Password Security Mishap

The dreaded day has finally come.

I got an email from PayPal that my account password was changed. I raced to my computer attempted to login. No luck. I reset my e-mail account & password that was linked to PayPal first. Then after, I reset my PayPal password on my own. I contacted PayPal, we did another reset over the phone, reset security questions, added 2FA (I can’t believe I never added this). Even though they didn’t see any outgoing transactions, they did a device that was not mine that had logged in. They advised I change my credit cards and contact the bank. Did all that.

Now, I am doing something that I should have done years ago…properly utilize Watchtower in 1Password and go down every single account to see which one needs a password change, which needs 2FA, which should be deleted, etc.

I am almost tempted to be safe and just get a new e-mail address (custom domain) and have that linked only to financial accounts. But then I just need to figure out a best practice because, if you use say ‘’ as your main account. If you link those to financials (banks), does PayPal count? Should it be using that custom domain or the general email? Amazon? Social Media? Etc.

Anyone who has experience, I would really appreciate the feedback please.

1 Like

Father, please two factor security is now essential and if available should always be used, even for ‘silly’ sites. I think that is the most important thing. I wouldn’t change emails. For me doing so, it is my name, would be a big loss. Maybe though if I created a domain name it would be doable. Too many know my through my current one, I would lose something important for sure.
Others here are security savvy and even professionals really and I am not so they might give you better advice. Odd that you should be here, I am thinking of leaving the Church, just today I realized I was on the brink, we do have a few religous here though. Surprising number!


For this exact reason, I use one of gmail accounts and signed up Google Advance Program for critical use only, I do not use this email for other purpose

I wouldn’t stress about another email address, although obviously using a Gmail for mission-critical stuff is not preferred. Use the most secure 1Password random password Paypal will allow you, the most secure 1Password random password your email will allow you, turn on 2FA for Paypal and any other financial accounts (note: anything that can do a direct draft for an unlimited amount from your checking account is "a financial account for these purposes!), and call it good.

1 Like

I think it depends how you using your gmail account for. As I said earlier I am using one of gmail accounts and signed up Google Advance Program for critical use only, and nothing else. The Google Advance Program enforcing very stringent security safeguard and does not allow 3rd party email apps (except Apple Mail) to send and received email. This is the same program that Google provides for politicians and other celebrities


There are all sorts of considerations involved too. For example a business without its own domain name and just a .gmail address can look quite amateurish now. In my own opinion even a religious would be better to avoid it for general public use. I suppose you can use it for your own stuff as it were. I have found keepitng track of different emails though quite tiring and tricky. Any problems I have had to date have been straight forward thefts of my credit card details. One time I am quite sure I know the location where it was done.
Thanks for the heads up about that program though and I will certainly look at it and bear it in mind.

I don’t think it’s necessary if you use strong unique passwords everywhere, but if you want to even further increase your security you might consider using 1Password’s & Fastmail’s Masked Email:

I would argue it is. The problem with NOT using strong, unique passwords everywhere is that you then need to remember them. Most people will not remember different passwords for each site, but revert to using the same password in multiple places. This means that a breach in one of these sites may open you up for account take-over in any of the sites with a shared password.

If you are already using a password manager, there is little reason NOT to use it everywhere.

(That said, I am also guilty of being behind on mitigating actions from the security report of LastPass. Theory is so much simpler than real life…)

Multi factor authentication is a very good defence against compromised passwords, but it comes with some pretty big caveats too:

  1. It’s good but it’s not perfect and most definitely has limitations. I makes your password alone much less valuable to an adversary, but it does not protect you from a well crafted and determined phishing-type attack that tricks you into providing the second factor authentication.

  2. SMS based MFA is dangerously insecure.

  3. Before you turn MFA on for a service, be sure that you deeply and completely understand the recovery process for when your second factor becomes unavailable. This is incredibly important. There are few things worse than being locked out of a vital service because (for example) you upgraded your phone, erased the old one, and then realize that you need it to access your bank/email/everything. That is not the time to work out how to recover.


Those people won’t remember different (masked) email addresses for those sites either, I assume?

(So they need to start using a password manager either way)

1 Like

in general (may not be applicable in this case) if own domain name is preferred, Google Advance Program on Google Workspace is available

I own a domain, and use a different Mail-Address for every Service I use, also as a protection against Spam, as I could tell for sure the source where my address was leaked from, if I get Spam.
Those addresses don’t exist as a postbox, but are captured with a *-Function, and redirected to an existing “Collecting”-Postbox.
I also use a unique long password, that contains of a part I use for every website/service, and a part I “produce” out of the name of the Website/Service in a fix way.
So I end up with an individual combination of Mail-Adress and Password, that I could always “remember”.

Wow, this is some serious comittment - glad it’s working for you. I must say, this is probably one of the more extreme “power user” solutions I’ve come across :slight_smile:

I “developed” this for me over the last about 25 years.
First I had actually postboxes for every address, and I used only addresses for certain area, so I had a general “Advertising”-Address and so on. But when the possibilities with the capturing came up, I changed that, and it works very nice for me.
I even could advice occasionally companies about a security breach, if I get Spam with “their” Mail-Address.
And in Germany, there is a fine of (I think) up to 25.000€ for each case where personal data were sold without a permit, and I have unfortunately a couple of cases every year, where I could send the proof of that, towards the authorities. I use a draft for this, where I just have to insert the Spam-Mail, and 2-3 other specific informations.

1 Like

I’ve done similar with GMail…

Of course, an intelligent spammer could strip the +.

True, but it still prevents over 70% of attacks, so worth doing.

It won’t prevent someone who can use social engineering to get a duplicate SIM or convince you to divulge your one time code to a fake phishing site, but does prevent basic automated password attacks and requires more resources.


how do you even keep track of this? I am imagining all the services and accounts.

Yeah, I was actually going to expound on that a bit but then pressed “Reply” and didn’t think it worth going back to edit :slight_smile:

My thoughts are that if you’re someone who may be specifically targetted then SMS MFA can represent a serious decrease in security, especially if it’s used as a part of a password recovery mechanism. Normal, everyday people are probably better served by SMS than not using any MFA but I have to question the rest of the security posture of any organization that still uses it.


I don’t particularly track it, but it’s easy enough to do. Gmail effectively ignores everything after the + so you can make up meaningful email addresses on the fly. There’s no setting up of these addresses.

I use a password manager, so I don’t have to remember the email addresses I’ve assigned. There’s presumably a very minor increase in security too, as the login email is different from site to site. (Occasionally sites won’t allow + in email addresses, even though they’re valid).

If I received unsolicited email addressed to it would be easy enough to know the organisation responsible!