How well do you think you practice personal and online security?



Harold Mansfield
12-31-2015, 01:39 PM
I run into it all of the time, but don't understand business people who only have/use one email address for everything.

To me, not only is it just ridiculous to mix your personal and business, but it's just a huge, gaping security issue.
The same email for every single thing you sign up for, every newsletter, domain registration, hosting, banking, Google, your smart phone, every form you fill out both online and offline, every account you have...to me just makes you an easy target. Now hackers only need to guess one thing, your password...and it's also usually pretty easy to guess.

I try to counsel friends and clients to be a little more security conscious, but the prevailing attitude is "I just don't have time to keep up with 'all that'". Which just floors me as much as people say they want/expect better security.

What about you? Do you use at least more than one email address?
What other gaping security holes do you see people making every day?

Brian Altenhofel
12-31-2015, 02:48 PM
Using email for exchanging information that should be secured, such as credentials, personal information, etc. You could be using TLS to connect to your provider, your recipient(s) could be using TLS to connect to their provider(s), but no one knows or has any control over the intermediary relays - many of which don't use TLS for relaying mail.

Another thing is businesses whose website is very important to them not using a web application firewall (strongly recommended if doing e-commerce, practically required if doing self-hosted e-commerce and can't perform complete code reviews on your site's code). I get hundreds of notifications a day from a managed WAF on just one site. About 70% are WordPress exploits (about half looking for SQL injection, most of the other half looking to take advantage of the permissions required for the auto update feature), 15% WYSIWYG exploits (such as CKeditor, TinyMCE, etc.), and the rest either non-specific or other platforms. A good managed WAF can take a lot of the stress of security updates away - though they still should be performed on a timely basis, most managed WAFs have the heuristics to deal with many types of 0-day exploits. When the patched Drupal version was released and the CVE was published for the Drupalgeddon exploit, within an hour I was seeing tens of thousands of attempts per hour across the sites I host. None were updated at that point, but none of the attempts made it past the WAF.
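Brian's point about relays is checkable after the fact: every relay prepends a Received: header, and RFC 3848 keywords (ESMTPS, ESMTPSA) record whether that hop used TLS. The script below, an added example and not something from this thread, walks the Received: chain of a constructed sample message and reports the hops that carried the mail in the clear. The hostnames and IDs in the sample are made up, and the TLS test is a heuristic (protocol keyword or a TLS version in the hop comment), since relays vary in what they write.

```python
import re
from email import message_from_string

# Constructed sample: three hops, the middle relay-to-MX hop without TLS.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
        by mail.example.com with ESMTPS id abc123
        (version=TLS1.3 cipher=TLS_AES_256_GCM_SHA384);
        Thu, 31 Dec 2015 14:40:01 +0000
Received: from relay.example.org (relay.example.org [198.51.100.5])
        by mx.example.net with ESMTP id def456;
        Thu, 31 Dec 2015 14:39:58 +0000
Received: from [203.0.113.7] (client.example.org [203.0.113.7])
        by relay.example.org with ESMTPSA id ghi789;
        Thu, 31 Dec 2015 14:39:55 +0000
From: alice@example.org
To: bob@example.com
Subject: constructed sample

body
"""

# "from <host> ... by <host> with <protocol>" as written by most MTAs
HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)\s+with\s+([A-Za-z0-9]+)")
# RFC 3848: the S in ESMTPS / ESMTPSA / UTF8SMTPS means the hop used TLS
TLS_PROTO_RE = re.compile(r"^(?:UTF8)?E?SMTPS", re.I)


def parse_hops(raw_message):
    """Return the relay hops in sender-to-recipient order with a TLS verdict each."""
    msg = message_from_string(raw_message)
    hops = []
    # Each relay prepends its header, so the first one is the last hop; reverse it.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue  # unparseable hop: report nothing rather than guess
        src, dst, proto = m.groups()
        tls = bool(TLS_PROTO_RE.match(proto)) or "TLS" in flat.upper()
        hops.append({"from": src, "by": dst, "with": proto, "tls": tls})
    return hops


def unencrypted_hops(raw_message):
    """(from, by) pairs for hops that show no sign of TLS."""
    return [(h["from"], h["by"]) for h in parse_hops(raw_message) if not h["tls"]]


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE_MESSAGE):
        print(f"{hop['from']:>20} -> {hop['by']:<20} {hop['with']:<8} tls={hop['tls']}")
    print("cleartext hops:", unencrypted_hops(SAMPLE_MESSAGE))
```

Running it on the sample shows the relay.example.org to mx.example.net hop as cleartext, which is exactly the hop neither endpoint controls. Absence of the keyword is not proof of a cleartext hop on every MTA, but a hop that never shows TLS across many messages is worth asking the provider about.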

Harold Mansfield
12-31-2015, 05:22 PM
Most people I deal with have terrible security habits. I used to try and tell people or make suggestions, but it's always the same...they think nothing will ever happen to them because no one would bother "hacking" them. I get tired of talking to the wall.

The other thing is that most people use the word "hacking" to describe EVERYTHING.

vangogh
12-31-2015, 06:47 PM
I have one email that I use for personal communication and then one or two addresses associated with each site I run, including an old domain I only keep around for the email at this point. I use one email when I have a feeling it's going to be sold to a list. I don't use that address for anything else. One reason I never use webmail of any kind is because I have multiple emails. It's easier to pull them all into a client or app.

Brian Altenhofel
12-31-2015, 08:39 PM
The other thing is that most people use the word "hacking" to describe EVERYTHING.

That's one of my biggest pet peeves.

Disabling a screensaver or unlocking a phone to post on someone else's Facebook is not a "hack". Making a process or set of processes used in everyday life more efficient is not a "hack". Accurately comparing rates between service providers for a particular usage scenario is not a "hack".


I use one email when I have a feeling it's going to be sold to a list.

I use email aliases that all go to the same place. It's amazing how fast you can get removed from a lot of lists that obtained your email in the same questionable manner if you notify one of them and that address has a unique identifier in it.
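The alias trick Brian describes works because each address carries a unique identifier, so the address a message arrives on tells you who passed it along. The code below is an added example, not from this thread: it issues one plus-addressed alias per organisation (a readable label plus a random suffix so one alias cannot be used to guess the others) and maps inbound To: headers back to the organisation that was given the address. Mailbox names and organisations are constructed placeholders.

```python
import re
import secrets
from collections import Counter
from email.utils import parseaddr


class AliasBook:
    """One alias per organisation; inbound mail is attributed by the alias it hits.

    Constructed example: the mailbox handed to the constructor is a placeholder.
    """

    def __init__(self, mailbox):
        self.user, self.domain = mailbox.lower().split("@")
        self._issued = {}  # alias (lowercase) -> organisation it was given to

    def issue(self, organisation):
        """Create and remember a fresh alias for an organisation."""
        # Readable label plus a random suffix: a list seller holding one alias
        # cannot derive the aliases issued to other organisations.
        label = re.sub(r"[^a-z0-9]+", "-", organisation.lower()).strip("-")
        alias = f"{self.user}+{label}-{secrets.token_hex(3)}@{self.domain}"
        self._issued[alias] = organisation
        return alias

    def attribute(self, to_header):
        """Organisation originally given the address in a To: header, else None."""
        _, addr = parseaddr(to_header)  # handles "Display Name <addr>" forms
        return self._issued.get(addr.lower())

    def leak_report(self, to_headers):
        """Count unsolicited messages by the organisation whose alias they arrived on."""
        counts = Counter()
        for header in to_headers:
            org = self.attribute(header)
            counts[org if org else "not an issued alias"] += 1
        return dict(counts)


if __name__ == "__main__":
    book = AliasBook("me@example.com")
    acme = book.issue("Acme Newsletter")
    print("issued:", acme)
    # Later: an unrelated sender writes to the Acme alias, so Acme shared it.
    print(book.leak_report([f"Bulk Offers <{acme}>"]))
```

Plus-addressing depends on the mail provider delivering user+tag@domain to user@domain; providers that do not support it need a catch-all domain instead, with the same bookkeeping.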

KristineS
01-04-2016, 01:17 PM
Probably not as well as I should. I have e-mail addresses available from my blogs, I have a personal e-mail address and a gmail address that I tend to give out when I think something is going to be on a list. I could do more, I imagine. I don't use the blog e-mail addresses as much as I should.

Bobjob
01-04-2016, 02:14 PM
Thank y'all for this thread. I'm guilty of using my business email for my personal. Everything I learned about computers (which is practically nothing) I learned on my own. I barely understand how to use my computer and even less about the mystery of how email works. The reason I feel safe about it is because our computer people handle it and I've never had a problem.

However, I did hack a banana peel this morning and ate the banana inside.

billbenson
01-04-2016, 03:15 PM
I use a secure password generator and I usually generate long passwords. 16 characters or so. I keep them in a file on my PC. Lately a Word file, but it could be a txt file. And they are buried in there. I copy and paste passwords. I would think that that is safer because a keystroke virus can't really see that. That is purely speculation. I'm also on Linux so I'm less prone to hacking.

I have a bunch of emails. None are free emails. I don't use real info unless I have to. As most of you probably know, Bill Benson is not my real name. I have other aka emails as well. I don't put accurate dates of birth etc. either. I don't go way off, but the forum doesn't need to know my actual DOB.

Sometimes I use my real info out of necessity. But if I don't need to, I don't.

Also, some of you need to put your real info out there. You are selling yourself; a web designer for example. That's not my case, so I don't.
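Bill's "16 characters or so" from a generator is a good choice, and it is worth seeing why in numbers. The script below is an added example (not Bill's generator, whose implementation the post does not name): it draws each character from the OS CSPRNG via Python's secrets module, computes the entropy of a uniformly random password as length times log2 of the alphabet size, and converts that into worst-case search time at an assumed guess rate. The 10^10 guesses per second figure is an assumption chosen to make offline cracking of a leaked hash concrete, not a measurement.

```python
import math
import secrets
import string

# 94 printable ASCII symbols (letters, digits, punctuation; no space)
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=16, alphabet=FULL_ALPHABET):
    """Each position is an independent uniform draw from the OS CSPRNG."""
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need a positive length and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: log2 of the number of candidates."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate at the given rate (expected time is half this)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare_policies(guesses_per_second=1e10):
    """Entropy and full-keyspace years for a few common password shapes.

    The guess rate is an assumed offline-cracking figure, not a measurement.
    """
    policies = {
        "8 lowercase letters": (8, 26),
        "8 mixed letters+digits": (8, 62),
        "12 full alphabet": (12, 94),
        "16 full alphabet (generated)": (16, 94),
    }
    return {
        name: (round(entropy_bits(n, k), 1), years_to_exhaust(entropy_bits(n, k), guesses_per_second))
        for name, (n, k) in policies.items()
    }


if __name__ == "__main__":
    print("sample:", generate_password())
    for name, (bits, years) in compare_policies().items():
        print(f"{name:<30} {bits:6.1f} bits  {years:12.3g} years")
```

The comparison only holds for passwords that really are uniformly random; a 16-character password a person invents (a word, a date, a keyboard pattern) has far less entropy than 16 * log2(94) bits, which is the case for using a generator in the first place.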

Harold Mansfield
01-25-2016, 06:50 PM
Password managers are all the rage and I really do not get it. Why is keeping the passwords that you use online...ONLINE, seen as some kind of solution? To me it's ridiculous.
Nothing that's out there makes any sense to me nor solves the real issue that the problem with passwords is that we lack the ability to create complex ones and remember them. And to date options for securing them are counter intuitive.

vangogh
01-26-2016, 04:33 PM
Because the password managers are securely encrypted. I'd rather store something in one and let it generate a more secure password than having to use passwords I can remember and are easier to guess and probably the same across many sites. Also a password manager doesn't automatically save things online. You have the option if you want your passwords to work across devices, but if you only need them on a single device, I don't think they ever go online.

I used to wonder why someone would get a password manager and then I bought 1Password. I now consider it one of the best products I've ever bought.

Brian Altenhofel
01-26-2016, 06:47 PM
For a password manager, I use KeePass. I know how the passwords are stored, and I keep the file encrypted. That's a key thing for me - I must *know* how they are stored at rest and I must *know* how they are transmitted. I don't *know* those two things with the cloud password manager providers.
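Vangogh's "securely encrypted" and Brian's "I must know how they are stored at rest" come down to the same design: a random salt, a slow memory-hard key derivation from the master password, separate encryption and authentication keys, and an authentication tag checked before anything is decrypted, so the file on disk (or in a sync folder) reveals nothing without the master password. The code below is an added example, not the code of 1Password, KeePass or any other product. It uses only the Python standard library, so in place of AES-GCM or ChaCha20-Poly1305 (which need a third-party library) it builds an encrypt-then-MAC stream from HMAC-SHA256 in counter mode; that substitution is labelled in the code, and the layout of the sealed blob is this example's own.

```python
import hashlib
import hmac
import json
import os

# scrypt cost: N=2**14, r=8 uses 16 MiB per derivation; raise N for real vaults.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32


def derive_keys(master_password, salt):
    """Stretch the master password into an encryption key and a MAC key."""
    km = hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                        maxmem=2 ** 26, dklen=64)
    return km[:32], km[32:]


def _keystream(key, nonce, length):
    """Stand-in stream cipher: HMAC-SHA256 as a PRF in counter mode.
    A production vault uses AES-GCM or ChaCha20-Poly1305 from a crypto library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(master_password, entries):
    """Encrypt a dict of entries: blob = salt | nonce | tag | ciphertext."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    # Encrypt-then-MAC over everything an attacker could alter on disk.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + tag + ciphertext


def open_vault(master_password, blob):
    """Verify the tag, then decrypt. Wrong password and tampering look the same."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    tag = blob[SALT_LEN + NONCE_LEN:SALT_LEN + NONCE_LEN + TAG_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN + TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("wrong master password or vault file modified")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


if __name__ == "__main__":
    # Constructed entries; nothing here is a real credential.
    blob = seal("correct horse battery", {"bank": "example-only"})
    print("sealed bytes:", len(blob), "plaintext visible:", b"example-only" in blob)
    print("reopened:", open_vault("correct horse battery", blob))
```

What this gives a sceptic like Harold: the sync service, if one is used, only ever holds the blob, and without the master password the cheapest attack on it is guessing through scrypt at one slow derivation per guess. What it does not solve is a compromised endpoint, where the plaintext exists while the vault is unlocked; that is the same exposure as a Word file, just for a much shorter time.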