Randomize email or username across sites?
Has there been any discussion about whether it is a good idea to use different username and/or email with each account? Of course each account should have a unique password.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:username
Comments
-
I have personally started using random usernames on sites where I won't have any public presence like a profile page. Some sites like my banks actually allow me to change my username so I have been doing this as well. But, if you're not doing this, I don't think you're necessarily putting yourself at additional risk.
Risk usually comes from databases being compromised. Most databases aren't encrypting or hashing usernames, so these would be readily available in any breach. If it stores a username alongside an email address or other identifying information, it could lead a bad guy to your other web presences.
So, a random username isn't really going to help if the attacker could easily reason about your identity and then try the password on your email, Facebook, etc.
I hope that makes sense. This is definitely an interesting question though! Thanks for bringing it up!
--
Jamie Phelps
Code Wrangler @ AgileBits
Fort Worth, TX0 -
If the username is random however, it makes it harder to automate testing breached data against other sites. E.g. lknasqwasfd@foo.com is released in a breach, but that's useless for attackers to use credential stuffing attacks.
It won't add to the protection you get from a unique password per site, but it adds a couple of nice features: it minimises risk from a shared username being usable in password reset or account lock attacks (because there's no link between my login on site A and site B other than perhaps the email address domain) and it would be very useful in working out where data breaches come from for security researchers like Troy Hunt :)
Personally I'd love to see this feature.
0 -
The reason I do this is primarily so that if I start receiving unwelcome messages I know who to yell at. I've closed three accounts and I will now do my best to avoid a fourth based on their responses after contacting them. Using 1Password for unique passwords is obviously still the first line of defence but like mnem I enjoy that the email address from one account won't help somebody trying to take advantage of that information. As 1Password is equally good at remembering usernames as passwords it's something else that 1Password helps with. When a site has separate username and email address fields I find that's a great use of the custom sections.
I don't foresee 1Password helping with this in a more direct fashion than it already is though. It's not a common occurrence yet and for many may not be practical at all depending on who they use for email and I say this as somebody that could take advantage of such a feature. The primary focus has to be on features the majority of users need or really want. That isn't to say it may not happen as the landscape is always changing but for now this is probably stuck on the "wouldn't it be neat" list. I'm just happy 1Password remembers all of this for me for now :smile:
0 -
That's a reasonable stance - I imagine it is quite a small number of people who are interested in this feature for the moment :)
0 -
Thanks for understanding mnem,
If you ever need anything else, please don't hesitate to write again. We're always here to help.
Best regards,
Matthew0
