Email field for disposable email addresses

blubbledy2
blubbledy2
Community Member

Why does the standard 1Password screen not contain a field for email address? Most registrations require it.
Good security practice is to use a unique password for every account; better practice is to use a unique email address.
For example, one can use disposable email addresses
https://en.wikipedia.org/wiki/Disposable_email_address
whether generated by the email provider or self-created using a plus subaddress, e.g. billthecat+randomstring@gmail.com.
A dedicated email field would serve as a subtle reminder, and save me from having to keep entering the label.

Update: Ironically, this discussion-forum software seems not to accept email subaddresses. I registered and waited in vain for a confirmation email, so I had to re-register under a normal email address.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Vee_AG
    Vee_AG
    1Password Alumni

    Hi @blubbledy2,

    Thanks for reaching out to us here in the 1Password support forums!

    Why does the standard 1Password screen not contain a field for email address? Most registrations require it.

    When you create a new Login item from scratch in the main 1Password app, there is a "username" field which is usually where your email address goes, as shown here (with demo data):

    Many websites use your email address as your username, but many others don't, so some of your items may look more like this:

    However... if you allow the 1Password browser extension to automatically save the Login item for you, rather than creating it yourself from scratch in the main app, that information is captured automatically, which I believe will make it easier for you. This new video we've made shows exactly how to do that:

    https://www.youtube.com/watch?v=JQzbn4SCiZg

    You haven't specified a version or platform so I used examples from 1Password 6 for Mac, but let me know if you have platform-specific concerns and those can be addressed as well. I hope this helps! :)

  • blubbledy2
    blubbledy2
    Community Member

    Many websites use your email address as your username, but many others don't

    Yes, like this one that we're posting in. To register here one must enter three things:
    1. User name
    2. Password
    3. Email address

    I suggest dedicated fields for all three. The reason is not mere convenience, but support of best security practices. Please bounce it off the product manager. I understand that there are trade-offs, e.g. you want minimum fields, but you probably have some data on what the most common custom fields are, and, in your line of business, you certainly know best security practices.

    BTW, when I registered here with a subaddress, your system accepted it, but then I did not receive the confirmation email. I'd look into that as well.

  • tonydow
    tonydow
    Community Member

    @blubbledy2 You can use a custom field for adding the email address which gives you username, password and email address.

  • blubbledy2
    blubbledy2
    Community Member

    That is of course what I already do. I think you've got the message, but it sounds like the feature is not often requested. Being the recent victim of identity theft I'm more motivated than most to take extra precautions. Still, it does seem odd that a password manager, whose raison d'être is enabling unique login details, would not also actively support unique DEAs.

  • Vee_AG
    Vee_AG
    1Password Alumni

    Hi @blubbledy2,

    Thank you for clarifying what you meant. I understand much better what you're asking about now.

    It's true, to initially register on this forum (and many other websites), you need to enter an email address as well as a username and a password.

    However, you only need to do that once. After that, to sign in each time you visit, you only need to enter 2 things: your email address or username, and your password.

    It's this second case that 1Password's Login items are designed to help you with, because that's what you need to do more than once. So when you're saving your Login item for a site for the first time, you decide whether you want to enter your actual username (i.e. "blubbledy2") or your email address in the Username field. Once it's saved, you don't have to worry about it again. And you don't need 1Password to remember both because only one is required when you sign in.

    This may not be quite as helpful to you if you use a different email address on each site's registration page, but I thought it worth mentioning that 1Password can fill an email address from an Identity item into the registration form for you, which might save you some typing.

    I have gladly shared your request with the development team for their consideration, but it's quite an uncommon request so I can't promise it will get implemented. Meanwhile, you may just want to paste the email address in the Notes field if creating a custom field label is burdensome. That's what one of my teammates does. And it doesn't make a difference filling-wise because when you sign in, 1Password is only going to fill the username and password.

    The reason is not mere convenience, but support of best security practices.

    We don't necessarily agree that using unique email addresses is best practice. Here are some of our thoughts on the subject.

    you probably have some data on what the most common custom fields are

    Nope! Actually, we collect no information about what our users do with 1Password. It's a privacy thing.

    So I now know that 'email address' is your most common custom field, but only because you told me. And we do appreciate and take to heart everything our users share with us about their use cases. My job is both to convey your request to our developers and to help you get the most out of 1Password in its current state, as well as perhaps explain a bit about why 1Password is the way it is currently. I hope this helps!

    BTW, when I registered here with a subaddress, your system accepted it, but then I did not receive the confirmation email. I'd look into that as well.

    Thanks for reporting this! Sorry if this is a silly question, but did you also check your spam folder in case it got misrouted?

    ref: OPM-2676

  • blubbledy2
    blubbledy2
    Community Member

    The security issue is when an adversary gets access to your email account, he can can use the Forgot Password function of likely sites (e.g. Amazon, Apple) to reset your passwords and hijack your accounts. He can't do this if he doesn't know what email address you used to create the accounts. For most people, the email account provides the keys to the kingdom (as does a password manager), a single point of catastrophic failure.

