username: best login security practice?

barmadrid · 11 Jan 2021, 10:30 AM

Hi,

I just signed up to Fastmail and added my domains and aliases. Everything is great already!

I use different alias (under my custom domain) for each online service/account I sign-up for. Example: (walmart@myname.com), (facebook@myname.com), etc.

Currently my username (login) is: myname@fastmail.com and have my custom domain and aliases created under it

Just wondering, if it's best (for security/privacy purposes) to switch the username to something like myname@myname.com instead?

For you all using Fastmail with custom domains, what do you use for username (login)?

Thanks in advance!

NumberSix · 11 Jan 2021, 11:11 AM

Welcome to Fastmail and the forum.

I don't think that changing your login address to use your private domain will necessarily do anything to improve your security, but would be interested to hear from anyone who disagrees.

I have a lot of different addresses that I use (private domains, employer, university, etc and also FM aliases -- probably similarly to most of us here), but I don't use my login username for actual email communications, so I've chosen as my login name (@fastmail.com) a sorta randomish string of letters that's easy to type. I have thought that not having my real name (or anything else that can be traced to me in the real world) as part of my login credentials helps to improve the security of my email (makes it hard for someone to get in by guessing at creds).

As for spinning off individual addresses for each of the web properties you deal with, that's an excellent idea, one of the things I love best about FM and one of the reasons I will likely stay with them forever. I haven't found any other ESP that does this (at least, in-house). I make my individual addresses a little more (pseudo)secure by rot13'ing the left-side strings: thus "walmart" becomes "jnyzneg". It's more convenient if you can memorize the rot13 translation table

The weakness of this scheme, for me, is that I'm using an FM domain alias for all of them rather than a private domain, so that if I wanted to leave FM for another provider, I'm much less mobile. But it's not something that keeps me up at night.

https://en.wikipedia.org/wiki/ROT13

n5bb · 11 Jan 2021, 01:50 PM

Welcome to EMD and also to Fastmail!

I have had a Fastmail account hosting my own personal domain since 2004 (17 years), the same year I joined the EMD forum. Fastmail has grown into a very solid company with a great service in that interval.

I never use my login address for my main Fastmail account for email. Instead I use aliases and subdomain addresses at those aliases, both at Fastmail domains and my own personal domain. In the examples below, let's assume that your Fastmail login address was jcitizen@fastmail.com. I'm sorry that my post is so long and complex, but I wanted to give you an idea of how you can use subdomain addressing so you don't need to create a new alias for every company you interact with.

You can create email aliases at many Fastmail domains. For example, you could use example@sent.com, where "sent.com" is one of the Fastmail-owned domains you can use. You can also create aliases at the domain(s) you own which are hosted at Fastmail.
It's much easier when signing up at businesses or organizations who will send you messages to use subdomain addressing. If you control the alias "example@sent.com", then you can use any number of subdomain addresses such as "alpha@example.sent.com" or "beta@example.sent.com" without explicitly creating an alias for that complete address. You just create the alias "example@sent.com" and anything@example.sent.com is a valid address which will be delivered to your account. The alias name becomes the subdomain after the @, and is separated from the main domain name by a period/full-stop symbol (.).
During delivery at Fastmail, the subdomain address is by default expanded to a plus address before delivery is made. So "alpha@example.sent.com" is changed to "example+alpha@sent.com", which by default causes the message to target your "alpha" folder if it exists, and your Inbox folder if that specific folder does not exist, assuming that the alias table target is your Inbox. You will see in the full headers that the X-Delivered-To header is "alpha@example.sent.com" and the X-Resolved-To header is "jcitizen+alpha@fastmail.com", which causes the message to by default be filed into your "alpha" folder (if it exists).
But you can change this behavior by changing the alias target (in the alias setup page). If the "example" alias target is changed to "jcitizen+*@fastmail.com", the wildcard * causes the X-Resolved-To header to become "jcitizen+example.alpha@fastmail.com", which leads to the message being filed into the "alpha" subfolder of the top-level "example" folder. The full-stop period "." character denotes a subfolder. You can also add more than one alias target so that messages sent to that address are delivered to more than one folder. The alias resolution happens before spam processing.
So let's say that you have accounts at various financial institutions and you want messages from those companies to always be filed into the "bank" folder (and possibly subfolders of bank for specific companies). You could create the alias "bank" at your personal domain, and use as the target for that alias "jcitizen+*@fastmail.com" on the alias setup page. Here is how messages would be filed from various companies:
- Messages sent to "bank@yourdomain.com" would be filed into the "bank" folder.
- Messages sent to "alpha@bank.yourdomain.com" would be filed into the "alpha" subfolder of the "bank" folder if that subfolder exists. Otherwise they would be filed into the "bank" folder if the subfolder does not exist.
- You could set up several companies in this fashion. You don't have to create a new alias for each one -- only the one alias "bank" is needed. If the proper subfolder does not exist, the message will be filed in the main "bank" folder.
- Capitalization is ignored in email addresses and folder names during automatic email delivery processing.
See the Fastmail help page about subdomain addressing at: https://www.fastmail.com/help/receive/addressing.html
When I say that the emails will be automatically filed into the folder as described, this really means that at the first processing stage (before your rules are executed, the X-Resolved-To header is used to target a specific delivery folder rather than the default Inbox. The rules are then executed, and rules can over-ride the target folder described above.
Even if you don't want to create a specific subfolder for each company, using subdomain addressing still makes things much easier for you. The subdomain (alias) name can be something which would be unlikely to be guessed by a spammer, and you can add the company name before the @ when you sign up (anything@bank.yourdomain.com) and won't need to create a new alias. You just create one alias for the subdomain (such as "bank" in my example).
If there is a security breach, you can discover this because you only gave that specific subdomain address (alpha@bank.yourdomain.com) to that one company. If the address is used by anyone else, it means that the company has sold their address list to another company or a spammer/scammer has stolen it.

