On the Perils of Owning a Vanity Username

The Early Adopter's Dilemma

Sometime in 2004 (I was 21), a friend sent me the then-sought-after invite to Gmail (thanks Moshe!).

I distinctly remember that moment, running through the registration form. I had the notion that "this is big", and that this just may be my primary address for the years to come (9 years later I can say this is perfectly true). This made me pause and think about the user name.

Unfortunately for this purpose, both my first name and my last name are simple modern Hebrew names, making my full name kind of common, and also already taken as a user name by an earlier adopter.

My internet alias since I was around 14 has been 'jifa' [1]. Modern Hebrew slang has adopted this word from Arabic (where it literally means 'sewers') to mean any substance or mixture that's disgustingly dirty or filthy - the best translation I can think of now is 'goo'. Anyway, I thought it was funny when I was 14, and it just stuck (no pun intended).

Considering the possibility of using this address professionally in the future, I thanked Gmail for the 6-char-minimum limitation and avoided any /jifa\d{2}/ [2] variations.

I needed a new username. One that's going to represent me online for years, and still be easy enough to remember, decent enough to print on a CV, and simple enough to dictate to someone over the phone. It was a tough moment.

I started playing with the keyboard, tapping on sequences and reading them out loud. It was probably around 5 minutes of staring at the screen and several attempts until I figured out qwerty123456 was available. Rather long for a vanity address, I'll admit, but certainly memorable, and with a geeky twist. One I shall proudly own.

And there I was, staring at my new address, pretty happy with the result. Little did I know the ramifications of my choice at the time.

[1] originally 'GrEEn JiFa', later de-skidded for a university username.
[2] I find most /\w+\d{2,4}/ user names pretty ridiculous, people selecting random digits (or worse - the current year) to eternally represent them online.

"Hi qwerty!"

Fast forward half a decade. Imagine you're developing this new super cool web app, with awesome e-mails reporting every single action you perform on that site, and you're creating (several) test accounts, tapping away through the registration form, just to see how everything looks and feels, you know? When you're asked for an e-mail address you just type in qwerty or something and then it says it has to be a valid address, so you make up this funny looking email address (on Gmail, naturally) that nobody probably ever registered - qwerty123456.

Then I get this:

screenshot cut at the exact line to prevent permanent reader trauma

I get several of these, every. single. day.

Forget the occasional explaining I owe my wife ("I swear, honey! it's just spam for my vanity address"), it's just annoying. And unavoidable. Here are samples from the past month or so:

"Hello adsjasdkhk,"

F.A.Q.

  • How come services don't verify new users' e-mail addresses? Well, apparently, some of them just don't; they blindly accept any address and start bombarding it with e-mails. Some try and ask the user nicely to validate the address, in fact making it worse for me - with constant e-mail reminders about not having verified the e-mail address associated with 'my' account.

  • Where are Gmail's spam filters? Oh, they're working great - most of these are perfectly legitimate e-mails sent by legitimate services from legitimate servers, so Gmail really has no way of knowing I didn't actually request them. Flagging them as spam would just ruin the classification for everyone else.

  • Oh, well, simply unsubscribe then! Well, that's not really a question, but here's the deal: some 'unsubscribe' links just take you to the account settings page, which, in turn, realizes I'm not logged in, and sends me to the front page to log in with a username and password I don't have [3]. *facepalm*

  • What do you do, then? I use Gmail filters. For anything that doesn't let me unsubscribe peacefully, I have a specific enough "Skip Inbox, Delete it" filter. I currently have 122 active such filters.

[3] unless this happens.

Accounts with Benefits

Now imagine you're going about trying to hack (sorry, legitimately bounty-hunt) a service and you need an e-mail account that's disconnected from your identity, so you register a new random Gmail address, and when it asks you for a recovery address... - you get the idea.

I am currently the primary recovery address for a few dozen (possibly hacker) Gmail accounts. I am capable of resetting their passwords at any time [4], and gaining complete access to whatever they've been doing with the account. Uhhm, not that I ever did it or anything.

[4] unless they have two-factor-auth enabled, but who does that for a throwaway?

"Congratulations! You have created a brand new Gmail address" (recovery notification, in Chinese)

TL;DR

This entire situation has put me in a unique point of view, to try and propose my two cents to web application developers:

  1. Always validate and verify your new user's e-mail address.
    • The proper way to do it is to send one (and exactly one) e-mail, requesting validation of the e-mail address via a link contained in it. Extra points for being polite: "if you did not request this, we're sorry and we will not send you any more e-mails".
    • Add a 'disavow' link (Gmail & Microsoft do this) - this is a neat security feature that lets the service know you are not the owner of this account, and prevents abuse.
  2. Allow one-click unsubscription.
    • This is proper netiquette. Have your unsubscription link include an identifying one-time token that allows an immediate removal from future communications. If you did not validate this e-mail address to begin with, do not ask me to log in to your service in order to remove it.
    • Have the link point to the company's easily verifiable public domain. If it's phishy (pun absolutely intended), I won't click it.
  3. Test your services with your own goddamn addresses. KTHXBAI
  4. [edit] some great comments in the r/webdev/ thread. Here's a couple of pro tips by krues8dr:
    • For testing addresses you do not need to verify, use anything@example.com. All example.com emails are discarded.
    • For testing addresses that you do need to verify, use any gmail account, and use username+ANYTHING@gmail.com. Gmail discards anything from the + onward, and will still route to your email account. Great for creating a couple dozen test accounts.
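As an added illustration of recommendations 1 and 2 (my own sketch, not code from this post or from any of the services mentioned), here is a minimal Python model of a signup mailer that sends exactly one verification mail carrying verify and disavow links, never sends reminders, and unsubscribes with a one-time token without requiring a login. Class and method names are hypothetical.

```python
import secrets


class SignupMailer:
    """Verify once, honour disavow, and unsubscribe without a login."""

    def __init__(self):
        self.pending = {}        # verification token -> address
        self.verified = set()    # addresses whose owner clicked 'verify'
        self.blocked = set()     # addresses that disavowed or unsubscribed
        self.unsub_tokens = {}   # one-time unsubscribe token -> address
        self.outbox = []         # (address, subject) pairs we "sent"

    def register(self, email):
        """Send exactly one verification mail; no reminders, ever."""
        email = email.lower()
        if email in self.blocked or email in self.verified \
                or email in self.pending.values():
            return None          # already mailed once, or told not to
        token = secrets.token_urlsafe(32)
        self.pending[token] = email
        self.outbox.append((email, f"verify?t={token} | disavow?t={token}"))
        return token

    def verify(self, token):
        """Owner clicked the link: only now may product mail be sent."""
        email = self.pending.pop(token, None)
        if email is None:
            return False
        self.verified.add(email)
        return True

    def disavow(self, token):
        """Recipient says 'not me': drop the signup and never mail again."""
        email = self.pending.pop(token, None)
        if email is None:
            return False
        self.blocked.add(email)
        return True

    def send_notification(self, email, subject):
        """Mail verified, unblocked addresses only; returns the unsubscribe token."""
        email = email.lower()
        if email not in self.verified or email in self.blocked:
            return None
        token = secrets.token_urlsafe(32)   # fresh per mail, identifies the address
        self.unsub_tokens[token] = email
        self.outbox.append((email, subject))
        return token

    def unsubscribe(self, token):
        """One click, no login: the token alone identifies the recipient."""
        email = self.unsub_tokens.pop(token, None)
        if email is None:
            return False
        self.blocked.add(email)
        return True
```

In a real service the tokens would be persisted and the links would point at the company's public domain, as recommendation 2 says.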

Finally, this post is really just a harmless rant. I love my Gmail address, I enjoy that little spark people show when I tell them to just 'swipe their finger on the keyboard twice', and would definitely choose the same one if I had to do it all over again.

Stick around, I might post interesting stuff some day.

Drop me a line at - well, you know.