My email address is literally registered on dozens of websites. I use a different completely random password, generated by a password manager, on every one of those sites. How would I know which website and which password was compromised based on this message?
Here’s a neat trick that works with some providers: you can include a + sign and an extra string of characters and it will still be delivered to the same address. Example:
user083+some-online-shop@provider.net will receive the mail for user083@provider.net. So you can register with a different email address everywhere yet it all goes to the same account. If your account gets leaked or breached you’ll know where it happened thanks to the extra information behind the +.
Yeah I know about that trick. I’ve run into problems using that in the past because the + notation isn’t universally supported, and also some companies sell their customer lists to other companies. I forget the specific details because it happened years ago now, but I found one of my + addresses signed up to a mailing list I didn’t want to be on. The form used to unsubscribe from that list considered the + an invalid character, so I couldn’t unsubscribe. As I recall it took a week or so of emails to various contacts at that company to get me unsubscribed.
Besides, it wouldn’t help at all in this particular case. Look at the screenshot. It’s redacting everything in the email address before the @, so I still wouldn’t know which one they are referring to.
But they hide everything before the @, so how does that help?
You can narrow it down by length. Not perfect, but it’s a start. Unless the *****s are always the same length, like in some password fields. Hard to tell from the message.
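As an added example (not code from anyone in this thread), here is a small Python helper that covers both ideas discussed above: the + subaddressing trick for working out which service a breach notice relates to, and the fallback of narrowing a fully redacted address by the length of its local part. The provider name, the registry of which +tag was handed to which site, and the sample notice are all constructed; it assumes a provider that delivers user083+tag@provider.net to user083@provider.net. Because some sign-up forms reject the +, the registry only records whatever address a site actually accepted.

```python
"""Attribute a breach notice to the service that leaked the address.

Added example, not from the thread. Assumes plus-addressing (subaddressing)
is supported by the mail provider; all addresses and messages are constructed.
"""
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed registry: which +tag was handed to which service at sign-up.
REGISTRY = {
    "user083+some-online-shop@provider.net": "some-online-shop",
    "user083+forum@provider.net": "forum",
    "user083+bank@provider.net": "bank",
}

# local+tag@domain -> groups (local, tag, domain)
SUBADDRESS_RE = re.compile(r"^([^+@]+)\+([^@]+)@(.+)$")


def split_subaddress(addr):
    """Return (base_address, tag) for a plus-address, or (addr, None) if untagged."""
    addr = addr.strip().lower()
    m = SUBADDRESS_RE.match(addr)
    if not m:
        return addr, None
    local, tag, domain = m.groups()
    return f"{local}@{domain}", tag


def attribute_message(raw_message, registry=REGISTRY):
    """Identify which service a notice was sent to, from its recipient headers.

    Looks the recipient address up in the registry first; if the address carries
    a tag that was never registered, the raw tag is returned so it can be investigated.
    Returns None when no recipient carries a tag.
    """
    msg = message_from_string(raw_message)
    header_values = []
    for name in ("To", "Cc", "Delivered-To"):
        header_values.extend(msg.get_all(name, []))
    for _, addr in getaddresses(header_values):
        addr = addr.lower()
        if addr in registry:
            return registry[addr]
        _, tag = split_subaddress(addr)
        if tag:
            return tag
    return None


def narrow_by_length(redacted, known_addresses):
    """Narrow a fully masked address like '*****@provider.net' to candidates.

    Keeps known addresses on the same domain whose local part has the same length
    as the mask. If the notice masks every address with a fixed number of stars,
    length carries no information, so compare several masked addresses first.
    """
    masked_local, _, domain = redacted.partition("@")
    if not masked_local or set(masked_local) != {"*"}:
        raise ValueError("expected a fully masked local part such as *****@domain")
    n = len(masked_local)
    return sorted(
        a for a in known_addresses
        if a.partition("@")[2].lower() == domain.lower()
        and len(a.partition("@")[0]) == n
    )


# Constructed breach notice, sent to the tagged address given to one shop.
SAMPLE_NOTICE = """\
From: security@some-online-shop.example
To: user083+some-online-shop@provider.net
Subject: Important notice about your account

We recently discovered unauthorized access to a customer database ...
"""

if __name__ == "__main__":
    print(attribute_message(SAMPLE_NOTICE))
    print(narrow_by_length("*****@provider.net", ["alice@provider.net", "user083@provider.net"]))
```

The registry is the important part: the tag is only useful if you keep a record of which tag went to which site, and it still tells you nothing when the site silently normalises or rejects the + and stores your bare address instead.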
It’s not a good method, is it? It relies on others not being really stupid.
Oh hey, let’s just make they reacted paid rise same length render tone, since that is really easy.