Comments on: Using Tagged Email Addresses for Fun and Profit

By: Master of your mailbox: an email alias for every site you leave your address

Master of your mailbox: an email alias for every site you leave your address — Tue, 09 Oct 2007 17:37:30 +0000

[…] I know, it hasn’t ever happened to me (why would anyone do that?) but if you’re careful as Michael Boyd Clark is, you might use a something-cryptographic-of-the-domainname-you-are-at@yourdomain.com instead […]

By: Michael Clark

Michael Clark — Fri, 13 Apr 2007 12:08:07 +0000

Well, the “password” above is actually more of a salt, to make the hash more difficult for an attacker to recreate. You could easily use your name as the salt (what I called the password), and the domain name alone to feed into the script.

By: Seth

Seth — Fri, 13 Apr 2007 09:53:24 +0000

Btw. if you left the time component out, you’d better pick a damn strong password indeed.

Otherwise, any of your generated email-addresses would be very vulnerable to dictionary attacks (given the algorithm is published). Also, guessing that people will reuse their favorite password for different boxes, this implies that i can repeat the generator for different sites and probably get a working combination of email&password without any effot.

Now I know (1). that *you* are smart enough to pickle the script with something undeterministic and preferably unpublished (2) as well as to use unique, strong passwords all the time, but

your visitors will probably just copy the script as is and stick to their not-so-safe favorite password. Worth a warning, i think

By: Tim Fabian

Tim Fabian — Wed, 07 Mar 2007 11:21:57 +0000

how do you implement that because I’m unsure how to, and it would be useful to know how to seeing as when I unsubscribed at one website a few years ago I started getting about 100 spam mails a day in the email account. Admittedly I only use it to sign up for things, but before that it had gotten about 5 spam mails and I had it for about 6 months by then but the sites privacy policy claims that they will never sell or pass on in any way a persons email.

By: Michael Clark

Michael Clark — Wed, 28 Feb 2007 20:41:38 +0000

Whoops! I do echo the date out into the logfile. And it would be trivial to add it into the hash. But then you’re right, you can’t recreate the hash if you forget the date. I’ve fixed my script above. Thanks David, for pointing that out to me.

By: David Leadbeater

David Leadbeater — Wed, 28 Feb 2007 20:03:30 +0000

I’ve implemented the same thing in a bookmarklet, this has the advantage of being one click in my browser (it fills in the currently selected form field on the page). Unfortunately it doesn’t use a decent one-way hash (although I think it should be possible to fit MD5 in there, if a little tricky) – hence I don’t want to share the code 😉

Also I notice your script doesn’t actually make use of the date, is this deliberate? – I don’t use it as this means the address is repeatable per site, I can simply click the same button and not have to remember if I’ve previously used an address on that site.