Bill

ChinaLamb · 11 Jan 2021, 11:43 PM

My experience is that Fastmail.com logins tend to get a LOT of phishing emails -- at least they did at one point.

Choosing an alternate Fastmail domain is a very strong recommendation.

/cl

somdcomputerguy · 12 Jan 2021, 12:29 AM

Quote:

Originally Posted by ChinaLamb

My experience is that Fastmail.com logins tend to get a LOT of phishing emails -- at least they did at one point.

Choosing an alternate Fastmail domain is a very strong recommendation.

/cl

Fastmail (and some other but not enough other services..) make it easy to change that login userID if need be.

Goto Admin | Users & Aliases to do so.

- Bruce

barmadrid · 12 Jan 2021, 02:54 AM

Thanks Bill for your answer. Learned a lot. Appreciated!

Quote:

Originally Posted by n5bb

you can use subdomain addressing so you don't need to create a new alias for every company you interact with.

Is there any privacy/security advantage of using subdomians for email sign-ups compared to just company1@mydomain.com?

Just want to confirm so I can change my email at such companies from direct alias at domain to subdomain!

n5bb · 12 Jan 2021, 03:38 AM

Quote:

Originally Posted by barmadrid

l...Is there any privacy/security advantage of using subdomians for email sign-ups compared to just company1@mydomain.com?...

I don't think there are any significant privacy or security issues related to using an alias as opposed to a subdomain at an alias.

If you are using the address for a service which you might want to block in the future or which you think might sell your address to spammers, there is an advantage to using a specific alias at your domain. This is because you can easily disable that alias at the Fastmail alias screen. If you experience a lot of spam to random aliases at your domain, you might want to not use the wildcard * alias (which allows delivery of any alias to your account, even if it's not enabled with a specific alias).

But for general use with businesses and web services, I think it's much easier to use subdomain aliases at one or more aliases at the domain. You can add them easily on the fly without needing to add the alias at the Fastmail setup screen. If you start to get spam at that subdomain address and want to disable it, you can always use a rule.

The Fastmail spam filter is pretty good. Read about Your personal spam database at:
https://www.fastmail.com/help/receiv....html#settings
This is a Bayes filter which you can train. It only starts acting on new messages after you have reported at least 200 messages as spam and 200 as non-spam. You can set up folders (or labels) which automatically mark messages as non-spam to make this easier. You can also block specific sender addresses or domains in the Settings>Filters & Rules screen at the top.

Bill

barmadrid · 12 Jan 2021, 04:16 AM

Excellent! Thanks Bill and everyone else

ChinaLamb · 12 Jan 2021, 04:23 AM

Only question I would have, is if that username could encounter problems if you lose rights to the domain...

That is, can you still log into fastmail, and get support, if you lose the domain somehow, or if the domain isn't working?

I've preferred keeping a WHOLLY separate login to Fastmail, so that no one, who has my email address, knows what email I use (unless they get an email from me and check the headers)...

/cl

SideshowBob · 12 Jan 2021, 05:42 AM

Quote:

Originally Posted by barmadrid

myname@myname.com

Personally I wouldn't use any kind of address where the LHS is easily guessable from the domain name.

ChinaLamb · 12 Jan 2021, 07:22 AM

Quote:

Originally Posted by SideshowBob

Personally I wouldn't use any kind of address where the LHS is easily guessable from the domain name.

I've made several attempts to figure out what LHS is, even a few google searches... I'm assuming you are not referring to LaVergne High School, or a Chrystler LHS... Other than that, I'm stumped.

