They don't mention it, but there's a privacy benefit to generating usernames. Most users are predictable/lazy and will use the same username on every website. However, tools exist for finding accounts across services that have the same username. Generating a unique username and storing it in your password manager would make it easy to evade these tools.
I think an important distinction is that the email address is often private. My HN account and my reddit account may have the same email address, but Reddit and HN would need to coordinate to figure that out. If they both sell user data, or suffer database breaches, get subpoenas, then a third party could link the accounts. For sites that support username search by email address or treat email address as public data, yeah, that's exposed.
For usernames: a series of HTTP GETs can find likely examples of username reuse:
* news.ycombinator.com/user?id=$username
* reddit.com/u/$username
* twitter.com/$username
This is cheap, easy, scalable, has automated tooling, etc. So I worry enough to pick a new username, and let my password manager remember it.
I use a different email address on each site (though usually the same username).
Many services today use emails as their userid, and even often the login username (account display name being separate), so I think it's probably more common for attackers to match passwords with common emails rather than common usernames. But they can & will still do both, so the unique username certainly has some use.
To defend against password stuffing attacks, I use unique passwords per site (saved to password manager, for convenience). Using a unique email address could help, but I wouldn't trust it. Determined attackers could try your stolen password against a large number of accounts to find where it works.
> Distinct emails is just defense in-depth.
> (it also helps a lot with tracing who's sold your data to a spammer)
Not only that: if, when you first sign up with BigCo, you give them your email address as bigco@example.com, then when one eventually stops dealing with BigCo one can be certain that all email addressed to bigco@example.com can be rejected at your email server without a second thought; no need to scan for spam, just reject everything addressed to that alias.
A good friend of mine takes this a step further and does it through DNS (which of course he self-hosts as well as his mail server). He would give his email to BigCo as firstname@bigco.example.com. Once he's done with BigCo then he removes the records for bigco.example.com and there's no way to even look up a relevant mailserver to send email to firstname@bigco.example.com!
It seems like most websites use your email address as the username, which makes this more difficult. You could use + addressing, which makes it unique, but doesn't really make it private... really need hidemyemail or something similar!
Check out Firefox Relay and the corresponding Firefox extension. You can pre-register some-random-string@mozmail.com, which will forward e-mail to your actual address. If you pay for it, you'll have your-own-subdomain.mozmail.com, which acts as a catch-all, and you can use without pre-registering any-address@your-own-subdomain.mozmail.com.
You can reply from all addresses described above. The FF extension makes pre-registration of random addresses a little easier by putting a button on e-mail form fields.
There isn't convenient integration with password managers, that I know of.
You could be de-anonymised. Particularly by correlating your sign-ups using your-own-subdomain.mozmail.com. Or if the service is hacked. There's some argument that makes this service harder to generate spam with, and therefore less likely to be blocked. That's yet to be seen, I suppose.
> There isn't convenient integration with password managers, that I know of.
Fastmail also offers this service, so I think it's becoming a popular enough idea that password managers may start to see value in introducing it. Hopefully...
I have been very happy using fastmail as my email provider and 1password as my password manager. They have an integration which allows you to generate masked emails, which makes what you're describing possible.
The tools I linked rely on usernames that are public. I think most sites that use email addresses as usernames don't make the email address public (think of the spam). Are there example sites I'm forgetting?
That's a valid argument if your threat model only involves other visitors who aren't given access to see email addresses, but it breaks down if you're hiding from the site administrators, an attacker who obtains admin access, and whomever the attacker makes the data available to.
You can still often check to see if someone has an account for a service by just trying to sign in or retrieve a lost password. You often don't need to have the password or access to the email to tell from the response if there's already an account registered for that email address.
If it's a privately used domain, then tools could be modified or built to monitor that (if this approach becomes popular or if an individual becomes targeted, possibly other reasons).
Approaches for randomly generated usernames are probably the best way to go. DDG's @duck.com email service (and similar) is pretty fantastic if you're forced to use an email.
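An added example (my code, not anything posted in the thread) covering both existence checks described above: requesting the public profile URLs for a handle, and comparing a password-reset endpoint's answer for a target address against its answer for an address known to be unregistered. The HTTP layer is a constructed stub so it runs offline; the "No such user" marker for HN and the exact responses of the other sites are assumptions, and the user table and handlers are constructed.

```python
"""Account-existence probes: public profile URLs and a password-reset oracle."""
from urllib.parse import quote

# Profile URL templates named in the thread. The "not found" marker for each
# site is an assumption about its response, not verified behaviour; None means
# "trust the status code".
SITES = {
    "hackernews": ("https://news.ycombinator.com/user?id={u}", "No such user"),
    "reddit":     ("https://www.reddit.com/u/{u}", None),
    "twitter":    ("https://twitter.com/{u}", None),
}


def profile_urls(username):
    """One candidate profile URL per site, with the handle URL-encoded."""
    safe = quote(username, safe="")
    return {site: tpl.format(u=safe) for site, (tpl, _) in SITES.items()}


def probe_profiles(username, fetch):
    """fetch(url) -> (status, body). Returns {site: True | False | None}."""
    out = {}
    for site, url in profile_urls(username).items():
        try:
            status, body = fetch(url)
        except OSError:
            out[site] = None          # network failure: unknown, not "absent"
            continue
        marker = SITES[site][1]
        if status != 200:
            out[site] = False
        elif marker is not None and marker in body:
            out[site] = False         # site serves a 200 "missing user" page
        else:
            out[site] = True
    return out


# --- password-reset oracle --------------------------------------------------
USERS = {"alice@example.com"}          # constructed user table


def reset_leaky(email):
    """Vulnerable: status and text differ depending on whether the account exists."""
    if email in USERS:
        return (200, "Reset link sent.")
    return (404, "No account with that address.")


def reset_uniform(email):
    """Hardened: identical response either way; only the side effect differs."""
    if email in USERS:
        pass                           # send_reset_email(email) would go here
    return (200, "If that address is registered, a reset link has been sent.")


def probe_reset(handler, target, known_absent="nobody-3f9c1@example.com"):
    """True if the endpoint's response tells target apart from a non-user."""
    return handler(target) != handler(known_absent)


def fake_fetch(url):
    """Constructed stand-in for an HTTP GET; 'alice' exists on two sites."""
    if url == "https://news.ycombinator.com/user?id=alice":
        return (200, "<html>user: alice, created 2010</html>")
    if url == "https://news.ycombinator.com/user?id=zz":
        return (200, "No such user.")
    if url == "https://www.reddit.com/u/alice":
        return (200, "<html>u/alice</html>")
    return (404, "")


if __name__ == "__main__":
    print(probe_profiles("alice", fake_fetch))
    print(probe_reset(reset_leaky, "alice@example.com"),
          probe_reset(reset_uniform, "alice@example.com"))
```

The uniform handler removes the status/text oracle only; if sending the reset mail happens inline, response time still differs between registered and unregistered addresses, so queue the send and rate-limit the endpoint as well.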
I generate a unique username for every website I register on, and a unique email too. What I have been doing is using the passphrase generator in Bitwarden as a username generator.
Seems pretty limited to be honest - the usernames aren't going to be unique enough for anything where they have to be globally unique. Unless you include numbers on the end that is, but that's just ugly.
LastPass's username generator is much better: https://www.lastpass.com/username-generator. With "lowercase" only and "Easy to say" turned on, the suggestions are really good. This is my go-to when I need a username, and that's as a Bitwarden user!
I would think the purpose here would be that you would use unique aliases per service to limit your own risk in the event of a site breach. However, the vast majority of websites these days require a username and an email address. In which case, if I've got 50 unique usernames but they're all tied to a single email, how much am I really protecting myself if the email address gets included in the breach?
One thing I do, which no clue how helpful it really is, is use a custom domain for my emails with support for catch-all addresses. When I sign up for a new site, I typically put my email as something like "<site-name>@<my-domain>.com".
If my data were exposed, I guess someone who realized that could try any variation of the site's name to figure out the exact one in my address, but you could always do something more unique than that. Even something like generate a BitWarden password and use it as the user for the domain.
It's less a protection schema and more a canary schema. I use plus-addressing for basically every online account that I create that does not need to be professional in nature. The benefit is that if I start receiving emails from Foo.com sent to myemail+bar@example.com, I know that my bar.com account got compromised and I can do something about it to limit my exposure.
I've found that a lot of websites don't like "+" or even intentionally detect it to reject it or subvert the user's interest.
I think a good system would be a randomly generated handle like nick836742@example.com where my real email probably isn't nick@example.com, but the number is different for each service.
I also use random email aliases for my domain. The random username is because I don't want people to be able to search my username for a service and link me to other accounts online.
One very slight benefit I see is (better) standardization of username generation. If everybody has their own method of generating usernames (eg long string of numbers vs 2 random words), then it's possible to differentiate usernames based on the style. Now that generation is automated via lastpass or bitwarden, there are two standard styles and makes it harder to fingerprint users based on it
I keep wanting to switch to bitwarden from keepassxc, I created an account and installed the apps, but I just can't bring myself to actually upload all my passwords to someone else's computer. Am I just too paranoid?
I'm also using KeePass and I have my own NextCloud instance, and with the Android app + browser add-ons I have an as good experience as with cloud offerings, and maybe even better since I can also use it as an SSH agent to store my SSH keys.
But honestly with all the updates I'm putting off I'm probably actually more at risk, and a good password manager implementation will encrypt all passwords client-side so you're not actually uploading your passwords to anyone's computer.
It is not someone else's computer. It is your encrypted password that gets uploaded. Your passwords are only decrypted locally. Feel free to check their app for that :)
Unfortunately because of the way Bitwarden works you should consider your passwords compromised when Bitwarden itself gets hacked - regardless of vault encryption. Especially if you ever used the web login.
To access your account you need to type your master password, the same password that is used to decrypt your vault. If a competent hacker gains access to the Bitwarden servers they could install a compromised login page that logs master passwords and with that gain access to password vaults.
Sounds far-fetched maybe, but your password security depends completely on the ability of Bitwarden to protect their servers. The encryption is just a minor hurdle once the servers are compromised.
Note that 2FA doesn’t help since it is not used for vault encryption.
If you never use the web frontend that should not be possible (unless the local app/browser extension sends the full password over the wire and not the hash).
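To make the "hash, not password" point concrete, here is an added model of the client-side derivation (my code, not Bitwarden's), written from Bitwarden's published design as I understand it: a PBKDF2-SHA256 master key salted with the e-mail address, and a separate one-iteration PBKDF2 of that key which is the only thing sent as the login credential. Iteration counts are lowered to keep the demo quick and the exact parameters should be treated as assumptions; the vault's random symmetric key and the AES layer are omitted.

```python
"""Master key vs. login hash: what a tampered web login page sees and what the server sees."""
import hashlib
import hmac
import os

CLIENT_ITERATIONS = 100_000   # assumption; real clients use a higher count
SERVER_ITERATIONS = 100_000   # assumption; the server re-hashes the login hash


def master_key(password: str, email: str, iterations: int = CLIENT_ITERATIONS) -> bytes:
    """Key that protects the vault; derived and kept on the client only."""
    salt = email.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, 32)


def login_hash(mkey: bytes, password: str) -> bytes:
    """Credential sent to the server instead of the password (one iteration)."""
    return hashlib.pbkdf2_hmac("sha256", mkey, password.encode(), 1, 32)


class Server:
    """Stores only a further-hashed copy of the login hash; never sees the password."""

    def __init__(self):
        self.db = {}

    def register(self, email: str, client_hash: bytes) -> None:
        salt = os.urandom(16)
        stored = hashlib.pbkdf2_hmac("sha256", client_hash, salt, SERVER_ITERATIONS, 32)
        self.db[email] = (salt, stored)

    def login(self, email: str, client_hash: bytes) -> bool:
        rec = self.db.get(email)
        if rec is None:
            return False
        salt, stored = rec
        cand = hashlib.pbkdf2_hmac("sha256", client_hash, salt, SERVER_ITERATIONS, 32)
        return hmac.compare_digest(stored, cand)


def honest_client(email: str, password: str):
    """Native app / extension flow: derive locally, send only the login hash."""
    mk = master_key(password, email)
    return mk, login_hash(mk, password)


def tampered_web_vault(email: str, password: str) -> bytes:
    """A compromised web login page sees the raw master password as typed,
    so it can derive the vault key itself; this is the failure mode the
    thread describes. (Constructed attacker view, not real Bitwarden code.)"""
    captured = {"email": email, "password": password}
    return master_key(captured["password"], captured["email"])


if __name__ == "__main__":
    srv = Server()
    mk, lh = honest_client("alice@example.com", "correct horse battery")
    srv.register("alice@example.com", lh)
    print("login ok:", srv.login("alice@example.com", lh))
    print("tampered page recovers vault key:",
          tampered_web_vault("alice@example.com", "correct horse battery") == mk)
```

The server's record is a one-way function of the login hash, which is itself a one-way function of the master key, so a database dump yields neither; the web vault is the exception only because the page that computes all of this is served by the same party whose compromise you are worried about.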
I too was too paranoid for that. Digital ocean has a bitwarden instance that you can host yourself[1]. It's still somebody else's computer, but it's your tiny instance, your subdomain, etc. It's like $9/month maybe? But I put my kids on there too. $3/month for a pretty robust, cloud-based password manager with a tiny attack vector is worth the money to me.
And it can run on a Raspberry Pi! The DB can be hosted in SQLite (the default) or Postgres, as opposed to Bitwarden which requires MSSQL, which is not compiled for ARM.
I am not well-versed on self hosting but interested in doing it. If I run Bitwarden on a Raspberry Pi and if the Pi breaks (let's say it completely stops working), will the passwords be unrecoverable?
You can have the best of both worlds. If Bitwarden's datacenters got corrupted/wiped/hacked/ransomware'd you can have a Keepass DB which mirrors all your Bitwarden creds, and stored locally / synced to a few cloud servers.
The caveat being: you have to manually copy over any credentials from Bitwarden to Keepass, which is time consuming but one day maybe worth it.
> you have to manually copy over any credentials from Bitwarden to Keepass
pass-import works pretty well; create an initial empty KeePass KDBX file first and keep a copy to re-use, then one can re-run pass-import to import BW to a fresh KDBX on a recurring basis with a simple script.
That's a neat tool. But I meant when you create a new credential entry, you have to manually mirror it in Keepass each time you add something in Bitwarden. Doing an import just for one entry is overkill.
Personally, I've used it since lastpass made people pay for multi-device access. You can treat it like a git repo that's encrypted at rest. Client implementations are pretty quality in my window of experience (on linux+ff, mac osx+ff, iOS+safari).
The security problem reduces to "how do I securely store a private key that I use every day", which is a well-understood problem with a well-documented set of solutions.
I love Bitwarden. What I do is self-host an instance, available only on my network (so not open to the world). Whenever I’m home and I use Bitwarden on any of my devices they sync automatically. I’ve found this use pattern to be pretty good from a “devices are up to date” perspective. I get all the benefits of “cloud sync” across my devices without worrying about a service breach.
Assuming the vendors are not lying, then the setup for these services is that your master password encrypts all data before it is sent to the server, and the service cannot see your master password or any of your contents.
That said, I use KeePass on Windows and Android, sync my safes once a month/as needed, and call it a day.
I used to think the same thing but had my keepass DB on a dropbox folder, so all my computers had easy access to it. This is the same as how bitwarden works.
This will save me some typing, as I already do the "catch-all" based emails exactly like this!
EDIT: See note below - this is for the Add Login dialog where it detects the domain you're signup for. (My initial tests were in the generic Generator function, which don't have the full functionality.)
> Website Name is limited to the Add/Edit screen on browser and desktop as it requires knowledge of the login's URI, in other locations the username generator will default to Random.
Fastmail + 1Password have quite a similar feature, the difference being that you can control it all from your normal email address (the feature is built into fastmail, using JMAP, so that 1password basically calls out to FM and implements a few API calls to generate a random secret email.)
Worse, I have used services where they changed the email validation code years after setting up my account and then I could no longer log in because my email address had a + in it. So I don't do this anymore.
Sneakemail, which lets you do it with hyphens, works pretty well, though.
I've been using catch-all addresses for a decade (with Google Apps.. rip) and I doubt that will ever get counter-measured. It's been really nice to catch those few cases where a service clearly sold my email to advertiser.
Many services already do not accept email addresses with “+” in them. In those cases it’s usually possible to generate a unique email using extra periods instead: https://frdmtoplay.com/finite-gmail-accounts/
Indeed, you can use other characters as well. I've got the underscore '_' on mine, and use it for all my random-signup emails. It's great, once in a blue moon you find one that leaks your ID or spams you, and I can then immediately bin that variant.
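An added example (my code, not from the thread or the linked post) showing both sides of the dot/plus trick: how many distinct deliverable variants a Gmail local part yields, and how trivially a data broker or breach analyst folds them back to one identity. Addresses are constructed; stripping "+tags" for non-Gmail hosts is an assumption about what an adversary would do, not a provider guarantee.

```python
"""Gmail dot/plus variants: generating them, and canonicalising them back."""
from itertools import product

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical(addr: str) -> str:
    """Normalise an address the way someone linking accounts would."""
    local, _, domain = addr.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]          # drop +tag (assumed for all hosts)
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")      # Gmail ignores dots in the local part
        domain = "gmail.com"
    return f"{local}@{domain}"


def dot_variants(local: str):
    """Yield all 2^(n-1) placements of dots between the characters of local."""
    if not local:
        return
    gaps = len(local) - 1
    for bits in product((False, True), repeat=gaps):
        out = local[0]
        for ch, dot in zip(local[1:], bits):
            out += ("." if dot else "") + ch
        yield out


def link_records(records):
    """Group (site, email) pairs from several breaches by canonical address."""
    groups = {}
    for site, email in records:
        groups.setdefault(canonical(email), []).append(site)
    return groups


if __name__ == "__main__":
    # Constructed breach rows: same person, three spellings.
    rows = [("hn", "john@gmail.com"),
            ("reddit", "j.o.hn+social@gmail.com"),
            ("shop", "JOHN@googlemail.com")]
    print(sorted(dot_variants("john")))
    print(link_records(rows))
```

The variants are useful for filtering and for spotting which signup leaked, which is what the comment above uses them for; they give no privacy against correlation, because the first thing a linker does is `canonical()`.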
I am unclear of the benefits of doing this as opposed to just using the password generator prompt and using it for a username. Seems fairly pointless as a feature to me.
In addition, in the extension I can't use pass-phrase like generated responses for my username but I can for the password?
For one, its built right into the UI so you can generate a name and save it in the bitwarden username field in the same motion.
Also, the password generator isn't configured to work for the use cases here (adding your email or a catchall, using fewer characters, no special characters, etc.). That way you can still sign up for accounts that require email verifications.
Have you done a signup where the email address is used as a username?
Or email address is required? The email address username generation is useful for those cases (assuming you use unique email addresses for each signup.)
I agree, right now I mostly use <servicename>@<mycatchalldomain>.com as usernames, that way I can directly see when something arrives at <servicename>@ that should not. I don't see the benefit of "randomizing" the <servicename> part.
The usual benefit is that it makes it unguessable. If someone knows your mycatchalldomain he can guess valid e-mail addresses. That way you can be reasonably sure that if someone else is sending e-mails to a specific address the address got leaked.
I started thinking of usernames as less secure passwords and therefore randomizing them a few years ago but never thought about the possibility of randomizing the email too. Not only does it help on the spam side of receiving mail but it can help on the login security front since knowing your email address no longer eliminates 33-50% of your login details. It sounds like this is a great enhancement in almost all cases: automated email randomization that is service dependent and also username randomization when you have a site with separate username than your email.
Spammers will guess anyway. And I happily trade the chance that some spammer guesses <servicename>@ for the convenience that I don't have to look up every single (spam-)email that I get. Maybe if a service would do some kind of "translation" I would consider using it (like this apple service or duckduckgo's email).
I do this too but I often have service workers get very confused why their company name is in my email address. In fact I checked into a hotel once and they made me change it since they thought it was a default placeholder address or something.
Random addresses are also somewhat problematic too when they ask me to “confirm my email”. But they just think I have a very strange username.
Yes I had that from time to time, but I just tell the truth and tell them that their email will automatically get sorted in my inbox and that I get everything @domainname. I imagine that's easier than explaining your email is really 7ahe8Rz2@domainname.com
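One way to get the unguessability argued for above without losing the "which service is this?" property argued against it, as an added example (my scheme, not from the thread or any product): derive each alias from a local secret and the service name with HMAC, so an outsider who knows the domain cannot guess `<servicename>@`, while you can still recover the service by recomputing over your own list. Service names, the secret and the domain are constructed.

```python
"""Deterministic per-service aliases for a catch-all domain, keyed by a local secret."""
import base64
import hashlib
import hmac


def derive_alias(secret: bytes, service: str, domain: str, length: int = 12) -> str:
    """alias = base32(HMAC-SHA256(secret, service))[:length] @ domain."""
    name = service.strip().lower().encode()
    tag = hmac.new(secret, name, hashlib.sha256).digest()
    local = base64.b32encode(tag).decode("ascii").lower().rstrip("=")[:length]
    return f"{local}@{domain}"


def identify_alias(secret: bytes, address: str, domain: str, services):
    """Which service was this alias issued to? None if unknown or forged."""
    addr = address.strip().lower()
    for s in services:
        if hmac.compare_digest(derive_alias(secret, s, domain), addr):
            return s
    return None


def triage_inbound(secret: bytes, rcpt: str, domain: str, active, retired) -> str:
    """Decision for a catch-all delivery hook: 'accept' for a live service,
    'retired' for one you have dropped, 'unknown' for anything else
    (a bare guess like bigco@domain lands here)."""
    s = identify_alias(secret, rcpt, domain, list(active) + list(retired))
    if s is None:
        return "unknown"
    return "retired" if s in retired else "accept"


if __name__ == "__main__":
    SECRET = b"constructed-demo-secret-keep-in-password-manager"
    DOMAIN = "example.com"
    active, retired = ["bigco", "hn"], ["oldshop"]
    for s in active + retired:
        print(s, "->", derive_alias(SECRET, s, DOMAIN))
    leaked = derive_alias(SECRET, "oldshop", DOMAIN)
    print(leaked, "came from", identify_alias(SECRET, leaked, DOMAIN, active + retired),
          "->", triage_inbound(SECRET, leaked, DOMAIN, active, retired))
```

The password manager already stores the alias next to the login, so the lookup is rarely needed; it matters when an address shows up in spam and you want to know who leaked it without opening the vault.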
It doesn't seem popular (here at HN, like Fastmail) but the bang for the buck from NameCheap "private email"[0] is pretty solid. I started using them years ago as an alternative to GoDaddy for domain names, and more recently for hosting my email. As little as $1.24/month for a 5GB mailbox with custom domain names / catch-all.
They use something called Jellyfish for spam detection and it's been pretty impressive. A few false negatives but overall catches most of it. And you can use their webmail or any IMAP/POP3/SMTP client.
Have you moved a largish email archive from Gmail to Namecheap? I see they tell you to do it with your client but that seems like it might be unreliable when you have gigabytes of mail to move.
I'm moving some email now using Thunderbird. It's slow and I don't have huge amounts (Gmail tells me 1.39GB). I'm sure it's possible but it might take an hour or so.
A bit slow but I don't think it's unreliable. If it is, that's scary because how would I know :)
Just moved a folder with 1037 emails and it has 1037 on NameCheap now. Seems like it moved them all! (And it didn't take too long. It's moving a bunch of subfolders now.)
Not OP, but thought I'd chip in since I do the same since I left Gmail.
I just use a random cheap domain, registered through Gandi. This includes a couple of 3 GB mailboxes each with unlimited aliases, which is quite adequate if you don't use your email as a file store (much).
I suppose the "right" way would be through something like Fastmail instead, but the simple arrangement above has worked fine thus far.
I also use Gandi somewhat, but beware Gandi doesn't allow catch-all.
It does allow, however, wildcards in aliases, which allow a semi-catchall, since aliases have to have a minimum of two characters besides the asterisk.
I'm not a security expert, but possibly being able to change my username in addition to changing my password due to safety concerns gives an extra layer of security.
Interesting feature, but it looks like this has some rough edges. I saw this option a little while ago today from the browser extension (latest version of Firefox on Windows) when I created a new item and wanted to generate a password for it (I didn't want to generate the username since it was assigned by the service), but it wasn't possible to select either of the radio buttons to choose between username and password and the regenerate button also didn't seem to work. I didn't have time to dig in further, and so I chose to generate a passphrase and use that.
Fastmail can generate random@fastmail.com email addresses that go straight to your mailbox. Really useful for throwaway accounts and low value services. It apparently has an integration with 1password but I can't vouch for it as I haven't used it.
I think this is useful for any service, not just throwaway accounts or "low value" services. It provides another layer of anonymity, and makes credential stuffing impossible as a hacker would have no idea that two auto-generated email addresses belong to the same person.
1password integration is nice, because you don't have to open up Fastmail to generate a new masked email.
I just use catch-all with custom domain, though. That way, I'm not tied to a particular provider, and I can make new "masked emails" on the fly however I want (usually, just using the name of the app/website I'm signing up for). The downside is that you lose the previously mentioned anonymity since a hacker could link your various addresses by domain name. But it's still way better than using the same email address everywhere!
I'll be that guy: don't knock it, it saves a whole pile of junk mail when companies leak (or sell) your details and you can just turn off that address.
Why use Plus Addressed Email?
Plus addressed emails allow you to filter your email for all the junk mail you get when signing up for a new service. Signing up for a service with the username alice+rnok6xsh@bitwarden.com will still send emails to alice@bitwarden.com, but you can easily filter emails that include +rnok6xsh to prevent them from clogging up your inbox.
In this example, just make rnok6xsh your username and let spam filters do their job. Please stop embedding email addresses in usernames. It rubs GDPR and privacy in a bad way.
Does anyone happen to know how pricing works with Bitwarden and a self-hosted Vaultwarden server? Some of the critical features like storing 2fa seeds seem to be locked behind the paywall, but Vaultwarden lists "support" for it and it's unclear whether it's the server software that locks this functionality (and therefore it can be used for free with the Vaultwarden backend) or if it's the client apps.
Vaultwarden is a free, OSS implementation of the Bitwarden server, and has no licensing costs. It's API compatible with the official Bitwarden client, which also has no cost. If the client supports the functionality, and the server supports the functionality, you're in the clear. Bitwarden's documentation on features and licensing is only applicable to their backend products.
Can confirm that the self-hosted version does indeed have 2fa seeds behind a paywall -- that being said though, storing both passwords AND your 2fa seeds in the same app feels like a security antipattern.
Storing my 2FA seeds on Bitwarden (or any other password manager that itself supports 2FA) is still something I have because I need to have a device that's been approved or the security token that 2FA's Bitwarden itself.
Whether it's as secure as using a separate TOTP generation app is slightly beside the point, because it's so much more usable. And I don't need to re-bootstrap access to all my accounts when my phone gets run over by a car.
I know some people are more sensitive to that, but the annoyance of managing 2fa seeds via some other app (that I have previously had difficulties recovering...) outweighs my actual perceived risk. Thanks for confirming
Edit: Based on the other reply to my comment-- are you using the Bitwarden self-hosted solution? I was primarily interested in Vaultwarden, the OSS alternative
https://github.com/topics/username-search
I use different usernames per-site, but I tend to take a couple seconds to think of something (hopefully) clever.