Doesn't this subaddress all just resolve to the same account? The accounts are free, so just make up a completely different account. Yeah, it might get a bit of a mess for a user to manage, but that's what password managers are for.
Let's face it, we're not talking about Joey Beercan doing this. Anyone even tossing around the term SecOps has already moved out of the mass populace and into the somewhat informed. Someone practicing SecOps would definitely be the type to use some sort of credentials management. So I don't think unique, totally unrelated emails are too much of a burden. Using different free email providers is even better.
It depends on the underlying email server. But strictly speaking, the "+" is a valid identifier, and "joe+admin@example.com" is a completely different address than "joe@example.com".
It just so happens that email servers tend to recognize the usage of "+" as a "tag" and route incoming mail using the tag to the root email that precedes the plus and tag.
But, as the sender, you cannot assume that this is always the behavior. You must assume that those are two different emails.
I use periods and they work fine, for example exampl.e@gmail.com or e.xampl.e@gmail.com, which surprisingly resolves to my main email, and I’ll block spam from any sender spamming that period address. Anyone know why this works?
Gmail accounts aren't free: I believe they only allow up to 4 to be linked to the same phone number (which is mandatory).
Microsoft is worse: they'll let you create an account, then lock it the next day, after you've already used it for something, if you don't link your phone number.
Phone number is used because it costs money to get, is hard to get in bulk, and in many countries is always tied to your identity.
I wonder what the market for throwaway phone number verification is worth.
It is still possible to register Gmail accounts without a phone number. I suppose they primarily use IP reputation to determine when they allow it, but the device seems to matter too.
In the past you could use BlueStacks android emulator to register Gmail accounts without sms verification even with VPN IPs. This year I've created a few Gmails without sms verification, once on desktop chrome (with Firefox they would've required sms) and a couple of times using the Gmail app on an Android phone.
There are several cheap (not free) email providers that allow you to create unique emails per service for this precise purpose, and do not require a phone number; however, they are lacking significantly in every other way, like an easy to use inbox, so not great for your main contact.
One I tested out I found to be good for these random sites that want emails as your username. Then I set the custom email to forward the mail, thereby maintaining unique usernames on each site. If the site does not use an email for the username and does not make the provided email public, you could use your regular email with the handy features that come with a Google/Microsoft suite, or err on the side of caution by still having the unique email.
> I wonder what the market for throwaway phone number verification is worth.
I pondered this recently, and it seems to top out at a couple bucks per shot.
The problem is that the phone number tends to need to be persistent for the sake of security. You can't typically sign up for something that requires a phone number and then expect to be able to keep the account safe without maintaining exclusive access to that number.
I'm sure if it were cost effective, one of the password managers would have some kind of SMS integration, like Apple's hide my email, but for phone numbers.
If you're the kind of person who doesn't want to provide their own phone number to make an account, you probably also wouldn't be using any account long-term.
That’s not true. None of my Gmail accounts have a phone number, and I’ve used them for their discrete purposes continuously since their creation. I doubt I’m the edge case.
You claim OpSec, but if you’re using such bad opsec, then I’d suggest you’re not actually doing opsec. Tying a throwaway account to actual data that can directly identify you is just such bad opsec, you might as well use your actual name as your user name.
Opsec can be a relative term. Yes, some people are selling drugs or spying for the Russian government but other people just don't want to be OSINTed by scripts like this. Then creating a new Gmail account from the same IP address is enough. It's a lot easier to hide your identity from people who don't have the power to issue subpoenas.
I think his point was that he wasn't looking to be totally invisible. Just less obvious to people who won't spend a pile of time looking for you.
If you're adding your phone number to a throwaway account you use on Target or Walmart, it's likely okay.
The IP comment was likely because if someone can get your phone number from the Walmart service (via subpoena), to track you down, they can also get your IP address too.
> Doesn't this subaddress all just resolve to the same account?
Not in OAuth/OIDC compliant identity providers. As one example, I frequently use + email addresses for testing on auth0-secured apps, where I use the + text to tag a role or some other user attribute that identifies what makes the test account special, e.g. stult+admin-staging@example.com or stult+user-declined-gdpr-prod@example.com. Each plus variant resolves to its own separate account with its own password (which I do in fact manage via a credential manager), without requiring me to set up multiple full email addresses to simulate multiple users with verified email addresses.
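The two behaviours described in this thread, "+tag" subaddresses that most providers route to the root mailbox and Gmail's dot-insensitive local parts, are exactly what a service has to account for when it wants to notice that several sign-ups belong to one mailbox (for rate limiting or duplicate-account review) while still, as a sender, treating every address as distinct for delivery. The following is an added example, not code from any commenter or from any provider: it canonicalizes addresses for duplicate detection only. The set of dot-insensitive domains and the choice to strip plus tags for all domains are assumptions flagged in the comments; the sample sign-ups are constructed.

```python
"""Canonicalize e-mail addresses for duplicate-account detection.

This is illustrative code added to the thread, not any provider's logic. The
canonical form is for comparing sign-ups, never for addressing mail: as noted
above, a sender cannot assume joe+admin@ and joe@ reach the same mailbox.
"""
from typing import Dict, List, Optional

# Providers known to ignore dots in the local part (assumed list; Gmail is the
# documented case, googlemail.com is its alias). Unknown domains keep their dots.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonicalize(address: str, *, strip_plus_tags: bool = True) -> Optional[str]:
    """Return a canonical local@domain form, or None if the input is not a
    plausible address. strip_plus_tags=True assumes the common "+tag" routing
    convention for every domain; pass False to keep each plus variant distinct."""
    addr = address.strip()
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    domain = domain.lower().rstrip(".")
    if not local or not domain or "." not in domain:
        return None
    if strip_plus_tags:
        # "joe+admin" -> "joe"; a leading "+" leaves nothing, so reject it.
        local = local.split("+", 1)[0]
        if not local:
            return None
    if domain in DOT_INSENSITIVE_DOMAINS:
        # "e.xampl.e" -> "example" only where the provider is known to do this.
        local = local.replace(".", "")
    # RFC 5321 makes local parts case-sensitive, but providers fold case in
    # practice; folding here favours catching duplicates over strict exactness.
    return f"{local.lower()}@{domain}"


def group_by_mailbox(addresses: List[str]) -> Dict[str, List[str]]:
    """Bucket raw sign-up addresses by their canonical mailbox; unparseable
    inputs are dropped rather than grouped."""
    groups: Dict[str, List[str]] = {}
    for raw in addresses:
        key = canonicalize(raw)
        if key is not None:
            groups.setdefault(key, []).append(raw)
    return groups


def repeated_mailboxes(addresses: List[str], threshold: int = 2) -> Dict[str, List[str]]:
    """Return only the mailboxes that appear under at least `threshold` variants,
    i.e. the sign-ups worth a closer look."""
    return {k: v for k, v in group_by_mailbox(addresses).items() if len(v) >= threshold}


# Constructed sample sign-ups mirroring the variants discussed in the thread.
SIGNUPS = [
    "joe@example.com",
    "joe+admin@example.com",
    "Exampl.e@gmail.com",
    "e.xampl.e@gmail.com",
    "stult+admin-staging@example.com",
    "alice@example.org",
    "not-an-email",
]

if __name__ == "__main__":
    for mailbox, variants in repeated_mailboxes(SIGNUPS).items():
        print(f"{mailbox}: {len(variants)} variants -> {variants}")
```

Running the module lists the two mailboxes from the constructed sample that appear more than once (the example.com plus variant and the two dotted Gmail forms), while `Joe.Smith@example.com` style addresses keep their dots because example.com is not in the dot-insensitive list.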