They don't mention it, but there's a privacy benefit to generating usernames. Most users are predictable/lazy and will use the same username on every website. However, tools exist for finding accounts across services that have the same username. Generating a unique username and storing it in your password manager would make it easy to evade these tools.
It seems like most websites use your email address as the username, which makes this more difficult. You could use + addressing, which makes it unique, but doesn't really make it private... really need hidemyemail or something similar!
I generate a unique username for every website I register on, and a unique email too. What I have been doing is using the passphrase generator in Bitwarden as a username generator.
Seems pretty limited to be honest - the usernames aren't going to be unique enough for anything where they have to be globally unique. Unless you include numbers on the end that is, but that's just ugly.
LastPass's username generator is much better: https://www.lastpass.com/username-generator. With "lowercase" only and "Easy to say" turned on, the suggestions are really good. This is my go-to when I need a username, and that's as a Bitwarden user!
I would think the purpose here would be that you would use unique aliases per service to limit your own risk in the event of a site breach. However, the vast majority of websites these days require a username and an email address. In which case, if I've got 50 unique usernames but they're all tied to a single email, how much am I really protecting myself if the email address gets included in the breach?
One very slight benefit I see is (better) standardization of username generation. If everybody has their own method of generating usernames (e.g. long string of numbers vs 2 random words), then it's possible to differentiate usernames based on the style. Now that generation is automated via LastPass or Bitwarden, there are two standard styles, which makes it harder to fingerprint users based on it.
I keep wanting to switch to Bitwarden from KeePassXC, I created an account and installed the apps, but I just can't bring myself to actually upload all my passwords to someone else's computer. Am I just too paranoid?
This will save me some typing, as I already do the "catch-all" based emails exactly like this!
EDIT: See note below - this is for the Add Login dialog where it detects the domain you're signing up for. (My initial tests were in the generic Generator function, which doesn't have the full functionality.)
> Website Name is limited to the Add/Edit screen on browser and desktop as it requires knowledge of the login's URI, in other locations the username generator will default to Random.
Fastmail + 1Password have quite a similar feature, the difference being that you can control it all from your normal email address (the feature is built into Fastmail, using JMAP, so that 1Password basically calls out to FM and implements a few API calls to generate a random secret email).
Worse, I have used services where they changed the email validation code years after setting up my account and then I could no longer log in because my email address had a + in it. So I don't do this anymore.
Sneakemail, which lets you do it with hyphens, works pretty well, though.
I am unclear of the benefits of doing this as opposed to just using the password generator prompt and using it for a username. Seems fairly pointless as a feature to me.
In addition, in the extension I can't use pass-phrase like generated responses for my username but I can for the password?
For one, it's built right into the UI so you can generate a name and save it in the Bitwarden username field in the same motion.
Also, the password generator isn't configured to work for the use cases here (adding your email or a catchall, using less characters, no special characters, etc.). That way you can still sign up for accounts that require email verifications.
Have you done a signup where the email address is used as a username?
Or email address is required? The email address username generation is useful for those cases (assuming you use unique email addresses for each signup.)
I agree, right now I mostly use <servicename>@<mycatchalldomain>.com as usernames, that way I can directly see when something arrives at <servicename>@ that should not. I don't see the benefit of "randomizing" the <servicename> part.
I'm not a security expert, but possibly being able to change my username in addition to changing my password due to safety concerns gives an extra layer of security.
Interesting feature, but it looks like this has some rough edges. I saw this option a little while ago today from the browser extension (latest version of Firefox on Windows) when I created a new item and wanted to generate a password for it (I didn't want to generate the username since it was assigned by the service), but it wasn't possible to select either of the radio buttons to choose between username and password and the regenerate button also didn't seem to work. I didn't have time to dig in further, and so I chose to generate a passphrase and use that.
Fastmail can generate [email protected] email addresses that go straight to your mailbox. Really useful for throwaway accounts and low value services. It apparently has an integration with 1Password but I can't vouch for it as I haven't used it.
I think this is useful for any service, not just throwaway accounts or "low value" services. It provides another layer of anonymity, and makes credential stuffing impossible as a hacker would have no idea that two auto-generated email addresses belong to the same person.
1Password integration is nice, because you don't have to open up Fastmail to generate a new masked email.
I just use catch-all with custom domain, though. That way, I'm not tied to a particular provider, and I can make new "masked emails" on the fly however I want (usually, just using the name of the app/website I'm signing up for). The downside is that you lose the previously mentioned anonymity since a hacker could link your various addresses by domain name. But it's still way better than using the same email address everywhere!
I'll be that guy: don't knock it, it saves a whole pile of junk mail when companies leak (or sell) your details and you can just turn off that address.
Why use Plus Addressed Email?
Plus addressed emails allow you to filter your email for all the junk mail you get when signing up for a new service. Signing up for a service with the username [email protected] will still send emails to [email protected], but you can easily filter emails that include +rnok6xsh to prevent them from clogging up your inbox.
In this example, just make rnok6xsh your username and let spam filters do their job. Please stop embedding email addresses in usernames. It rubs GDPR and privacy in a bad way.
8organicbits|3 years ago
https://github.com/topics/username-search
I use different usernames per-site, but I tend to take a couple seconds to think of something (hopefully) clever.
logifail|3 years ago
Do you also use a different email address on each site, or do all the unique usernames ultimately link back to one email?
kurthr|3 years ago
I do wish this was easy and automated.
shaky-carrousel|3 years ago
soheil|3 years ago
mcjiggerlog|3 years ago
AdmiralAsshat|3 years ago
woojoo666|3 years ago
slaymaker1907|3 years ago
fybs|3 years ago
tbassetto|3 years ago
dandare|3 years ago
Large font, clear hierarchy, great use of color and font weight.
zitsarethecure|3 years ago
vaylian|3 years ago
jonaslejon|3 years ago
if name == "boring_wozniak" /* Steve Wozniak is not boring */ { goto begin }
neogodless|3 years ago
calvinmorrison|3 years ago
Very cool, glad to see more people doing so!
lvass|3 years ago
Does anyone know which providers do this?
>e.g. [email protected])
If this pattern becomes popular enough, it won't take long until services strip out the + part entirely.
michaelhoffman|3 years ago
up6w6|3 years ago
[1] https://www.reddit.com/r/Bitwarden/comments/ucd9d2/new_exten...
nannal|3 years ago
purerandomness|3 years ago
2) You typically want your user name to be recognizable by the community you're registering at.
crenwick|3 years ago
neogodless|3 years ago
growt|3 years ago
gpa|3 years ago
AnonHP|3 years ago
ghostly_s|3 years ago
plaguepilled|3 years ago
mihau|3 years ago
pedro2|3 years ago
wcrossbow|3 years ago
dempedempe|3 years ago
solidr53|3 years ago
It won't forward to your inbox though and is only suited for temporary usage.
frou_dh|3 years ago
Answer: Don't worry, they'll tell you about it.
dspillett|3 years ago
account-5|3 years ago
1970-01-01|3 years ago