Email aliases — why a different address per service changes your breach exposure

Using the same email address for every account is the email equivalent of password reuse. When a service is breached and your email address is exposed, every other service you signed up for with that address is now associated with a known compromised account. Targeted phishing becomes easier. Cross-service account correlation becomes possible. Your primary email address — the one you use for recovery across many services — is now in attacker hands.

Email aliases solve this at a structural level: each service gets a different address, all forwarding to your real inbox. A breach on one service exposes only that alias, not your primary identity. You can disable the compromised alias; your other accounts are unaffected. This is not a theoretical benefit — it provides a different exposure profile than address reuse, just as unique passwords provide a different exposure profile than password reuse.

Only one password manager in this comparison has native email alias generation: Proton Pass, via its ownership of SimpleLogin. Other managers can be paired with standalone alias services. The integration question is about workflow friction: generating an alias at the point of signup versus using a separate tool.

The assumption 'aliases are only for privacy-conscious users with advanced threat models' undersells the practical utility. The primary benefit — breach compartmentalisation — applies to ordinary users who sign up for services that may be breached. A 2022 analysis of HaveIBeenPwned data found that most email addresses appeared in multiple breach databases. Alias use reduces the propagation of that exposure to other services.

A second assumption is that managing many different aliases creates unmanageable complexity. Alias management is the same as password management: you don't need to remember which alias belongs to which service, because the alias service keeps that record. The cognitive overhead is comparable to having a password manager manage your passwords — it is the tool's job, not yours.

A third assumption is that aliases are permanent and can't be changed. Most alias services allow disabling specific aliases (to stop spam from a compromised service) and creating new ones. The ability to disable an alias when a service starts sending spam is a practical benefit beyond breach compartmentalisation.

Proton Pass integrates SimpleLogin directly into the browser extension autofill flow: when the extension detects a signup form, it offers to generate a new SimpleLogin alias for that service. The alias is created, the email field is filled, and the alias is stored alongside the password in the vault entry. The workflow is: one click at signup creates a unique address permanently associated with that service. The alias forwards to your Proton Mail or any other email address you specify.

For users of other password managers: SimpleLogin (simplelogin.io), addy.io (formerly AnonAddy), and Fastmail's masked email all provide alias generation as standalone services. Bitwarden has integration settings for SimpleLogin and addy.io that surface alias creation from within the browser extension — not as seamless as the Proton Pass native integration, but significantly less friction than using a separate app or browser extension.

The alias service dependency is worth acknowledging: aliases forward to your real inbox via the alias service's infrastructure. If SimpleLogin changes pricing or terms, aliases need to be migrated. Proton's ownership of SimpleLogin reduces this risk; it doesn't eliminate it. Using an alias service provided by a company you already trust for your primary email provider is the most stable configuration.

Email aliases address the email address as a breach propagation vector. They do not address credential stuffing (where the attacker has the password, not just the email), phishing (where the attacker sends to the alias and it forwards), or account takeover via OAuth (where the email address is not the attack vector). Aliases are one layer of a defence-in-depth approach.