Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Welcome to Super Simple Security Principles, where you learn how to think about online security, not just which apps to install.
I'm Nick Jackson, here to learn along with you from my good buddy and master guardian, Makani Mason.
Woo!
This is episode 96, why your email account should be only for email.
(00:30):
I like it.
Why your email account should only be for email.
Sounds so much simpler.
Yeah, I wasn't sure if that's going to be clear what I was talking about, so we'll have to explain that.
But before we even do that, I just want to remind, so we're still talking about helping people pick an email provider.
(00:55):
Last week we did a micro episode, you know, just a little feature one.
This is going to be a macro episode.
This is a little bigger picture consideration about picking your email provider.
Okay.
And so, I mean, do you have any idea what I was trying to convey there?
Because I was not at all confident of that title.
(01:16):
Well, as I read between the lines, we should probably put some thought and effort into what email address we're going to choose or email provider instead of just running to the quickest and easiest.
Yeah, well, that makes good sense, but no, that's not what I'm talking about.
(01:44):
That's okay.
Like I said, well, that's not your failure.
That's mine, right?
That's the whole point.
So, Gmail, when you have a Gmail, there's, so some people talk about a Gmail account.
Some people talk about a Google account.
Yeah.
Right, because when you have a Google account or a Gmail account, like I said, used interchangeably, you have access not just to email, but you have access to photos, to Drive is probably the most used one, to Docs, well, or Docs, where you have like spreadsheets and things, right?
(02:22):
Yeah.
And your Gmail or Google account is access into all those things.
Right.
And so, that's what I'm talking about, like, it's not just an email account, it's also a Photos account, a YouTube account, a Drive account, a Docs account, et cetera, you know, a chat account, all these things.
(02:43):
Yeah.
And the same is true for Microsoft, Apple, Yahoo, it's the gateway to all these services.
And, once again, the focus is mostly going to be on Gmail, primarily because it's not only the most dominant and pervasive, but I have the most experience with it.
(03:07):
Okay.
But here's an interesting note.
You can have a Google account without email, like without a Gmail account.
Okay.
Right.
Like, I have one.
I have, because I need a Google account for a number of things.
I do have a Gmail account as well, but I have a Google account where it does not have email service at all.
(03:33):
You can't send, I mean, you can send email to that because it does have to be an email address, but it's an email address I have through Fastmail.
So, then I was able to set up, just like most places, you can create an account with them with whatever email address you want, right?
Like with Amazon or with Facebook or whatever, same idea.
(03:53):
You can create a Google account, and if you're using your own email, then they just don't provide email service.
Yeah.
Does that make sense?
Yeah, that makes sense.
Mostly, I explain that because hopefully it'll help establish what that difference is that I'm talking about here.
(04:15):
Yeah, yeah.
So, now, but why do we care, right?
Right.
Why do I object to this design?
Because I know a lot of people, they're like, hey, that sounds really convenient.
Let's just, I only have one account to log into, right?
Right.
And I admit there is some convenience to that, but here's the reasons.
(04:40):
And we'll start with the security ones, but there are some non-security reasons that I think are pretty compelling as well, myself.
But, so we've talked a lot of times about email being a master key.
Yeah.
Because it can already, you know, through the password reset mechanism, indirectly unlock most of your other online accounts, right?
(05:04):
Yeah.
But now, you're adding even more directly tied into it, other accounts, the Drive, the Photos, the chat, etc., like we talked about.
Yep.
Okay.
So, that's an additional layer of master keyness to your email account, right?
Yeah.
Then another layer is if you use the login with Google at other places, they'll let you do that, right?
(05:32):
Right.
Yep.
Yeah.
Yeah, absolutely.
Different websites will say, oh, do you have a Google login and you can plug it in?
Yeah.
Instead of creating your own username and password.
Yep.
Okay.
So, that's another layer of bundling it all together for convenience, but it's a terrible idea security-wise, in my opinion.
(05:53):
Yeah.
And then, the worst one is then if you end up using the Google password manager as well, then not only are you tying in all those things or, you know, whatever ones you do there, but now you have passwords, which, I mean, password managers, I do believe in, aren't a very good security model, but only if they're done correctly.
(06:18):
And a browser-based one that's also your email account and everything else is a terrible idea.
Yeah.
So, the best approach, security-wise, hands down, is individual accounts for everything.
Okay.
But, even if, like, you had a group of accounts that were the Drive, the Photos, the chat, the login with Google, all those things, that would be not so bad if it wasn't also tied to email.
(06:51):
Because email is such a weak point.
Its security is so bad and so attacked that it's just, like, you put all those things together and it's just one of the worst security ideas ever, in my opinion.
Yeah, yeah.
Does that make sense?
It makes total sense.
Okay.
Yeah, we've talked about how weak Google is, or not Google, but email is as far as security goes.
(07:19):
Yeah.
Yeah, no, Google does, as far as, I mean, its overall design, I think, is bad in terms, but given that, I think it does a pretty good job comparatively amongst the free email providers.
Microsoft, for example, I have much more issue with on their just straight-out security.
(07:40):
Right.
So, it's just that the core design is still a poor one.
Yeah.
So, here's a whole other layer.
There's all those master key things that we talked about that you're layering in, but here's another kind of different angle that's also horrible from the security perspective.
Because it's tied into all these places, what that means is you end up entering your email password in all sorts of circumstances where if it was just an email account, you wouldn't be doing.
(08:13):
You know, if you're not logged in when you go and access your photos, you might need to enter your email password.
