I may be on the extreme, but I use hundreds of different E-mail addresses. Since I have whole domains where every address forwards to me (or to my spam filters) I actually have an uncountable number of addresses, but I also have a very large number of real ones I use. That’s because I generate a new address for every web site I enter an E-mail address on. It lets me know who sells or loses my address, and lets me cut off or add filtering to mail from any party. (By the way, most companies are very good, and really don’t sell your E-mail.)
As I said, I’m on the extreme, but lots of people have at least a handful of addresses. They have personal ones and work ones. They have addresses given by ISPs, and ones from gmail, hotmail and the like. But I regularly run into sites that assume that you have only one.
One of the worst behaviours is when I mail customer service. That mail comes from my current “private” address. It’s an unfiltered address that only goes out in E-mails to people I mail, and so replies always work. But they usually write back “You must send mail from the E-mail address in our records.” Even when I have told them my account number or other such information. And in fact, even when I tell them what the E-mail address is, they insist it be in the “From” line.
With most E-mail clients, I can indeed put any address in the From line I want, including yours or any of mine. So this is a pointless form of security. Their software has been written to key off this, and won’t let their agents identify the user another way. Unfortunately some mail agents that I use on the road don’t make it easy to enter an arbitrary From, so this is a pain.
Another problem is contact databases and social networks. LinkedIn likes you to know the E-mail address of somebody you are contacting in advance. But which one did they use with LinkedIn? And which one have I used? The address I have registered with some of these sites is not the one you use to mail me, so I can direct that mail. So if you use their systems to check for people in your contact list, you won’t find me, and I may not find you. Not that there’s an easily solution to this, but they haven’t even really tried.
Now as I said, I create these emails on the fly, and from reading them, I can tell what site they are for. But that doesn’t mean I can remember what I created after the fact. Sadly, many sites are also demanding you log in using “your E-mail address” rather than a userid that you pick. While this assures that IDs are unique, it’s also not hard to come up with a unique ID to use that’s not an E-mail and can be the same over all the sites you wish it to be. Sometimes to log in or do certain functions, I have to remember what E-mail I generated for them. (If I can get them to mail me something, I can solve that.)
Of course, many of them will mail me my password. Which is hugely, terribly wrong. No site should be able to E-mail you your password, because that means they are storing it. They should at best be able to reset your password and send you an E-mail which will let you log in and create a new password. While you should keep unique passwords for sites where real damage can be done (like banks) most people keep common passwords for sites where compromise of your “account” is not particularly bothersome. But if sites store it, it means they all are getting access to all the rest, if they wish to, or if they are compromised. I wrote this blog post to give people something to point at when sites expect you to have just one E-mail. I probably need another to point sites at when they are storing my password and will mail it to me. (Especially ones that say they dare not send you messages by E-mail because it is not secure, but which will send you your password by E-mail.)