1. 25

I once lost access to a 15 year old google account and have also been geolocked out while traveling. Although the recovery emails didn’t help then, I still broadened my footprint and especially maintained emails on hosted domains. I see holes in this too, however. Is there anything foolproof?

I (and can’t decide which are worthwhile):

  • have registrar and web hosting (including email) through the same paid provider, and login with said hosted email?
  • have registrar and web hosting (including email) through the same paid provider, and login with an outside email (which you could also lose access to)
  • have registrar and web hosting (including email) through separate services, whose logins share a single email
  • have registrar and web hosting (including email) through separate services, whose logins use different emails

I also use various friends’ as recovery emails, their phone numbers as bank confirmation codes etc. in case I lose access to all of mine. (This has come in handy multiple times while traveling…) Having so many at the same time is tedious to manage and increases threat vectors as more services could be breached etc.

Better yet, how does everyone else handle this?

  1.  

    1. 10

      I feel this pain and wish we could anchor identity in something brick and mortar (government office, bank etc.) locally.

      1. 6

        The closest you can get to this is storing a yubikey or blockplate or slip of paper with some recovery password(s) written down in a safety deposit box.

        1.  

          Yes, I think printing out 1password is unavoidable.

      2.  

        I’ve often wondered why national post offices don’t offer email services. It seems like the obvious solution.

        1.  

          I would buy it and forward all my recovery e-mails there.

          I’m trying to make a list of all the 2FA in my life… and it’s a nightmare.

          The peace of mind of having a brick and mortar bank account is that even if I lose everything, if I go there and prove that I am who I am, I can always access my money. If something happens to me, my kids get it by default. Laws are nice.

        2.  

          Sweden’s Posten did try, in the mid to late 90s, but it’s didn’t go anywhere.

          There’s a service called Kivra (and maybe more) where you can get a “mailbox” for official communications, like from government offices and a lot of companies. The box is authenticated with the electronic ID we have here, and I’m sure there’s delivery gaurantees etc. that SMTP lacks.

        3.  

          France doss I think

    2. 8

      As someone who also hosts his own email, separating registrar and hoster, I’d suggest you use a registrar and web/email hosting through different providers with different emails, plus configure a fallback email/login using a reliable mail provider (Posteo, Proton Mail, Tutanota, …), one where you are not the product.

    3. 5

      For me, as much separation as possible between those services, and as much self-hosted as I can. My current setup:

      • I receive mail at 4 different domains
      • I have 3 different registrars for those domains
      • I host my own mail server for 3 of those domains, and subscribe to a paid mail hosting provider for the 4th
      • 2 of those domains have a website, which I host on VPS that I subscribe to

      This kind of setup requires a bit of time, and especially periodic offsite backup and recovery exercises, but it feels reasonably safe against the threat of a single provider (domain, DNS, mail or website) banning my account for whatever pretext they could invent on the day.

    4.  

      I host my own e-mail server/domain. Domains are registered with a business account at a large registrar, either registered and pre-payed for many years or with auto-renewal on and allocated budget or permission to deduct from my bank-account. Domains are registrar-locked. Server hosting the mailserver is at a large VPS provider I’ve been with for 15 years DNS was self-hosted for a long time, but now at luadns.net Mail-domain is in my country’s ccTLD, which I mostly trust to not f*-this up. Everything has a seperate account/mailbox/password, passwords are kept in a locally hosted password-manager.

      I know one thing… If I die, no-one is ever getting to these accounts and all my stuff will probably die with me. I am planning on offloading some projects to co-owned accounts/organisations.

    5.  

      I’ve wondered about this for other people, and the only thing I’ve come up with as a universal must-do is to not use a free, throwaway email account like Gmail, Hotmail, Outlook, et cetera, as your primary access & recovery method. When those accounts go away - whether by accident or by malicious attack - people come to me and ask what to do. Of course, tons of people say, “that’s never happened to me, so why worry about it?”, but that’s like saying that seatbelts aren’t necessary because they’ve never been in an accident where they’d saved their life. You don’t wait for it to happen.

