Throw away accounts are accounts created when an account is required but won’t be used again. When throw away accounts are created, they usually don’t contain any personal information. Most of these accounts, if not all, will even have a bogus email address attached so that the users will not receive any spam.

So Why Create Throw Away Accounts?

The concept of the throw away account exists because most websites now require account creation. This is almost always because the company wants to gather personal information about the user, either to spam them or to sell it to third parties.

To work around this, people now create accounts that don’t contain entirely accurate information; usually there’s just enough truth to get the product or resource they want.


Passwords for throw away accounts are weak ones like ‘123456’ or ‘Windows1’. The theory is: why bother creating a strong password for an account that holds relatively no information that can harm the user?

Why Do Throw Away Accounts Matter?

Throw away accounts distort statistics when a vendor is breached. Recently, Adobe was breached and people wondered why users would ever have a password like ‘123456’. Users with passwords like this fall into one of two categories.

Either they don’t know better and fail to understand password security or they simply don’t care. If the website doesn’t NEED an account for truly functional reasons, the user is likely to treat the account like a throw away account.

Improvements should be made to website processes. A product download or a one-time purchase should not require the creation of an account. If we removed the need for people to create throw away accounts, we could stop the statistical skew they introduce when a breach occurs.

This would give us a much better understanding of how many people truly “don’t know better” and could ultimately help drive user education.



Andrew Swoboda

Andrew Swoboda has contributed 6 posts to The State of Security.
