Simple login vs Proton Aliases: Pros and cons

Hi everyone!

I am retdoing my whole security and privacy strategy since i had a social media hack a few weeks ago.

I am setting everything up in a way that i hopefully won’t have to worry about privacy/security for the next 10 years.

I am debating wether to use a simple login alias for every single account i have, or to use a handful of Proton Aliases (there is a max of 15 allowed in the premium account vs unlimited in simplelogin).

They are both good ideas, however:

Concerns of simplelogin:

  • I just realized their databases are not encrypted. So in the event of someone gaining access to their servers, a hacker, their founders, an employee, or even a government, it would be possible to see exactly to which services i am registered, each of my crypto accounts, each of my social accounts, etc one by one.

Pros of SimpleLogin:

  • I can create a different login for every website, so if any website is ever compromised, that credential is completely useless anywhere else.

Concerns of ProtonMail:

  • There is a limit of 15 aliases, so i cannot use a new alias for each account.
  • My main account would be exposed as a target for hacking. As every alias in proton, can be used for log into the main account (though this is unlikely with 2FA). In Simplelogin, an alias can be used for nothing.

Pros of protonmail:

  • Full end to end encryption. Meaning founders, employees, governments, cannot read what is inside the mail account and therefore not know where i am registered. (unlike simplelogin)

A last strategy would be to do a mix: Simplelogin for majority of the accounts, and proton for the important accounts (crypto with KYC for example, and major socials). And for “less important” accounts keep the simple login.

So far i started doing everything with simplelogin, being forwarded to proton. But now i am thinking if wouldn’t be better off by just using proton directly.

Can someone tell me if i am missing any pros/cons to consider here? what would you do and why?

You can make a catchall address, then you can make unlimited aliases.

how do i do that? I will check it

I just checked but that seems to be for custom domains. I am just having a regular @proton account. And also i wonder if i can reply also to catch all addresses as seemingly coming from that catchall address (and not from my main account)

You should really get a personal domain.

Having your own domain allows you to freely switch e-mail provider, without losing all your addresses. Proton also have some issues with their domains getting flagged for spam, and it just over-all look more professional to have a personal domain.

Do you mean protonmail.com being flagged for spam?

A personal domain can be more proffessional, but it is also easier to identify you, am i wrong? i would assume simplelogin is more anonymous

Yes, protonmail.com is not the best domain to use. It’s not unusable, but it’s used for a lot of scams and similar activities, which is why it gets flagged.

You can use both catchall and SimpleLogin with a personal domain.

1 Like

If i would still be using simplelogin, what would be the point of having a personal domain then?

1 Like

As long as you enable 2FA and are not being targeted, being hacked shouldn’t be a that big of a concern. If you want to keep your Proton account really secure then don’t use any Proton aliases or give out your main address.

Their databases are not encrypted because they would be unable to show your data on the dashboard etc…

From their Privacy Policy:

‘The database backups are also encrypted. Most data are not encrypted while they live in our database (since it needs to be ready to send to you when you need it), but we go to great lengths to secure your data at rest.’

Plus on their Security page it also states:

‘Our database uses Postgresql to store and encrypt user data at rest and are backed up everyday. Backups older than 7 days are deleted. The database is only accessible from our mail and servers. Nobody but us has access to our database.’

You could also name your addresses something obscure like ‘Account123’ and have a corresponding entry in your password manager allowing you to know which accounts are which. As long as all your email addresses are random, no one will be able to know what service is linked with that email address purely from SimpleLogin’s database.

IMHO, I would use SimpleLogin for everything - if you really want you can use the method I suggested and name all of your aliases something like ‘Account123’. For Proton, if you want, you should use the aliases for important stuff like Banking, Crypto etc… and as long as you have a strong password, 2FA (A hardware key would be best), and a recovery method, you should be pretty safe from hacking, but, if you want to keep your Proton account secure, use SimpleLogin for everything. SimpleLogin uses Proton’s infrastructure which means, if you were to use a SimpleLogin alias for Banking it would be as reliable as using a Proton alias.

At the end of the day, it is all up to you. You should make sure you have some sort of threat-model or similar plan as privacy can become overwhelming if you don’t have some sort of plan in action; some people will be running from governments, while others just want Big Tech out of their business. As long as you are happy with it, that is all that matters :grinning:

1 Like

You could try https://njal.la! They register the domain for you, so none of your data is leaked to the domain name registration service. You can register through TOR, and they accept crypto, even XMR. I think that’s as private as buying a domain can get :slight_smile: They’re also recommended here: Techlore | Resources