      I tell people to not trust important things to any supposedly “free” service all the time, but only after problems do they care to listen. Then I have to explain the reality: there is no reasonable way to contact the “free” service and communicate with an actual human, and because of that, they’re likely going to spend hours and hours on the phone with various companies to reset accounts manually.

      So what do I recommend? Keep registrar and hosting separate. Keep email and hosting separate, at least for email accounts used to manage registrar and hosting accounts. Definitely keep registrar and email separate! Use an email address of a reputable service that you actually pay (Proton Mail, for example). If you self host and have friends who also self host, then create reciprocal accounts.

      Or, if nothing else, know the account reset policies of your domain registrar. Some allow you to set a preference for how your account can be reset if you lose access to your email.

      Personally, I use Porkbun for domain registration because they have actual humans with whom I can communicate. I host my own email but use two different domains, one not on Porkbun, for account emails. Between multiple servers for DNS and for email, any single registrar or colocation provider could disappear, and I’d still be fine. Granted, my situation isn’t common, but perhaps others on Lobste.rs are self hosting, too, and should consider what it’d mean to lose access to things.

      Having had a colo company go out of business and my equipment with them go offline with no notice, I’ve thought about things like this often.

    6.  

      I use fastmail with amazon and old iCloud (dot “me”) address. The dot me address has been proven “golden” when I need to share my email via phone. The spelling is very easy to do <username> _at_ me dot com. The registrar is AWS Route53. However, AWS and Apple are SPoF - is it worth spending more time on this though? I don’t use heavily either, part of the reason is to avoid issues.

    7.  

      TLDR: Fastmail, with a separate registrar and a seprate VPS provider. (I use IWantMyName and DigitalOcean). But I don’t know what the implication while travelling looks like.

      My set up is:

      • Registrar: IWantMyName, with domains pointed to DigitalOcean nameservers. I have also heard good things about Porkbun.

      • VPS: DigitalOcean, because I host a site for all my domains, including email. (Most of these domains are all on the same VPS, which is easy to set up with Caddy.)

      • Email: FastMail. I’ve been very happily using Fastmail for over two years now. For their $5/mo plan, I get unlimited [email protected], after some simple set up, for all of my domains. This makes it easy to track when I get spam (e.g. I’ll purchase with an email like [email protected]. I prefer it over Tuta/Proton– the email is not E2EE, which makes things more convenient, and they don’t sell your email data. (You also get CardDAV and CalDAV, a protocol which iOS supports natively, syncing calendars, contacts, and reminders.)

    8.  

      I personally use two different and reputable-trustworthy-non-bigtech e-mail providers (Proton Mail and Mailbox.org), I receive email at 4 different domains and 2 other domains for email aliases. I also keep two different registrars. The emails are distributed between Proton and Mailbox.org, and the recovery account from one email provider/registrar always point to the the account in the other email provider/registrar. I also have 2 other domains used mostly for aliases (Simplelogin), so I can keep track of data leaks / spam control for online shopping.

      It’s a perfect solution: no, but it works fine for my use case and threat model. I also use Nitrokey, with a Yubikey as backup (just add a security layer). The most important thing here: I never trust free email providers and bigtechs, I want to be a real customer, not a product.

    9.  

      I use a custom domain for my email. I view this custom domain as my main liability, I’ve picked a registrar I view as relatively stable and basically exclusively use my GMail account to log into this registrar (as well as passkeys and other 2fa recovery methods). My email is with Migadu currently. Again, low frills, stable, but if I got locked out I could just change where the MX records point and continue getting recovery emails. Emails are backed up locally.

    10.  

      I self host my email, web sites and DNS [1] on a dedicated VM from a small company where I know the owner. I only use the registrar to register my domains. I also do NOT set up auto-pay, nor do I pay for more than a year in a advance—I don’t want to forget to pay nor have an issue with my payment scheme if I were to use autopay. I know when my domains (only a handful) are due to expire and expect email notification when they do. I’ve been doing it this say for over 20 years an no issues so far.

      [1] Basically, the public DNS servers listed for my domains slave off my server, so I can make any changes I want. I have four public DNS servers listed on different networks and domains.