
What's in an email address?

There has been much debate recently about the value of email when compared to instant messengers and social media. I'm not going to reinvigorate that debate here, but the whole passionate brouhaha has got me thinking about what it means to actually have an email address and how important that short string of text has become.

Two words spring immediately to mind when I think about what is actually in an email address. Those words describe a process that has quite a profound effect on you as a user of Internet services. Those words are:

           “Password reset”

Your email address, whether given to you by your employer or your ISP (remember CompuServe?), or chosen by your own fair hand, seeks to identify you. In many cases an email address is your name, or part thereof, and is generally recognizable unless you've taken steps to make it less so.

I have an incomplete thought about this identity: we take this identity for granted, we assume that this identity is true, and we generally don't question the legitimacy of an email address or the identity of the supposed sender. This of course is exploited fantastically well by malicious senders attempting to dupe us out of our financial information or login credentials. As a former penetration tester I can tell you that I've always had 100% success with email-based attacks sent from addresses that 'claim' to be from someone they're not, especially if the sender demonstrates a little knowledge of the recipient or the subject at hand.

But here's the paradox: we understand social engineering and phishing very well, yet we still treat an email address as an identity, don't we?

Often this identity is all you need to carry out that password reset: gain control of an email address or account and you have instant access to a mind-boggling array of personal accounts and information. Often the 'forgotten password' link simply asks you for your address; sometimes you may be prompted for more information ('mother's maiden name', 'place of birth', 'month of birth' etc.), much of which is freely available on social media. Some sites even ask you for ludicrous validators like "your preferred internet password."

I expect that just supplying an email address to a website to request a password reset is a shortcut on that website's part; they could do more but probably don't want to over-complicate things for you. This is a fantastically naive expectation of identity placed on a simple string of text. I suppose the expectation is that the recipient hasn't had their email account compromised, but no website I've ever used has asked that question.
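To make the two reset styles above concrete, here is an added example (my own illustration, not code from the original post or from any particular site). The hypothetical weak_reset() stands in for the "mother's maiden name" style of check, which is only as secret as the answer, while request_reset() and confirm_reset() show the usual email-link flow done carefully: a random one-time token, stored only as a hash, time-limited, consumed on first use, with the site responding identically whether or not the address is registered. The in-memory USERS and RESET_TOKENS dictionaries and the alice@example.com account are constructed stand-ins for a database. Note that even the careful version still trusts the mailbox: it cannot tell whether the email account itself has been compromised, which is exactly the assumption the post is questioning.

```python
import hashlib
import secrets
import time
from typing import Optional

# Constructed stand-ins for a user database and a reset-token table.
USERS = {
    "alice@example.com": {
        "password_hash": None,
        "security_answer": "Smith",  # "mother's maiden name" style validator
    },
}
RESET_TOKENS = {}  # sha256(token) -> (email, expires_at)

TOKEN_TTL_SECONDS = 15 * 60


def _hash(value: str) -> str:
    """Hash helper; sha256 is fine for random tokens, not for passwords."""
    return hashlib.sha256(value.encode()).hexdigest()


def weak_reset(email: str, answer: str, new_password: str) -> bool:
    """Knowledge-based reset: anyone who can find the answer (social media,
    public records, a guess) can take the account. Shown for contrast only."""
    user = USERS.get(email)
    if user is None or user["security_answer"] != answer:
        return False
    user["password_hash"] = _hash(new_password)
    return True


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a one-time reset token that the site would email to the address.

    Returns the plaintext token (the thing that goes in the email link), or
    None if the address is unknown. The caller must render the same generic
    "if that address is registered, a link has been sent" page either way,
    so the response does not reveal whether an account exists."""
    now = time.time() if now is None else now
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits of entropy, not guessable
    # Store only the hash: a leaked token table must not yield usable tokens.
    RESET_TOKENS[_hash(token)] = (email, now + TOKEN_TTL_SECONDS)
    return token


def confirm_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume a token and set the new password. Rejects unknown, reused and
    expired tokens, and invalidates any other outstanding token for the user."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(_hash(token), None)  # single use: removed on first try
    if entry is None:
        return False
    email, expires_at = entry
    if now > expires_at:
        return False
    # Demo only: a real site would use a slow password hash (bcrypt/scrypt/argon2).
    USERS[email]["password_hash"] = _hash(new_password)
    # A successful reset voids every other link that may still be in the mailbox.
    stale = [k for k, (e, _) in RESET_TOKENS.items() if e == email]
    for k in stale:
        del RESET_TOKENS[k]
    return True


if __name__ == "__main__":
    link_token = request_reset("alice@example.com")
    print("emailed token:", link_token)
    print("first use:", confirm_reset(link_token, "correct horse battery staple"))
    print("replay:", confirm_reset(link_token, "again"))
```

The `now` parameter exists only so the expiry path can be exercised deterministically; in a running site it would be left at the default wall-clock time.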

Culturally an email address now makes up a significant part of your identity; in some cases it is 100% you. I suspect that without the casual and formal asynchronous subject-centric communications currently known as email (to coin a phrase of our CTO) you will find you lose a little of your identity, even if you can no longer reset your <insert website of choice here> password.