/cl

xyzzy · 12 Jan 2021, 07:54 AM

Quote:

Originally Posted by ChinaLamb

I've made several attempts to figure out what LHS is, even a few google searches... I'm assuming you are not referring to LaVergne High School, or a Chrystler LHS... Other than that, I'm stumped./cl

I parsed that as "left hand side" as in the left hand side of the an email address "@", i.e., the "local part" of an email address.

Terry · 12 Jan 2021, 11:55 AM

OP you can change your login name in your account section if you are not happy with it...

Coilavana · 31 Aug 2021, 11:37 PM

I can't entirely agree that there are no significant privacy or security issues related to using an alias instead of a subdomain at an alias. On all the platforms, sites, etc., which you use, you should be very secure about how do you use your information. I had some problems with one website, and they have stolen my personal information. Many unknown people called me, and they were trying to get into my emails and many other things. That's why you do the correct thing to be interested in security. On a site is a lot of helpful information that will help you now and in the future.

_______________________________
the link: https://jealouscomputers.com/cyber-s...tect-yourself/

**ReuvenNY** · 1 Sep 2021, 03:33 AM

Coilavana, if you thinking of spamming - DON'T. The first offense is a reason for being banned from this forum.

11 Jan 2021, 10:30 AM	#1
barmadrid Junior Member Join Date: Jan 2021 Posts: 6	username: best login security practice? Hi, I just signed up to Fastmail and added my domains and aliases. Everything is great already! I use different alias (under my custom domain) for each online service/account I sign-up for. Example: (walmart@myname.com), (facebook@myname.com), etc. Currently my username (login) is: myname@fastmail.com and have my custom domain and aliases created under it Just wondering, if it's best (for security/privacy purposes) to switch the username to something like myname@myname.com instead? For you all using Fastmail with custom domains, what do you use for username (login)? Thanks in advance!

11 Jan 2021, 01:50 PM	#3
n5bb Intergalactic Postmaster Join Date: May 2004 Location: Irving, Texas Posts: 8,926	Using subdomain addressing to simplify the use of many unique addresses Welcome to EMD and also to Fastmail! I have had a Fastmail account hosting my own personal domain since 2004 (17 years), the same year I joined the EMD forum. Fastmail has grown into a very solid company with a great service in that interval. I never use my login address for my main Fastmail account for email. Instead I use aliases and subdomain addresses at those aliases, both at Fastmail domains and my own personal domain. In the examples below, let's assume that your Fastmail login address was jcitizen@fastmail.com. I'm sorry that my post is so long and complex, but I wanted to give you an idea of how you can use subdomain addressing so you don't need to create a new alias for every company you interact with. You can create email aliases at many Fastmail domains. For example, you could use example@sent.com, where "sent.com" is one of the Fastmail-owned domains you can use. You can also create aliases at the domain(s) you own which are hosted at Fastmail. It's much easier when signing up at businesses or organizations who will send you messages to use subdomain addressing. If you control the alias "example@sent.com", then you can use any number of subdomain addresses such as "alpha@example.sent.com" or "beta@example.sent.com" without explicitly creating an alias for that complete address. You just create the alias "example@sent.com" and anything@example.sent.com is a valid address which will be delivered to your account. The alias name becomes the subdomain after the @, and is separated from the main domain name by a period/full-stop symbol (.). During delivery at Fastmail, the subdomain address is by default expanded to a plus address before delivery is made. So "alpha@example.sent.com" is changed to "example+alpha@sent.com", which by default causes the message to target your "alpha" folder if it exists, and your Inbox folder if that specific folder does not exist, assuming that the alias table target is your Inbox. You will see in the full headers that the X-Delivered-To header is "alpha@example.sent.com" and the X-Resolved-To header is "jcitizen+alpha@fastmail.com", which causes the message to by default be filed into your "alpha" folder (if it exists). But you can change this behavior by changing the alias target (in the alias setup page). If the "example" alias target is changed to "jcitizen+@fastmail.com", the wildcard causes the X-Resolved-To header to become "jcitizen+example.alpha@fastmail.com", which leads to the message being filed into the "alpha" subfolder of the top-level "example" folder. The full-stop period "." character denotes a subfolder. You can also add more than one alias target so that messages sent to that address are delivered to more than one folder. The alias resolution happens before spam processing. So let's say that you have accounts at various financial institutions and you want messages from those companies to always be filed into the "bank" folder (and possibly subfolders of bank for specific companies). You could create the alias "bank" at your personal domain, and use as the target for that alias "jcitizen+@fastmail.com" on the alias setup page. Here is how messages would be filed from various companies: Messages sent to "bank@yourdomain.com" would be filed into the "bank" folder. Messages sent to "alpha@bank.yourdomain.com" would be filed into the "alpha" subfolder of the "bank" folder if that subfolder exists. Otherwise they would be filed into the "bank" folder if the subfolder does not exist. You could set up several companies in this fashion. You don't have to create a new alias for each one -- only the one alias "bank" is needed. If the proper subfolder does not exist, the message will be filed in the main "bank" folder. Capitalization is ignored in email addresses and folder names during automatic email delivery processing. See the Fastmail help page about subdomain addressing at: https://www.fastmail.com/help/receive/addressing.html When I say that the emails will be automatically filed into the folder as described, this really means that at the first processing stage (before your rules are executed, the X-Resolved-To* header is used to target a specific delivery folder rather than the default Inbox. The rules are then executed, and rules can over-ride the target folder described above. Even if you don't want to create a specific subfolder for each company, using subdomain addressing still makes things much easier for you. The subdomain (alias) name can be something which would be unlikely to be guessed by a spammer, and you can add the company name before the @ when you sign up (anything@bank.yourdomain.com) and won't need to create a new alias. You just create one alias for the subdomain (such as "bank" in my example). If there is a security breach, you can discover this because you only gave that specific subdomain address (alpha@bank.yourdomain.com) to that one company. If the address is used by anyone else, it means that the company has sold their address list to another company or a spammer/scammer has stolen it. Bill

