Do you consider your email address to be private information but use it to register and comment on WordPress powered sites? Many WordPress sites use Gravatar to provide the avatars on comments and user lists and this can be an issue if you do.
It’s fairly easy to crack a large proportion of the Gravatar email address hashes on a site because many email addresses use similar structures (eg email@example.com, firstname.lastname@example.org) and it’s straightforward to enumerate these then test them against the md5 hash used in the image or profile url.
Many times this is ok! If you’ve registered at a conference or on a site with your work email address that’s the same as the one you’re handing out on business cards or is already public and this email address is the primary email address on the Gravatar account — or doesn’t have one — then it probably doesn’t matter if people can crack the hash.
There are few things to keep in mind about Gravatar and the sites which use it:
- the primary email address hash is always publicly available via a request to your profile url, even if you use a different email address on the account:
- your WordPress username and display name are also always public via your profile url
- as is anything you’ve added to your profile like images or your name
- on WordPress sites, even anonymous comments try to pick up the Gravatar and display whatever it finds
- for WordPress sites which use Jetpack, even if Gravatar is disabled in the admin, the Gravatar hash is available for posts and comments via the API
- the more personal data available on the site, the easier many emails will be to crack
So how do you choose an email to use?
If you can, and especially if there is a lot of other personal information about you on the site — eg if you’ve registered for a conference and your name, twitter handle and website are listed with your avatar — then use a work email address you don’t mind people knowing with its own Gravatar account. That way it doesn’t matter if it’s cracked.
Or make a separate Gravatar account with a new email address for online registrations and commenting that can’t be traced back to your usual accounts. Then just forward that email address to wherever you want to manage those emails.
Otherwise, make sure the email address you use is difficult to crack. For email addresses on your own domain, make it long and with something not related to your name like email@example.com. If you have a gmail or GSuite account, use the + feature to add something to your name, eg firstname.lastname@example.org (plus it makes emails easier to filter)
It’s starting to sound like horrible password advice isn’t it? That’s because it kind of is. The general idea is that, like passwords, it’s more difficult to guess email addresses with random stuff in them. I think it’s fine to have one email address you use in general or one for work and one for play; at this point having more or applying proper password advice to them is serious overkill for the majority of people on the majority of sites.
One last caveat is that all of these hashes are crackable via brute force with enough time and computing power. But right now at least, this probably isn’t too much of an issue.