If you're not logged in when you go to see a Google Doc, you might need to enter your email password.
And so, that means the circumstances under which you enter it and the login, like, especially with the login with Google, it might, the logins might look a little bit different.
And what all this boils down to is you're way more, that email account is way more phishable.
(08:41):
Hmm.
Okay.
Does that make sense?
That makes sense.
Yep.
Like, I almost never enter my email password in a browser.
I use apps almost exclusively for accessing my email.
Okay.
And the only time I could ever possibly need to enter my email password is when I'm accessing my email.
(09:05):
Not a million other random things.
And so, it also, so I looked at the statistics for the most imitated websites for phishing.
Yeah.
And the top three listed, Microsoft at 25%.
Oh, geez.
Google at 11% and Apple at 9%.
(09:28):
And all three of those suffer from the same thing.
There's a whole, there are email accounts bundled with a whole bunch of other services.
Right.
Right.
I just think that there's no accident.
That's not, you know, that's not a coincidence.
Yeah.
So, and one of the things that I was reading an interesting entry in the Google security blog,
(09:55):
and I'll just read one sentence from it.
It says, "Attackers are intensifying their phishing and credential theft methods, which drive 37% of successful intrusions."
That's a lot.
Yeah.
That's a lot.
(10:16):
Yep.
And I think it's because you have to log in all the time.
You're always logged in the browser.
Google Chrome is just always bugging you to be logged in these days.
Right.
And there's all these things connected to it that it's just, I just think it is the phisher's dream.
Yeah.
(10:37):
Yeah, it really is.
And so, anyway, that's my security case for it.
The other thing, yeah, anything, any other thoughts at this point?
Not at this point, no.
Okay.
So, I just have one other main point to talk about, and that is, and this kind of comes
(11:02):
from my software development background, but I'm sure it's applicable in a lot of other
areas as well.
But it is so much easier to not have bugs and, in general, to build secure, safe code when
(11:23):
you have simple, when you have it, it's simple.
And when you have this Gmail and it spans all the accounts, it's just not that simple.
It's complex.
Yeah, and complexity is the source of so many bugs.
(11:44):
Yeah.
And not only just for their, like, infrastructure, the Google infrastructure, but it gives the
people, like I said, with phishing, it gives you so many more options for tricking people.
Yeah.
All these different services.
And so, even though Google itself might be pretty good on security, maybe they won't
(12:06):
get hacked, it still makes it easier for people to get to your account.
Right.
Right.
So, and frankly, even though, and this is kind of my takeaway, I don't have a lot to
say about the usability, but at least for me, I think this is one of those things that,
(12:27):
like, it sounds like a good idea on paper.
It's really convenient to have everything tied together.
Right.
It has a ton of unforeseen impacts, not only on security, but for me, usability.
I much prefer, and on the usability front, I guess I'll just say, it's kind of what we've
talked about in previous episodes of, it's just, in a lot of ways, it's a matter of focus.
(12:51):
Um, because the email is more just like a gateway to everything.
And so, their focus on usability is just, let's make it easier to log in and tie everything
together, but not worry about the power of individual, uh, the, the email account itself.
(13:14):
Right.
Right.
That makes sense.
Makes total sense.
Makes total sense.
I'm going to piggyback off you on my thoughts.
Yeah.
And that is, hey, Google, you are so big.
You are so big.
You are a master of one thing, and that is advertising.
(13:36):
That's it.
Right.
If you're so big and you're providing all of these services, step up.
Provide good services.
Be a master at multiple things.
Not just shoving advertisements down our throat.
Like, really put some thought and effort into what you're creating with your email.
(14:02):
You know, protect your end users.
This is something that, to me, is pretty basic.
Like, if I came to Google to get service for an email, and I get really absolutely no protection,
and, you know, I'm out there in the wind, doesn't make me want to continue to use your products.
(14:23):
So, for me, be that master in every area you want to try and succeed in.
So, yeah.
Yeah.
Yeah, well, and I just think that it's not very obvious where they break down.
There's just no comparison because of the dominance and the allure of free these days.
(14:51):
Right.
And, I mean, the fact is, like, they have a lot of good, I mean, their email is solid in a lot of ways.
They do have a lot of good security.
They have, you know, Google Photos works really well in a lot of ways.
Google Docs is one of their best things and very hard to compete, or, I mean, at least all the ones out there.
(15:14):
There's no real great competitor for Google Docs in particular.
And so, that's the thing.
Like, they've done some good things.
But it's just that I think their overall mission is just not as aligned with some of the priorities that could be helpful.
(15:35):
And so, you know, it's a big machine.
So, I mean, I know I'm beating up on Google a lot, but I'm trying to tone it down a little bit just because I know there are some good things.
I just think when it comes to email specifically that it's just not enough of a priority for them.
I just think they should get out of the email game, frankly.
(15:57):
I don't know.
Maybe that's too much.
But I just at least want them to have some serious competition, if nothing else.
Yeah.
Because it's just not their primary focus.
And they do some great things, but they just need to pick, I think.
So, anyway, whatever.
Not like my opinion is going to have them change their approach.
(16:19):
So, but...
Never know.
Yeah.
Well, my greater aspiration is just that we can get enough people to use email services besides Gmail.
Yeah.
Because, you know, we'll talk about this more another day.
But in general, there needs to be competition.
(16:41):
Yeah.
So, anyway.
All right.
That's all I have to rant on for the moment.
Yeah.
I liked it.