    Yes, I checked my spam folder, and tried clicking the Resend link. When I created a new account (thus the 2 in this current one) with a normal email address, the confirmation email arrived immediately. Somewhere in the process your forum or email software don't support email subaddresses.

  • AGAlumB
    AGAlumB
    1Password Alumni

    The security issue is when an adversary gets access to your email account, he can can use the Forgot Password function of likely sites (e.g. Amazon, Apple) to reset your passwords and hijack your accounts. He can't do this if he doesn't know what email address you used to create the accounts. For most people, the email account provides the keys to the kingdom (as does a password manager), a single point of catastrophic failure.

    @blubbledy2: You're absolutely right. As you mention, an email account is a high-value target because in many cases it could be used to gain access to other accounts...which is why it's so important to use a unique, randomly generated password. That way no one will be able to guess it, and another compromised account's password won't be able to be used to get into it. And provided you don't give this insane password away, the "keys to the kingdom" are safe. :)

    Yes, I checked my spam folder, and tried clicking the Resend link. When I created a new account (thus the 2 in this current one) with a normal email address, the confirmation email arrived immediately. Somewhere in the process your forum or email software don't support email subaddresses.

    That just isn't true. It's going to be something with your email provider. I just signed up for another account using a "subaddress" to double-check, and I received the confirmation email immediately. If it helps, mine is a Google account, so perhaps it could be specific to the provider you're using.

    To register here one must enter three things:
    1. User name
    2. Password
    3. Email address
    I suggest dedicated fields for all three.

    We're probably not going to add another default field, since the purpose of these is to serve as a template for common logins — though it's something we can certainly consider in the future. However, very few sites use more than username/password, and adding additional fields that are always present and rarely used would be a waste of space and a source of confusion.

    You can use a custom field for adding the email address which gives you username, password and email address.

    While that's a great way to store information in 1Password for occasional access, it's much more useful (and easy) to save a login in the browser. Seriously, just let 1Password do the work! This will not only save the login credentials, but also the actual field IDs and other information about the form, which 1Password can use to fill the login in the future.

    Since they're a user construct, custom sections/fields cannot be filled, as 1Password doesn't know anything about their function. But using 1Password to save the login credentials in the first place will allow you to have both your unique email address saved in the login and for it to be filled by 1Password to login. I hope this helps. Be sure to let us know if you have any other questions! :)

  • blubbledy2
    blubbledy2
    Community Member

    It's going to be something with your email provider.
    I just signed up for another account using a "subaddress" to double-check, and I received the confirmation email immediately.
    If it helps, mine is a Google account

    Arrr. Yes, that was the problem. Google supports subaddresses, Yahoo does not.

    We're probably not going to add another default field, since the purpose of these is to serve as a template for common logins —
    though it's something we can certainly consider in the future. However, very few sites use more than username/password,

    We need to distinguish between logins and registrations. The former have two (setting aside the question of 2FA) key data elements, but the latter adds a third, email address, used in a non-standard login process, e.g. password reset. This is nearly universal.

    OK, you guys know your business, and what customers request. As Vee said, you can't peer into how all your customers are using custom fields, but you probably have some mechanism (surveys, focus groups) for gathering some kind of usage data. You've got my data point.

  • Vee_AG
    Vee_AG
    1Password Alumni
    edited March 2016

    Hi @blubbledy2,

    Arrr. Yes, that was the problem. Google supports subaddresses, Yahoo does not.

    I'm glad you were able to sort that out! That's good to know.

    We need to distinguish between logins and registrations.

    Yes. I attempted to do this in my previous reply, when I said "It's this second case that 1Password's Login items are designed to help you with, because that's what you need to do more than once."

    If I understand your most recent comment correctly, you want 1Password to have a Registration type of item in addition to the Login items? Why? You should only have to register for a site once, so what would be the point of saving that for filling later? There would be no way for 1Password to help you fill the registration form of a site you haven't programmed into it yet, except perhaps, as I also mentioned above, Identity items which can autofill your email address or other personal information.

    Going back to your original request:

    A dedicated email field would serve as a subtle reminder, and save me from having to keep entering the label.

    If you're using a different email address for each site and you're not using that email address as the username, you'll have to add it into the item manually either way. Whether you add it into the Notes field of the item or a custom field, you don't really have to enter the label. It will be obvious that it's an email address.

    I'm just not sure how helpful this change would actually be, either on a large scale or even to you in particular. Then again, it's not my call, and as I mentioned before, I have shared your request with the development team for their consideration. Thanks again for your feedback! :)

    ref: OPM-2676

This discussion has been closed.