Hacker News new | comments | show | ask | jobs | submit login

Are you suggesting to have a different email address for every online service we use? Today I manage about 100 different unique passwords for every online service. This is already very inconvenient. Adding as well as having different bogus email addresses would be at least 2 times more difficult!

I think something is really broken in today's web authentication scheme. I think there is really huge need for some independent and reliable service (Mozilla's Personas maybe).

While I don't necessarily agree with your parent's post, there's a relatively simple solution here. If you're using gmail, you can use the + operator to automatically tag emails. Here, it serves an alternative purpose.

For example, if my email is daniel@gmail.com, then I would use daniel+hn@gmail.com when signing up for Hacker News.

Skipping over the fact that most email providers don't necessarily support this, and that not all websites/services will allow it (not saying they are right not to), this creates a whole new set of things to remember as even something as simple as +hn (which is surely simple enough that anyone could guess it) could be tougher on other sites, e.g. is Reddit +rd, +re, or...?

To carry this idea further, the +descriptor email trick has backfired on me before. Sometimes sites require an email login and it takes me several tries to even remember what my +descriptor was.

Sometimes, I don't actually remember and just end up going to my inbox to find an email from the site so I can look up what I used.

Another time, this backfired on me when I purchased concert tickets using a +descriptor email and couldn't login. The purchase form and login form had different validation rules, so the purchase form accepted my +descriptor email and charged me for it. The login form rejected my +descriptor email and I was rushing to contact customer service to print my ticket in time.

I do it, and have done it for a pretty long time. In the vast majority of cases, it's (almost) in the form of sitename@myemailaccount.com - which is usually pretty easy to remember.

If someone was directly targeting me, and had my email address from another site, they could probably figure out what I'd used elsewhere. But if it's just a script running through email addresses harvested from site A, then mine will almost always be irrelevant on site B.

The main reason I use it though is that it's a great way to figure out where spam is coming from. Last week for instance I got a "male enhancement" spam from an email address I've only ever given to scan.co.uk. That addres is now on my block list and I doubt I'll be buying through them again.

Nice way to find where spam comes from.

Sadly this is at best a complicated workaround, that will will work for people that are motivated enough to remember for each different service a separate email and password and additionally to this you have to remember as well the credentials to manage your email address and check the emails from different sites.

In my case it would mean having about 100 email addresses.

You actually don't need separate emails for this. You can use (name+tag@provider.com, Gmail supports it and others too I'm sure). Or you can use your own domain (Google Apps makes this really trivial) and have the part before @ be the sitename (that's what OP suggests) and then have catch-all address. You might receive slightly more spam if you turn on catch-all, but I have a setup like this a it works.

I suspect my total is way above 100. But you don't actually need to remember anything really. The @mydomain.com stays static and the email is basically the name of the site.

I use unique and secure passwords for all online services, https://agilebits.com/onepassword makes it really simple.

I don't really see the need for passwords anymore. Mozilla's Personas looks good for the web.

With the rise of mobile apps though, we introduce more usernames and password daily.

Believe there is an easier way to handle user authorisation and here is a post about it. https://gist.github.com/4052818

http://www.keepassx.org/ is a free and open-source password manager. It makes using almost infinite numbers of accounts easy to use. If you use secure passwords they are like not possible to remember anyways.

I moved from PC Applications for Password usage to use passdroid on the phone. Like this I have the passwords always in my pocket.

Thanks to the power of free open-source software there is keepassdroid of course. ;)

I think it's possible to flip the order. Instead of managing 100 passwords for each account, manage 100 emails and ONE password for all accounts. Make sure your password is really strong, and you should be better-off than managing those 100 passwords, which require a secure password manager.

Of course it's better to have a real password manager, but for most people, who don't or can't be bothered setting this up, this would be a huge step forward since they anyway use the same email and the same password everywhere.

And then one of the accounts' password is stored in plaintext and the database is leaked with the mail addresses and everyone can easily log in as you at 100 services.

Never, ever, re-used passwords for anything you value.

Except, as the comment you responded to suggested, you would use a different email for each service.

did you actually read what I was saying on the blog post or the comment??

Most people re-use not only the password, but also their email. This is the worst combination.

If you use an unpredictable, unique email address, and use a secure password. Even if it leaks on one site, the attacker has no easy way to predict what your email address is going to be on any other site without having access to the list of email addresses.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact