ItsGeekToMe.co

Q: I use a password manager (NordPass) that helps with my sign-ins. It works pretty well. Apparently, I can also create temporary passwords so that my primary is not visible. I haven’t done that yet, but some of the spam I’m getting looks like the emails are similar to those temporary passwords — lots of gobbledygook that doesn’t seem legitimate. I would like to filter the senders into my Trash folder, but if the passwords can be changed at the sender’s whim, it seems as if my filtering would not be very effective. Any clues or advice?

 – Morris F.
Navarre, Florida

A:  Well now, Morris, you have hit on a topic that sits right at the intersection of great security and absolute mass confusion. It sounds like you are mixing up two very different types of cybersecurity “shields.” Let’s untangle this ball of yarn so you can get your inbox under control.

First, we need to clear up a minor misunderstanding about what your password manager is doing. You mentioned creating “temporary passwords so that my primary is not visible.” In the world of password managers like NordPass, you don’t actually have a single “primary” password that you hide from websites. Instead, a password manager is designed to create a completely unique, randomized password for every single website you visit. If you have 50 different accounts, it will create 50 different passwords for you. They look like complete gobbledygook – a random string of letters, numbers, and symbols – but they aren’t temporary. They are permanent until you decide to change them.  Some password managers even have the ability to change them automatically on a regular basis.

The important point to understand here is that a website never changes your password on a whim. The only entity that can change your password is you, or, worst case scenario, a hacker who has breached your account. Now, let’s separate the stuff I said that you’re mixing up.  These passwords are used by you to log into a website.  As such, they have absolutely nothing to do with the emails hitting your inbox. A sender cannot “change your password” to send you spam. What you are seeing in your inbox is a completely different type of threat known as Email Masking.

Many modern privacy tools and password managers offer this feature, also called hidden emails.  Instead of giving a website your real email address (like JohnDoe@gmail.com), the software generates a fake, randomized forwarding address (like x7z9qp2@nordpass.com or a random outlook alias). When the website sends an email to that gobbledygook address, it goes to a server managed by your security provider, which in-turn automatically forwards it to your real inbox. If a website gets hacked or sells your data, the only thing that spammers get hold of is that specific gobbledygook email address. When they send you spam, it bypasses your filters because it was sent to a valid alias that you created. The good news is that this actually gives you more power over your filters, not less. The sender only knows the gobbledygook email they bought on the dark web, so you hold all the cards.

Here is how you handle it:

• Turn off the alias: If you used an email masking tool, open your privacy dashboard and simply delete or deactivate that specific masked address. The spammer will immediately get a “delivery failure” bounce back.  They will remove that address from their sucker list, and you will never see their garbage again.
• Filter by the “To” field: If you cannot delete the alias, do not filter by the spammer’s “From” address. They change their names constantly. Instead, set up an email rule in your provider (like Outlook, Gmail, or Yahoo) that targets the To: field. The rule should say: “If an email is sent To gobbledygook@address.com, send it straight to the Trash.” 
• Check for data breaches: If you haven’t even started using temporary masks yet and you are seeing these emails, your real email address has likely been leaked on the Dark Web. Spammers use automated bots to send emails filled with gibberish text to bypass automated spam filters.

If you want to step up your inbox defense game, go ahead and start using those randomized features in your password manager! Just remember: use random passwords for your logins, and use random email aliases for your subscriptions.

---

To view additional content, comment on articles, or submit a question of your own, visit my website at ItsGeekToMe.co (not .com!)