// identity: your digital fingerprint
Your email address is not a username. It’s a fingerprint.
Unlike a password, you can’t rotate it. Unlike a username, it follows you across systems, survives account deletions, and persists in breach databases long after you’ve forgotten you ever signed up. Hand it to enough services and it becomes the thread that ties your entire digital life together, quietly, invisibly, until someone pulls it.
Most people treat email like a mailing address: something you give out freely because that’s just how it works. It isn’t. It’s a persistent, irrevocable identifier that you’re voluntarily handing to strangers, and the only question is how many of them will eventually misuse it.
This isn’t about paranoia. It’s about blast radius.
when it leaks
Data breaches are not exceptional events. They are background noise. Billions of records have been exposed across thousands of breaches: credentials, phone numbers, physical addresses, purchase histories. The question isn’t whether your email address has appeared in a breach. It almost certainly has. The question is what happens next.
If you’ve used a single email address across your digital life, the same one for your bank, your Reddit account, that forum you joined in 2014, your streaming services, your work tools, then a breach at any one of those services hands an adversary something far more valuable than a leaked password. It hands them a starting point.
And starting points are leverage.
the playbook
An adversary doesn’t need to be sophisticated. They don’t need state resources or zero-days. They need your email address, a few free tools, and patience. What follows is mechanical.
Your email goes into Have I Been Pwned. Immediately they know every breach you’re in: which services you’ve used, when, and what data was exposed. Cross-referencing those breaches reveals old passwords, associated usernames, phone numbers, and in some cases physical addresses.
The usernames go into search. You used the same handle on Reddit, a gaming forum, a photography community. Now they have your interests, your writing patterns, your social connections, your location. Things you never thought of as sensitive because you shared them casually, in contexts that felt safe at the time.
The phone number goes into reverse lookup services. The old passwords get tried against your current accounts through credential stuffing: automated, fast, cheap. No 2FA means no speed bump. Even with 2FA, if they’ve already got enough context, SIM swapping becomes an option.
Each confirmed data point opens a new branch. The graph grows. What started as a name in a leaked database becomes a detailed profile: your habits, your relationships, your financial footprint, your physical movements. This is OSINT. It is not exotic. It is a discipline with documented methodology, freely available tooling, and a very low barrier to entry.
You didn’t get hacked. You got correlated.
the real problem
The breach itself is not the failure. Breaches happen. Companies you trusted made poor decisions, cut corners on security, got hit by adversaries better resourced than their defences. You had no control over that.
The failure is centralisation. One email address, used consistently, created a map. Every service you handed it to became a node on that map. An adversary with your email address doesn’t need to compromise you directly. They just need to find the weakest node, pull the thread, and follow it.
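The "map" the playbook and this section describe can be made concrete. The following is an added example, not code from the original post: it takes a handful of constructed breach records (nothing real) for the same person under two habits, one shared address everywhere versus one alias per service, and counts how many services become reachable from a single breached node by following shared identifiers. The service names, addresses and usernames are all made up.

```python
"""Blast radius of one breached node: shared identifier vs unique aliases.

Added example, not part of the original post. The breach records below are
constructed for illustration; the only correlation performed is joining
records that share an identifier, which is the mechanism the post describes.
"""
from collections import defaultdict

# Constructed breach dumps: each row is (service, email, username).
# Two personas with identical habits, except that the second gave every
# service its own alias instead of one address.
SHARED = [
    ("bank",      "alice@example.com", None),
    ("reddit",    "alice@example.com", "alice_k"),
    ("oldforum",  "alice@example.com", "alice_k"),
    ("streaming", "alice@example.com", None),
    ("worktool",  "alice@example.com", "akhan"),
]
ALIASED = [
    ("bank",      "bank.x7q@alias.example",   None),
    ("reddit",    "reddit.m2p@alias.example", "alice_k"),
    ("oldforum",  "forum.k9z@alias.example",  "alice_k"),
    ("streaming", "stream.v4b@alias.example", None),
    ("worktool",  "work.t1r@alias.example",   "akhan"),
]


def build_graph(records):
    """Undirected graph linking each service node to every identifier it leaked.

    Identifiers are emails and usernames; two services become reachable from
    one another exactly when they share at least one identifier.
    """
    adj = defaultdict(set)
    for service, email, username in records:
        node = ("service", service)
        for kind, value in (("email", email), ("username", username)):
            if value is None:
                continue
            ident = (kind, value)
            adj[node].add(ident)
            adj[ident].add(node)
    return adj


def blast_radius(records, breached_service):
    """Services reachable from one breached service via shared identifiers."""
    adj = build_graph(records)
    start = ("service", breached_service)
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(adj[node])
    return sorted(name for kind, name in seen if kind == "service")


if __name__ == "__main__":
    print("shared address :", blast_radius(SHARED, "oldforum"))
    print("unique aliases :", blast_radius(ALIASED, "oldforum"))
```

With the shared address, a breach at the 2014 forum reaches all five services. With unique aliases the email thread is cut, but the reused handle `alice_k` still links the forum to the Reddit account, which is the point the playbook makes about usernames: aliasing the address contains the graph only as far as the other identifiers are also unique.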
This is the case for a different approach. Not disappearing. Not operational perfection. Just denying the starting point, or at minimum, ensuring that when one node burns, the graph stops there.
That’s what this guide is about.
a strategy for identity decentralisation
The goal is not anonymity. It is containment.
Anonymity is a full-time job with diminishing returns for most people. Containment is achievable, sustainable, and directly addresses the threat we just described. If an adversary gets a foothold, a breach, a leaked alias, a compromised account, containment means they get that one node and nothing else. The graph stops. Lateral movement becomes a dead end.
This requires a shift in how you think about identity online. Not as a single persistent self that moves through digital spaces, but as a set of compartments. Each one bounded, each one expendable, none of them connected in ways an adversary can follow.
the crown jewel
Your real email address, the one attached to your primary inbox, the one your closest contacts know, never gets disclosed. Not to services, not to vendors, not to platforms. It exists, it receives, but it is never the identifier you hand out.
This is non-negotiable. Everything else in this strategy depends on it.
If your primary inbox is ever directly associated with an external service, you’ve created exactly the centralisation we’re trying to avoid. One breach at that service, one data sale, one scrape, and your crown jewel is in the wild.
the aliasing layer
Every service, every platform, every vendor gets a unique alias. Not a shared alias, not a category alias. A unique one. One service, one address.
This does two things. First, it makes you invisible at the inbox level. No service ever knows where their mail actually lands. Second, it turns every piece of spam or phishing into a signal. If an alias you created specifically for one service starts receiving unsolicited mail, you know exactly where it came from. You burn the alias, create a new one, and you’ve contained the breach to a single node.
The aliasing layer sits between the world and your inbox. It is the thing that gets exposed so your real address never has to be.
compartmentalisation by risk tier
Not all services carry the same risk, and not all of them require the same level of separation. I think about identity in two tiers.
The first tier is known-identity services: utilities, banks, government, insurance, your phone carrier. These entities know who you are. That’s unavoidable and in most cases legally required. But knowing who you are does not mean they need your real email address. Each of these services gets a manually created alias on a domain I control, acting as the unique identifier for that relationship. If any one of them is breached, the alias burns. Nothing else moves.
The second tier is pseudonymous services: platforms, subscriptions, tools, ad-hoc signups, the receipt at a store, the booking platform you’ll use once, the wall that won’t let you through without an email. These get unique aliases through an independent aliasing provider. I don’t always track these, and if an alias becomes a spam magnet I burn it without affecting anything in tier one.
The architecture below maps this out:
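As an added illustration of the two tiers, the one-service-one-address rule, and the "spam as signal" property from the aliasing section (example code, not the post's own tooling), here is a small registry that mints an alias per service on the tier's domain, attributes any unsolicited mail back to the service that leaked the address, and burns a single alias without touching the rest. It also refuses to run if the aliasing provider is the same entity as the inbox provider. The domain names, provider labels, category list and random-suffix alias scheme are assumptions; a real aliasing provider issues addresses in its own format.

```python
"""Two-tier alias registry: one service, one address; spam becomes attribution.

Added example, not the post's own tooling. Domains, provider labels and the
random-suffix alias scheme are illustrative assumptions.
"""
import secrets
from dataclasses import dataclass, field

# Known-identity categories (tier one); everything else is pseudonymous (tier two).
TIER1 = {"utility", "bank", "government", "insurance", "carrier"}


@dataclass
class Alias:
    service: str
    tier: int
    address: str
    provider: str
    burned: bool = False


@dataclass
class Registry:
    inbox_provider: str     # where mail actually lands; never disclosed
    tier1_domain: str       # a domain you control, for known-identity services
    tier2_domain: str       # the independent aliasing provider's domain
    tier2_provider: str
    aliases: dict = field(default_factory=dict)   # address -> Alias

    def __post_init__(self):
        # The aliasing layer and the inbox layer must not be the same entity.
        if self.tier2_provider == self.inbox_provider:
            raise ValueError("aliasing provider must be independent of the inbox provider")

    def classify(self, category):
        return 1 if category in TIER1 else 2

    def create(self, service, category):
        """Mint a unique alias for a service; the tier decides which domain issues it."""
        service = service.lower()
        if any(a.service == service and not a.burned for a in self.aliases.values()):
            raise ValueError(f"{service} already has a live alias; one service, one address")
        tier = self.classify(category)
        domain = self.tier1_domain if tier == 1 else self.tier2_domain
        provider = "self" if tier == 1 else self.tier2_provider
        # A random suffix keeps aliases unguessable and unlinkable to each other.
        address = f"{service}.{secrets.token_hex(3)}@{domain}"
        self.aliases[address] = Alias(service, tier, address, provider)
        return address

    def attribute(self, rcpt):
        """Which service leaked or sold this address? None if unknown or burned."""
        a = self.aliases.get(rcpt.lower())
        if a is None or a.burned:
            return None
        return a.service

    def burn(self, rcpt):
        """Retire one alias and return the addresses still live; nothing else moves."""
        self.aliases[rcpt.lower()].burned = True
        return [a.address for a in self.aliases.values() if not a.burned]


if __name__ == "__main__":
    reg = Registry("inbox-provider", "own.example", "alias.example", "alias-provider")
    bank = reg.create("bank", "bank")        # tier one, on the domain you control
    shop = reg.create("shop", "retail")      # tier two, on the aliasing provider
    print("unsolicited mail to", shop, "came via:", reg.attribute(shop))
    print("live after burning shop:", reg.burn(shop))
```

The attribution step is the signal the text describes: an inbound message addressed to an alias that only one service ever received tells you which node leaked, and `burn` retires that node alone.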
decentralising across providers
The aliasing layer and the inbox layer must not be owned by the same entity. This is the architectural principle that most people miss, and that some providers are quietly eroding.
If your email provider also controls your aliases, a single provider compromise, policy change, account suspension, or acquisition collapses both layers simultaneously. You lose your inbox and your aliasing infrastructure at the same time. The separation that was supposed to protect you no longer exists.
I use Tuta as my primary inbox and alias domain host for tier one services. I use Addy.io as an independent aliasing layer for everything else. They are separate providers, separate accounts, separate points of failure. One going down or getting compromised does not take the other with it.
The Proton ecosystem is a good example of why this matters. Proton acquired SimpleLogin, one of the most widely used email aliasing services. If you use Proton Mail as your inbox and SimpleLogin as your aliasing layer, you no longer have two independent layers. You have one provider with two interfaces. That’s not decentralisation. That’s the illusion of it.
Choose your inbox provider and your aliasing provider independently. Treat that separation as a hard requirement, not a preference.
the operational layer
None of this is sustainable without two things: a password manager and a second factor on every account that matters.
The alias strategy means you are managing dozens, eventually hundreds, of unique identifiers. Each tied to a unique strong password, each ideally protected by a second factor. No human can hold that in their head. The password manager is not a convenience. It is a structural requirement of this architecture.
The same logic applies to 2FA. An alias protects your identity at the address level. A unique password protects the account at the credential level. A second factor is what stands between an adversary and your account when both of those have somehow failed: breach, phishing, credential stuffing. It is the last line, and it needs to be there.
Together, these are not add-ons to the identity strategy. They are what makes it operational.
what this looks like in practice
When I encounter a new service, any signup, any vendor, any platform, the decision tree is automatic. What tier is this? What domain am I using? I open my aliasing provider, create a unique address, drop it into my password manager alongside a generated password, set up 2FA if the service supports it, and move on. The whole thing takes ninety seconds.
That ninety seconds is the entire cost of the discipline. After the initial setup, it becomes invisible: a reflex, not a task. The protection it provides compounds quietly in the background, breach after breach, without requiring anything further from me.
This is the middle ground between outcome and cost. Not perfect. Not the deepest the rabbit hole goes. But sustainable, and aligned with my actual threat model and daily routine.
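The ninety-second step, written out as an added example (not the post's workflow or any particular password manager's format): it takes an alias already minted by the aliasing provider, generates a uniformly random password with enough entropy that credential stuffing from an old leak gains nothing, and records a time-based second factor. The TOTP function follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits) so the reader can see that the second factor is bound to time and a separate secret, not to the password. The vault record layout and the character set are assumptions.

```python
"""One new service, one vault entry: alias, generated password, second factor.

Added example, not the post's own tooling. The alias is taken as input
(assumed already issued by an aliasing provider); the record layout and the
password alphabet are assumptions. TOTP is RFC 6238, HMAC-SHA1, 30 s, 6 digits.
"""
import base64
import hashlib
import hmac
import math
import secrets
import string
import struct
import time

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"   # 75 symbols


def generate_password(length=24):
    """Uniformly random password from ALPHABET (secrets, not random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def password_entropy_bits(length=24, alphabet=ALPHABET):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(len(alphabet))


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 code for a base32 shared secret at unix time `at` (now if None)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def onboard(service, alias, supports_2fa):
    """Build the record the password manager stores for one new service."""
    entry = {
        "service": service,
        "username": alias,        # the alias is the identifier; the real inbox never appears
        "password": generate_password(),
        "totp_secret": None,
    }
    if supports_2fa:
        # Stands in for the secret the service's enrolment QR code would carry.
        entry["totp_secret"] = base64.b32encode(secrets.token_bytes(20)).decode()
    return entry


if __name__ == "__main__":
    rec = onboard("shop", "shop.a1b2c3@alias.example", supports_2fa=True)
    print(rec["username"], rec["password"], f"{password_entropy_bits():.0f} bits")
    print("current code:", totp(rec["totp_secret"]))
```

A 24-character password over 75 symbols carries about 150 bits of entropy, so a leaked copy of it from one service is useless against any other entry, and the TOTP secret is stored in the same vault entry so the second factor costs nothing extra at login time.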
the discipline, not the destination
This isn’t a setup you complete once and forget. It’s a habit you build until it becomes reflex: ninety seconds at the moment of every new account, a burned alias when something goes wrong, a password manager entry that means you never have to think about that credential again.
It will never be perfect. Aliases get exposed. Services get breached. Providers get acquired. The threat model shifts. What you’re building isn’t an impenetrable wall. It’s a system with a small blast radius. When something breaks, and something will, the damage stays contained. One node burns. Nothing else moves.
Don’t be afraid to tinker. Try a different aliasing provider. Restructure your tiers. Break something and rebuild it. That’s not failure. That’s how the system becomes yours. That’s how ninety seconds of friction becomes muscle memory. That’s how you stop thinking about it as a burden and start experiencing it as fluency.
Because here’s what’s actually happening when you do this work: you’re building the convenience that the surveillance economy would otherwise hand you for free, in exchange for everything. Big Tech’s offer has always been frictionless experience in return for your data, your habits, your attention, your autonomy. This is you deciding that bargain isn’t worth it, and building your own frictionless experience on your own terms.
That’s the bargain. Not zero risk. Controlled risk, at a cost you can actually sustain. And sovereignty you actually own.
The rabbit hole goes deeper. Hardware keys, air-gapped devices, jurisdictional considerations for your providers. Some of that will make sense for your threat model. Some of it won’t. Start here. Build the habit. The rest follows naturally, if and when you need it.