Use A Unique, Secure Email Address Solely For Password Recovery

Keeping your passwords safe can be tricky. Social engineering attacks make it easy for nefarious types to gain access to your accounts. One way to lower the risk is to have a special email address solely for recovering passwords.

That idea comes from Mat Honan, the Wired writer who achieved infamy after having his accounts hacked earlier this year. He explains the approach:

If a hacker knows where your password reset goes, that’s a line of attack. So create a special account you never use for communications. And make sure to choose a username that isn’t tied to your name, like m****[email protected], so it can’t be easily guessed.

This is actually very easy to do and potentially requires no effort beyond creating an email account. If you never forget your passwords, you’ll never have to log in and check the account. If you ever do, it’s not a big deal. For more great tips, and a wonderfully thorough article that explains the problem with password security in depth, check out the full post over at Wired.

Kill the Password: Why a String of Characters Can’t Protect Us Anymore [Wired]


  • I agree – passwords aren’t good enough anymore. Personally, I’d like to see portable biometric devices that interact with 1 or 2 other pieces of information, making it a 2 or 3-factor authentication process. Perhaps some kind of challenge-response mechanism that you can change at will. Whatever it is, it needs to happen soon.

  • Agree totally the system of email password recovery is “broken” and no longer enough. But creating a “recovery only” unique email has its own issues. Most sites I use require an email as part of registering, for them to communicate information to me, such as my order status etc.

    They use this same email for password recovery should the need arise. So in order to use the “unique” email for pw recovery… I’m also using it as my general contact/registration email. Which defeats the purpose of the original intent.

    For this system to work will require sites to capture two email addresses when registering. One for day-to-day general communications and another for password recovery only.