31 Aug 2021, 11:37 PM	#14
Coilavana Junior Member Join Date: Aug 2021 Posts: 1	I can't entirely agree that there are no significant privacy or security issues related to using an alias instead of a subdomain at an alias. On all the platforms, sites, etc., which you use, you should be very secure about how do you use your information. I had some problems with one website, and they have stolen my personal information. Many unknown people called me, and they were trying to get into my emails and many other things. That's why you do the correct thing to be interested in security. On a site is a lot of helpful information that will help you now and in the future. _______________________________ the link: https://jealouscomputers.com/cyber-s...tect-yourself/ Last edited by Coilavana : 5 Sep 2021 at 12:40 AM.

1 Sep 2021, 03:33 AM	#15
ReuvenNY Moderator Join Date: Mar 2002 Location: New York Posts: 4,259	Moderator's Comment Coilavana, if you thinking of spamming - DON'T. The first offense is a reason for being banned from this forum.

11 Jan 2021, 11:11 AM	#2
NumberSix Cornerstone of the Community Join Date: Jan 2003 Location: The Village Posts: 605	Welcome to Fastmail and the forum. I don't think that changing your login address to use your private domain will necessarily do anything to improve your security, but would be interested to hear from anyone who disagrees. I have a lot of different addresses that I use (private domains, employer, university, etc and also FM aliases -- probably similarly to most of us here), but I don't use my login username for actual email communications, so I've chosen as my login name (@fastmail.com) a sorta randomish string of letters that's easy to type. I have thought that not having my real name (or anything else that can be traced to me in the real world) as part of my login credentials helps to improve the security of my email (makes it hard for someone to get in by guessing at creds). As for spinning off individual addresses for each of the web properties you deal with, that's an excellent idea, one of the things I love best about FM and one of the reasons I will likely stay with them forever. I haven't found any other ESP that does this (at least, in-house). I make my individual addresses a little more (pseudo)secure by rot13'ing the left-side strings: thus "walmart" becomes "jnyzneg". It's more convenient if you can memorize the rot13 translation table The weakness of this scheme, for me, is that I'm using an FM domain alias for all of them rather than a private domain, so that if I wanted to leave FM for another provider, I'm much less mobile. But it's not something that keeps me up at night. https://en.wikipedia.org/wiki/ROT13

11 Jan 2021, 11:43 PM	#4
ChinaLamb The "e" in e-mail Join Date: Dec 2004 Location: a virtually impossible but finitely improbable position Posts: 2,320	My experience is that Fastmail.com logins tend to get a LOT of phishing emails -- at least they did at one point. Choosing an alternate Fastmail domain is a very strong recommendation. /cl

12 Jan 2021, 04:16 AM	#8
barmadrid Junior Member Join Date: Jan 2021 Posts: 6	Excellent! Thanks Bill and everyone else

12 Jan 2021, 04:23 AM	#9
ChinaLamb The "e" in e-mail Join Date: Dec 2004 Location: a virtually impossible but finitely improbable position Posts: 2,320	Only question I would have, is if that username could encounter problems if you lose rights to the domain... That is, can you still log into fastmail, and get support, if you lose the domain somehow, or if the domain isn't working? I've preferred keeping a WHOLLY separate login to Fastmail, so that no one, who has my email address, knows what email I use (unless they get an email from me and check the headers)... /cl

12 Jan 2021, 11:55 AM	#13
Terry The "e" in e-mail Join Date: Jul 2002 Location: VK4 Posts: 3,013	OP you can change your login name in your account section if you are not happy with it...