As more people flock over to the fediverse from reddit, twitter and other centralised proprietary networks it is important that you keep your e-mail and other important accounts safe from hijacking attempts. Since anyone can simply spin up an instance and host users and communities it is important that you don’t divulge your internet personal details to anyone as these can be harvested by the instance owner and by any instance you erroneously try to login to or simply the instance could be hacked and the user data harvasted. With this in mind here are some suggestions for good OPSEC (Operation Security):
- Don’t use your main e-mail address. Either create a new one or better sign up for an e-mail forwarding service and set-up forwarding addresses for each instance you sign up to. Since these are throw away addresses, if it gets leaked you can just delete the address and create a new one without compromising your main e-mail address. (Bonus: this can also be used to use unique addresses for traditional web services and make it easy to know how and from where an address got leaked)
Here is a nice article with some e-mail forwarding providers to get you started
- Use a password manager and generate strong and unique passwords for any and all instances and services you use, this way you won’t divulge a password used on another account to the instance owner, or if the address used (especially if you used your main e-mail address)/got leaked your account will still be safe from hijacking by attempting to use password dictionaries to guess the password.
Some passvault suggestions:
- Passbolt (self hosted)
- Bitwarden (self hosted and hosted options)
- Vaultwarden (unlocked self hosted alternative to bitwarden)
These are my main security suggestions for all you new and existing lemmings. Feel free to suggest other security considerations to have and other services beyond those mentioned. Stay safe and have fun posting and commenting.
Caution: The following requires that you have “Keychain” and “iCloud Mail” activated for your Apple ID, and are running iOS 15+, iPadOS 15+, and macOS Monterey+ on the applicable devices.
For macOS / iOS / iPadOS users you can use “Hide My Email” (aka “Sign in with Apple”) to have a randomly generated e-mail address used for sign-ups. Then you can have Keychain generate a random, strong, passcode for you to use on that particular website.
Note: If you see just an “e-mail” field on the sign-up page, and when you click in it you see a drop-down menu of your current Apple e-mail addresses, just scroll to the bottom of that list to get to “Hide My E-mail”.
After you’ve completed a sign-up on a website (not just federated, but any website) Apple will e-mail you the new e-mail address you generated and for which website is was used on. Store that in a safe place to easily keep track of what’s being used where. (You can also find them here: System > Apple ID > Hide My E-mail > Options…)
All of the above, the randomly generated e-mail addresses and passcodes for the websites, are automatically synced through iCloud to all of your devices signed into the account used to create them.
Note: The “Sign in with Apple” button is a bit weird. When you’ve used it on a website, then later go back and are asked to sign-in to your account, you’ll see the same “Sign in with Apple” button you saw originally. There’s no visual indicator on the page that you’ve used this feature before. It’s not until you select the button that the next screen will show you the e-mail address that was generated.
This is a good explanation of the feature for use with Lemmy.
I’m gonna be an annoying pedant for a second though and say that “hide my email” and “sign in with apple” are two different and unique features, though they both act as an email relay.
The former just creates a semi-random email address for you that forwards to your email. This address will end in “@icloud.com,” making it indistinguishable from any other iCloud email address (other than the ridiculous address you get).
The latter is an authentication system that allows you to sign up for services that support it with your apple account. The service doesn’t get your password directly of course, when you click the “sign in with apple” button it will redirect you to an apple sign in, typically faceID or touchID, and when you sign in successfully (or are already signed in to Apple) it will redirect back to the service with a token that says “this person is cool.”
Importantly for this conversation though, you can optionally send the service your real email or a generated email address as a relay, but the generated email is not the same as the email generated by “Hide my email,” instead it’s a clearly random series of characters and ends in “@privaterelay.appleid.com”.
In the end they have roughly the same purpose for your email, but the important bit here is that on Lemmy, only “hide my email” will be useful. There are no Lemmy instances that support “sign in with Apple” (yet).
Okay, I’ll stop being a pedant now. Sorry for being annoying there.
Thank you for the excellent clarification.