Use the “passwords” feature to check if one of yours is compromised. If it shows up, never ever reuse those credentials. They’ll be baked into thousands of botnets etc. and be forevermore part of automated break-in attempts until one randomly succeeds.
I hate how many places don’t allow for + aliases. I want to know who leaked my email.
No + required. There are hundreds of companies offering aliases using their shared domain. You can also just generate a temporary email address if you don’t require any ongoing communication and the account is not super important.
At the same time, it is trivially easy to strip a + alias, so I’d not trust it to do anything much at all.
If you use aliases for all services, it makes it slightly harder to automate trying one leaked email on another site, since the hacker needs to add the new alias on the other service.
No one is going through of all these credentials manually, so any extra obscurity can actually bring you security in a pinch. Although if you have different passwords this shouldn’t matter much…
deleted by creator
+aliases are convenience aliases only. They are often stripped from ID datasets. Better to use a real alias.