In the wake of Matt Honan's disastrous hacking situation, I'm revamping how my fiancée and I utilize our email accounts to recover passwords. I've been trying to finalize the best way to do this, and am coming up against a brick wall. (Maybe I'm over-thinking it, I'm not sure.)
One of the many common understandings that seems to be circling the web now, post Honan-Hack, is that your accounts should not be daisy-chained to one another. For example, your various email and financial accounts (i.e. your most important accounts) should have a different email address associated with them than your not-as-important other accounts. That way, if a hacker gains access to your "regular" email (the one you use to email mom and dad, the fellas, the wife and kids, etc.), they can't use that to gain access to your important accounts.
The specific advice given is that you should have a secret email address, one that:
1. doesn't have your name in it (so it can't be associated with you)
2. no one knows about
3. you do NOT use to send any email correspondence
4. you do not use to sign up for newsletters
That way, any password reset requests for your important accounts that are sent to this address should be safe.
Here's where I encounter trouble, using my bank as the example. My bank only requests one email address for all correspondence. Whether they need to email me my password reset info, or my monthly statement is ready to be viewed online, or they are contacting me about suspicious account activity, etc., all that information goes to the same email address. Doesn't that negate the intended purpose of security? Same for email accounts: if I use this secret email account to reset my passwords for my not-so-secret email accounts, then isn't that also daisy-chaining them together, thus destroying the security I'm trying to preserve?
What do you all do? How do you keep password reset/recovery information secure?
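One way to make the "daisy-chaining" worry concrete is to treat each account's reset address as an edge in a directed graph and compute what a single compromised mailbox reaches. This is an added Python example, not part of the question; the account names are constructed.

```python
from typing import Dict, Optional, Set

# Constructed example of the arrangement described in the question: each account
# maps to the address whose inbox receives its password-reset mail (None means
# no email-based recovery at all, e.g. recovery codes kept offline).
Recovery = Dict[str, Optional[str]]

RECOVERY: Recovery = {
    "secret_mail": None,            # the hidden recovery address
    "main_mail": "secret_mail",     # everyday mailbox resets via the secret one
    "bank": "secret_mail",
    "shopping": "main_mail",
    "newsletters": "main_mail",
}

def takeover_set(seed: str, recovery: Recovery) -> Set[str]:
    """Accounts an attacker who controls `seed` can take over through reset
    emails alone: repeatedly add every account whose recovery address is
    already under attacker control (transitive closure over the graph)."""
    owned = {seed}
    frontier = [seed]
    while frontier:
        addr = frontier.pop()
        for acct, via in recovery.items():
            if via == addr and acct not in owned:
                owned.add(acct)
                frontier.append(acct)
    return owned

def daisy_chained(a: str, b: str, recovery: Recovery) -> bool:
    """True when losing either account hands over the other, i.e. the two
    recovery paths form a loop rather than a one-way dependency."""
    return b in takeover_set(a, recovery) and a in takeover_set(b, recovery)

def single_points_of_failure(recovery: Recovery) -> Set[str]:
    """Addresses whose compromise alone exposes every account in the graph."""
    return {a for a in recovery if takeover_set(a, recovery) == set(recovery)}

if __name__ == "__main__":
    print(sorted(takeover_set("main_mail", RECOVERY)))
    print(daisy_chained("main_mail", "secret_mail", RECOVERY))
    looped = dict(RECOVERY, secret_mail="main_mail")  # close the loop
    print(daisy_chained("main_mail", "secret_mail", looped))
```

With the one-way dependency shown, losing `main_mail` does not reach `bank` or `secret_mail`; pointing `secret_mail`'s own recovery back at `main_mail` is what closes the loop and makes both fall together.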