to do so. The company I used was Hover; they did it for free.

Once you have your brand new domain name it's time to link it to a Google apps account.

https://www.google.com/a/cpanel/standard/

This allows you to register a Gmail email address with your domain name (Something@yourdomain.com). This will be your MASTER email address, the email address that you never give to anyone or any site.

Once you have your Gmail apps account setup, as well as your new Gmail email address, it's time to create some nicknames. Nicknames are other Gmail email addresses using your domain name which all point back to your primary Gmail email account. Google Apps only lets you have 30 of them. Because of this, it's not the only thing we will be using.

The other thing we will be using is the + feature of Gmail. Gmail lets you take any Gmail address, add a plus sign and turn it into its own address.

Example. If your Gmail address was keyboard@typing.com you could give a website keyboard+keys@typing.com and any email sent to that address would arrive in the keyboard@typing.com inbox.

There is just one problem with this method. I call it the "reading between the lines" issue. It's not hard to look at that email address and see that the actual email address is keyboard@typing.com.

This is why we will be using the + in combination with a nickname (or several).

Let's say we created the nickname retail@typing.com. All email sent to that nickname would be sent to our MASTER address keyboard@typing.com. Now let's say we are going to sign up for Amazon. We would give Amazon something like retail+amazon@typing.com.

The Master account is also where the address recovery links will be sent if we forget our Amazon password (or if someone is trying to get into our account). The email address we just gave Amazon tells the attacker NOTHING about what account the emails are actually going to, nor can they log in to any Gmail account using that address.

So let's create some nicknames. You can only create 30, so I would recommend just making some key category nicknames like retail, forums, person, social; it's up to you.

1) First log into your Google dashboard by going to www.google.com/apps and logging in on the top right by clicking "Sign in". Type in your domain name, drop down the box on the right hand side and select "Domain Management".

2) Under "Your Users" click your name.

3) Towards the bottom of the page, under the section labeled "Nicknames", click "Add a nickname". Type the name you wish to give it and at the very bottom of the page click "Save".

You can create up to 30 nicknames.

This is pretty much the end of the guide. Your new master email is configured and so are your nicknames. Just remember NEVER give your main email address to anyone or to any site. Give them a nickname address or nickname address with a plus sign special to just that site.

You should also turn on 2-factor authentication in your new Google apps account.

I would also recommend that you use some password management software like Roboform or LastPass, because you should already be using unique passwords for every website. This will also help you save the email address you created as the login for each account.
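As an added example (not part of the original post), here is a small Python model of the scheme described above: a master address that is never handed out, category nicknames, and per-site +tags. The addresses keyboard@typing.com and retail+amazon@typing.com come from the post; the nickname set, the sample messages and the leak heuristic (sender domain should contain the site tag) are assumptions for illustration.

```python
# Added example: model the master / nickname / +tag alias scheme and show
# (a) where an address actually lands, (b) which addresses reveal the login,
# (c) how a per-site tag lets you spot an alias that has been leaked or sold.

MASTER = "keyboard@typing.com"            # the address you never give out
DOMAIN = "typing.com"
NICKNAMES = {"retail", "forums", "social"}  # assumed Google Apps nicknames (max 30)


def split_alias(address: str):
    """Return (base_local_part, plus_tag_or_None, domain) for a Gmail-style address."""
    local, _, domain = address.lower().rpartition("@")
    base, _, tag = local.partition("+")
    return base, (tag or None), domain


def resolve(address: str):
    """Map an address someone was given to the mailbox it really lands in.
    Returns (mailbox, tag), or None when nothing would accept it (no catch-all)."""
    base, tag, domain = split_alias(address)
    if domain != DOMAIN:
        return None
    if base == MASTER.split("@")[0] or base in NICKNAMES:
        return MASTER, tag
    return None


def exposes_login(address: str) -> bool:
    """The 'reading between the lines' issue: stripping the +tag from an alias
    built on the master address reveals the login; a nickname-based alias does not."""
    base, _, domain = split_alias(address)
    return f"{base}@{domain}" == MASTER


def leaked_aliases(messages):
    """Flag (recipient, sender) pairs where the sender's domain does not contain
    the site tag the alias was issued for. Heuristic, assumed for illustration."""
    flagged = []
    for rcpt, sender in messages:
        hit = resolve(rcpt)
        if hit is None or hit[1] is None:
            continue                       # not ours, or no per-site tag
        sender_domain = sender.lower().rpartition("@")[2]
        if hit[1] not in sender_domain:
            flagged.append((rcpt, sender))
    return flagged


SAMPLE_MESSAGES = [                        # constructed sample data
    ("retail+amazon@typing.com", "no-reply@amazon.com"),
    ("retail+amazon@typing.com", "deals@spam-example.net"),
    ("forums+neowin@typing.com", "notify@neowin.net"),
]
```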


This sounds so similar to what otherinbox used to do before they went and started integrating with the popular email services. I used to use them and create email addresses on the fly for sites I visited but didn't want to have selling my info, and it was easy to track too. For example, I used to use something like neowin@example.otherinbox.com and it would then put it in one of their folders with that name; then if Neowin sold my data (which I know they don't), I would know based on the number of emails being sent by others using that name.

For a web client, I actually use Gmail as a spam filter first. Not as a domain app, but a simple forward of all mails to the main inbox on Google, then a set of filters that if it passed the test, send mail directly to the client. He saw a HUGE reduction in spam that way. A poorman's spam filter really. :)

With every cPanel hosting account, you always get a default catch-all account, which is usually your cPanel username. This in turn means 100% of oddball-named emails like Neowin@example.com (assuming you owned example.com) would go to your catch-all if that mailbox didn't exist. This would in turn be filtered by SpamAssassin and the like. You can turn the catch-all off to prevent this from happening and cause a bounce to the sender, but it is an alternative of sorts.


You can then set up a folder in your 'default' account email for each one you create; although it is more of a hassle to do so, it will work.

Interesting read though both on what you posted and on the site linked.


or you can just use email+uniqueidentifierhere@gmail.com...

I would strongly advise against using a catch-all address. I used to have one and it's incredibly useful, but the spam has really racked up recently. I'm in the process of moving everything onto pre-defined addresses so I can cancel my catch-all.

And there are better ways of dealing with password reset security using custom domains than what they suggest. It just takes some creative thinking about the actual problem to figure out.


I already use catch-all with a subdomain rather than the primary domain. The problem is that one of the spammers got wind of companynamethatleakedmyinfo@subdomain.example.com and now I am getting spam to all made-up addresses going to subdomain.example.com.

So basically I can confirm that this theory does NOT work.

I get 10s of thousands of spam in my catchall a day, all going into my spam folder in Google Apps, and my Google Apps has never been suspended. I use Google Apps Free. Google Apps only has limits on what YOU send http://support.googl...n&answer=166852


I wish the big email providers (Outlook/Live, Gmail etc.) offered some 2-step authentication to beef up the security a little. Like having two passwords, or having a password and then a PIN and having it ask for a few random characters from it.

If I'm being dumb and some of these sorts of features exist in Outlook/Live or Gmail then tell me where to set them up.

I use LastPass to store all my passwords and I've just gone through its settings to beef up the security a little. Only allowing logins from my home country, and it supports Google Authenticator to produce 6-digit codes on my phone that need to be entered when you want to sign in. Should be reasonably secure.


But having that level of authorisation means hassle.

I simply want to be able to log in from wherever and be done with it. Yes the option is nice but in practice, I don't see myself using it very often. The Visa check when making online purchases annoys me.

I have a fairly secure password and have learnt lessons in the past with secret question answers and such. Having a @customdomain.com is more difficult to get into anyway, as nobody knows if it's a fully fledged domain or just the domain name.

Plus, I use a forwarder anyway so my @customdomain.com address simply gets forwarded to another @gmail @outlook address anyway.


But having that level of authorisation means hassle.

I simply want to be able to log in from wherever and be done with it. Yes the option is nice but in practice, I don't see myself using it very often. The Visa check when making online purchases annoys me.

I have a fairly secure password and have learnt lessons in the past with secret question answers and such. Having a @customdomain.com is more difficult to get into anyway, as nobody knows if it's a fully fledged domain or just the domain name.

Plus, I use a forwarder anyway so my @customdomain.com address simply gets forwarded to another @gmail @outlook address anyway.

You say having that level of security is a hassle, but I think your way is a little OTT for an average user to use.

Basic 2-factor is the way to go for everyone. We use it every day with our bank cards and PINs, don't we?

Even if Outlook/Live sent an SMS to a registered cell/mobile phone instead of having an app to produce the 6-digit PIN,

that would be a feature I'd like to see. Facebook already has additional security to detect logins from unusual locations,

and PayPal has been offering 2-factor as a choice for a while now.


But having that level of authorisation means hassle.

I simply want to be able to log in from wherever and be done with it. Yes the option is nice but in practice, I don't see myself using it very often. The Visa check when making online purchases annoys me.

I have a fairly secure password and have learnt lessons in the past with secret question answers and such. Having a @customdomain.com is more difficult to get into anyway, as nobody knows if it's a fully fledged domain or just the domain name.

Plus, I use a forwarder anyway so my @customdomain.com address simply gets forwarded to another @gmail @outlook address anyway.

As for websites that give you a limited number of security questions to choose from, most of the answers to which are easy to look up, do you lie on your security question answers?

Because if you don't, that makes it really easy to bypass 2-factor.


If I'm being dumb and some of these sorts of features exist in Outlook/Live or Gmail then tell me where to set them up.

You mention Google Authenticator, so I have to assume you would know that Gmail has had 2-factor for quite some time, back in early 2011 I think:

http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html

But then you ask about it?

As to Live, I don't think they have it yet, but Yahoo introduced it a while back, I do believe.
