P@s$w0rdz: Recovery & Usernames

"Hotmail Password Reset" by sharonrosen
is licensed under CC BY-SA 2.0

Recovery: Email & Phone Contacts; Backup Codes

  • Provide accounts with a 'semi-permanent' (non-ISP-dependent)
    email contact address, e.g., icloud.com, gmail.com.
    An ISP address can disappear if you move and/or change ISPs.
  • Optional: provide phone# (voice / text) as a backup contact,
    and perhaps 2nd email. Update mailing address?
  • Facebook Doesn't Need Your Real Phone Number; LH; 1/26/2021
  • Your primary email account, used as contact,
    often as a username for other accounts, is important to protect
    -- it's often used for receiving password resets for those other accounts!
  • Supply a second (backup, semi-permanent) email address
    to receive notifications about unexpected logins or password changes
    to your email accounts, e.g., primary: gmail & alternate: yahoo;
    primary: icloud & alternate: outlook; etc.
  • Otherwise, if you forgot your primary email password, how could you
    access that account, especially any password reset emails?
  • Since this email account is a "backdoor" into many other accounts,
    be sure to access your accounts with encryption, e.g., SSL/TLS,
    set all your devices to lock when not in use, and require a strong password to unlock each device.
  • How to (hopefully) restore your Gmail account if you lose access; Verge; 8/4/2021
  • If a site provides backup/recovery codes, store them in your password manager (PM), e.g., in its Notes field
    -- this is especially important if password reset or MFA is not available.
  • Some services provide legacy & emergency contacts, e.g.,
      • Facebook: Trusted Contact, Legacy Contact
      • Google: inactive account manager
      • 1Password: (family) emergency kit
      • Bitwarden: Emergency Access
  • 'Semi-permanent' email addresses probably won't disappear, even thru corporate mergers,
    e.g., icloud.com, gmail.com, yahoo.com, outlook.com, aol.com, pobox.com
    -- and other mail / forwarding providers (many free)
  • A 'temporary' email address could disappear when you change jobs, finish school,
    or change ISPs (by move, necessity or choice),
    e.g., your-job.com/.gov/.org/.edu; ashlandhome.net, charter.net, spectrum.net, mind.net,
    comcast.net, att.net, ... -- maybe this is less likely for Rogue Valley retirees?
  • After a temporary email account is gone, could you easily access any account later
    that used that old email as a username or contact?
  • Why ISP email services are terrible, and what to use instead
    Apple's iCloud, Google's Gmail, Microsoft's Outlook.com; paid services; ApIn; 5/12/2023
  • Why You Should Sign Into All of Your Accounts Every Now and Then
    inactive accounts -- inaccessible due to invalid email address;
    account deletion -- policies vary: 6 mo. - 2 years; LH; 11/30/2021
  • Be Safer on the Internet: Email
"Password" (translation):
"Let's see what's cooking on Facebook.
What was my password -- the Gmail one?
Which was not the one I put on Twitter?
Maybe if I go to Myspace I'll get it back.
It wouldn't let me in. And Blogger? Waiting.
Has my Flickr account expired?
The horror. The horror. I am scattered in chunks
all over the network. And I can't access myself!"
by LuChOeDu is licensed under CC BY-NC-SA 2.0

Usernames

  • Create a unique username -- if site doesn't require it to be an email address
    or phone number; be sure that PM records it
  • If site requires an email address as username, use an alias if possible [below].
  • If you can't, use stronger passwords, better secret answers, MFA!
  • A unique username is more private
    -- more difficult for marketers or hackers to identify you by collating data fragments;
    a unique email address might suggest who leaked / sold it to spammers and hackers.
  • It's more secure -- if hackers found that (unencrypted) username in a data breach,
    they could access only that site (assuming they'd discovered the password),
    but not other sites (with different usernames).
  • An email address is less desirable as a username since:
      • some sites don't allow you to change it later
        -- problematic if a temporary email was provided initially;
      • an email address is not unique (typically) -- so, it's a little less secure/private:
        possibility of credential stuffing by hackers & cross-site tracking by marketers.
  • If you must provide an email address as a username, preferably use:
  • 1. aliased email address; some email providers support permanent aliases,
    which all route to a primary email address, e.g.,
    jsmithMail@icloud.com, jsmithList@icloud.com, jsmithTemp@icloud.com, ... => jsmith@icloud.com
  • Add and manage email aliases for iCloud Mail on iCloud.com -- up to 3 free aliases
  • 2. several services generate random email addresses linked to your underlying email:
  • Apple: Hide My Email creates unique, random email addresses to use with apps and websites;
    it's built into "Sign in with Apple" (SSO-like service) and iCloud+ (paid plan)
  • Use 1Password to create and manage Masked Emails in Fastmail
    unique email aliases for logins, much like Apple's iCloud+ Hide My Email function
    but integrated w/ 1PW, e.g., when creating new account entries.
  • Currently requires a fastmail.com account ($2.50/mo.);
    1password.com (your account): Integrations > Masked Email > Fastmail: (connect to FM account)
  • Firefox Relay: generate unique email aliases;
    requires Firefox account (free) and use of Firefox browser and Private Relay extension;
    some sites may not accept subdomains in address, e.g., @relay.firefox.com;
    can't reply anonymously using that address; limit on size of forwarded attachments
  • The Best Ways to Hide Your Email Address
    Gmail: add . anywhere, or +label before @;
    Yahoo: create up to 500 aliases w/ text appended;
    Outlook: create up to 10 aliases; Apple: Hide My Email;
    Firefox: Relay; 5 free aliases; Premium plan for unlimited;
    DuckDuckGo: Email Protection; Fastmail + 1Password: Masked Email;
    others: Protonmail, SimpleLogin, Addy.io; Giz; 11/23/2021
  • 3. semi-permanent email address; e.g., gmail.com, icloud.com, etc.; pobox.com forwards to another address;
    in addition some services allow "+" (or other punctuation) for extended addresses,
    which route to main email, e.g., jsmith+facebook@gmail.com, ... => jsmith@gmail.com;
    this may provide some uniqueness, and spam filtering;
    however, some sites might limit punctuation in email usernames, e.g., allow only . and @.
  • 4. temporary (ISP) email address (as last resort),
    e.g., if you switch ISPs later, will you still be able to access that account and/or change its username?
    note: for single-use accounts or email list signup, some temporary email aliases might be ok: Using Disposable Contact Info,
    Disposable Email Addresses: Sign in with Apple, 10 Minute Mail; Guerrilla Mail; Burner Mail; Firefox Private Relay;
    Disposable Cell Numbers: Burner
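
The "+" extended addresses in item 3, and the earlier point that a unique address can suggest who leaked it, can be tried out with a short script. This is an added example, not part of the original page: the helper names and sample addresses are constructed, and it assumes the provider delivers "+tag" addresses to the main mailbox and that gmail.com ignores dots. The `canonical` helper also shows why a tagged address gives only limited privacy: anyone can strip the tag to recover the main address.

```python
# Added example: addresses are constructed; assumes the provider routes
# "+tag" addresses to the main mailbox and that gmail.com ignores dots.
from collections import Counter

DOT_INSENSITIVE = {"gmail.com"}  # assumption: only Gmail ignores dots here

def split_address(addr):
    local, sep, domain = addr.strip().rpartition("@")
    if not (sep and local and domain):
        raise ValueError(f"not an email address: {addr!r}")
    return local, domain.lower()

def make_alias(primary, site):
    """Per-site extended address, e.g. jsmith+facebook@gmail.com."""
    local, domain = split_address(primary)
    tag = "".join(ch for ch in site.lower() if ch.isalnum())
    if not tag:
        raise ValueError("site name yields an empty tag")
    return f"{local}+{tag}@{domain}"

def canonical(addr):
    """Mailbox that an extended address is delivered to."""
    local, domain = split_address(addr)
    local = local.split("+", 1)[0].lower()
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")
    return f"{local}@{domain}"

def leak_source(recipient, primary):
    """Site tag if recipient is a tagged alias of primary, else None."""
    if canonical(recipient) != canonical(primary):
        return None
    tag = split_address(recipient)[0].partition("+")[2]
    return tag.lower() or None

def tally_leaks(recipients, primary):
    """Count unsolicited mail per site tag; untagged mail is skipped."""
    tags = (leak_source(r, primary) for r in recipients)
    return Counter(t for t in tags if t)

if __name__ == "__main__":
    me = "jsmith@gmail.com"
    spam_to = ["jsmith+shopexample@gmail.com", "J.Smith+shopexample@gmail.com",
               "jsmith+facebook@gmail.com", "jsmith@gmail.com"]  # constructed
    print(make_alias(me, "Facebook"))
    print(tally_leaks(spam_to, me))
```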