I would really love to see an official "hide my email" extension from Apple. I use this feature so much that I go out of my way to use it since I don't use Safari and that's the only integration for HME.
Bonus is that I use a separate subdomain of my custom domain for disposable email addresses which means it never fails email checks (some don't like disposable/temporary email domains).
Doesn’t seem like a bonus. Your custom domain could just be blocked wholesale. Hide my email uses iCloud, not a separate domain. iCloud addresses probably won’t be blocked as that’s the default email given for hundred million plus Apple accounts.
Fastmail by default uses @fastmail.com addresses for masked email, same as their cheapest plan, so when I used it there was never anything blocked except the occasional site that only accepts gmail addresses (yep, they exist). Personally I prefer it that way for personal use, the custom domain sacrifices anonymity, but it might be nice for business users.
Fastmail is still like 0.1% of users. If you're a "growth & engagement" company you're probably better off banning that domain wholesale and as a bonus will get rid of tech-savvy ad/tracker blocker users without making any impact to your target market.
The advantage of iCloud is that it's a domain laymen use - those same laymen the "growth & engagement" scum want to track and spam. They can't just ban it wholesale without alienating a large chunk of their target market (and a pretty lucrative one at that, since Apple hardware is expensive).
A while ago I ran into the first site that told me I couldn't use my fastmail masked email: remove.bg.
I don't know if they block every fastmail.com address, or if they somehow check if it's a masked email.
Lots of random weirdness for me trying to use mine. Most recent example was trying to check out as a guest on Little Caesar’s app. Kept declining my Apple Pay transaction without telling me why — changed the email and it worked.
There’s only been a handful of times I’ve used it, maybe 12? At least a few of those times it wouldn’t even let me submit it saying it was an “invalid email”. Couldn’t even get past the validation.
Any idea if using a custom domain would have worked better here? I wouldn't be surprised if some places only accept email addresses from a small set of "known" providers
Companies blocking disposable email domains are doing it to prevent many users from using their service with a disposable email.
A custom domain that only I use specifically for disposable emails would look indistinguishable from any other custom domain out there, and nobody else would have used it for them to even be aware of its existence.
To block it pre-emptively, they’d have to either be omniscient or block every single custom domain in existence. The former I highly doubt is the case, the latter would generally do more harm than good to them.
I used to use an MX record that had mailinator handle nospam.jrock.us email addresses... but stopped doing it for anonymity reasons. ("whois nospam.jrock.us" whoops there's my home address!)
The alternative I currently use is letting Gmail handle the spam. I used to be big into jon-foo@jrock.us for "foo" and that sort of thing, but every address ended up on every spam list anyway, and the filtering didn't increase the signal to noise ratio.
For true throwaways I just use mailinator. If I want to receive email from someone someday, I can just create another account. If they spam me, Google will filter it out. So it goes.
You use jon-foo-randomchars@example.com because then you can be sure where the address was leaked from and which companies are selling your email address, and to provide additional signal to the spam filter. If you use just jon-foo@, then that's guessable and you can't go off on them for selling your email address when they said they wouldn't.
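The tagged-address scheme from the comment above, as an added example that is not part of the thread: instead of storing random characters per site, this sketch derives the suffix with a keyed HMAC, so an inbound recipient address can be attributed to the site it was issued to and a guessed `jon-foo@` style address is rejected. The key, the `jon` prefix, `example.com` and the function names are assumptions of the example.

```python
import hashlib
import hmac
from typing import Optional

# Assumptions of this example (not from the thread): the key, the "jon" prefix,
# example.com, and deriving the suffix with HMAC instead of storing random chars.
SECRET = b"constructed-demo-key-replace-me"
USER = "jon"
DOMAIN = "example.com"
TAG_LEN = 8  # hex characters kept from the MAC


def _tag(site: str) -> str:
    """Unguessable per-site suffix: truncated HMAC-SHA256 of the site label."""
    mac = hmac.new(SECRET, site.lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:TAG_LEN]


def make_alias(site: str) -> str:
    """Build jon-<site>-<tag>@example.com for a single service."""
    if not site.isalnum():
        raise ValueError("site label must be alphanumeric (no '-' or '@')")
    return f"{USER}-{site.lower()}-{_tag(site)}@{DOMAIN}"


def attribute(recipient: str) -> Optional[str]:
    """Return the site an inbound recipient address was issued to, else None."""
    local, _, domain = recipient.lower().partition("@")
    parts = local.split("-")
    if domain != DOMAIN or len(parts) != 3 or parts[0] != USER:
        return None  # e.g. the guessable jon-foo@ form
    _, site, tag = parts
    if not hmac.compare_digest(tag.encode(), _tag(site).encode()):
        return None  # guessed or altered suffix
    return site


if __name__ == "__main__":
    alias = make_alias("foo")
    print(alias, "->", attribute(alias))
    print("jon-foo@example.com ->", attribute("jon-foo@example.com"))
```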
I generated a “hide my email” forwarding address specifically for my HN profile last weekend.
Not via a Chrome extension, but it’s pretty easy to generate one on any Mac (maybe even iOS?) in system settings. You can name the forwarding address to have different ones for different uses.
Edit: re-read your comment and sounds like you’re already doing this manually, like me. I agree it’s a hassle and would love to see a more native UX that doesn’t involve opening system settings
Shameless plug: I've built the unofficial "Hide My Email" browser extension [0], available both in Firefox [1] and Chromium [2]. Tried to make it as frictionless as the Safari UX, which proved to be a challenge given the lack of native HME APIs.
Same for Apple Pay. Given that I mostly buy things on my computer, and that I don't use Safari there, I basically never use it, even though I would really prefer it over entering/auto-filling my card number.
Apple’s Hide-my-email service is only useful to people who don’t have their own domain-name for email. I assume most of us here on HN have a vanity dot-com or dot-me that we just point to GMail (or maybe Office 365 if you lean that way) - all those services (not to mention self-hosted) allow us to set arbitrary, catch-all, and disposable addresses (even the perpetually un-cool O365 supports it now too).
I’ll never use Apple’s Hide-my-email service until they let us use it with our own domain-names. It’s my email mailbox and my dodgy account registration, not Apple’s.
I wouldn’t say it’s only useful for people without vanity domain names - it also adds a level of anonymity should the user database get leaked (i.e. it’ll be a random HME account that will look like every other, vs your specific domain name)
Also FWIW you can use it with custom domains - I use it with fastmail and have since day one (their version of it isn’t as tightly integrated as Apple but they offer this service as well). Hope this helps!
To confirm, you're saying that Apple will generate something like "randomString@yourDomainName.com"? If so, how can I set that up? I don't see any relevant settings on my phone's iCloud settings page.
I'm honestly surprised to not only see this extension posted on HN, but for it to be upvoted so many times.
This is an old extension and I can tell you from personal experience, it doesn't work.
I do productivity and work stuff on my Macbook and have a Windows desktop machine for games and movies. I have tried for several years to figure out a solution that would let me use the iCloud keychain to store all u/p and let me use them across browsers and desktops.
I have tried every combination of uninstall/reinstall/change permissions etc with the extension on Windows 10 and it doesn't do anything.
> I have tried for several years to figure out a solution that would let me
Pro-tip: Don't use software by companies who explicitly hate cross-platform software when you need said software to work cross-platform.
For credentials/secrets, there are other tools that actually do a really decent job at being cross-platform (including iOS/Android). Two of these are 1Password and Bitwarden (FOSS as well). I'm a happy user of the former, but lots of people (including many here on HN) sing praise about the latter.
Yeah, it’s an old extension and doesn’t work great but it sort of works. I had to disable autocomplete in forms for it because it would break even Apple’s login screen - couldn’t submit (some JS error from the injected extension code). Now I just use it from the button in the toolbar and that gives me the password.
I can see that it says "Offered by: Apple Inc." but beyond that, how are people supposed to see it's "official"? As far as I can tell, there are no links from apple.com/* to this extension.
Apple has documentation about using iCloud passwords from Windows[1]. I tried setting it up a while back but it doesn't support Firefox. If I recall correctly, you get links to the extensions from within the iCloud app on Windows.
Check out Firefox if you need a cross-platform browser that syncs passwords, etc. I use Windows, macOS, Linux, and iOS, and I've found Firefox to be my best option.
>I'm pretty sure the Firefox data is E2E encrypted. As in "If you forget your password, your data is gone."
The argument though is that it's not true E2E without the secure enclave. App data can be compromised in many ways. Apple goes to incredible lengths (including burning the root key which cannot be retrieved or reset from outside the enclave into the silicon during manufacturing with no way of them being able to tell what it is) to ensure a chain of trust from the point that anything physically enters the device.
True, but then they also added mandatory key escrow using server-side HSMs with no way to opt out – and these are by their nature much harder to audit than local secure enclaves.
In other words, with Firefox you trust the security of your device, whereas with Apple you trust the security of their entire ecosystem. In most cases, that's probably even a good thing, but I wouldn't exactly label one as strictly better than the other in all scenarios.
I don't think this actually opts you out of key escrow these days. It only replaces SMS-OTP with the recovery key, as far as I understand.
It's impossible to tell, though – Apple's platform security guide was last updated in April 2022, which predates Advanced Data Protection. (Weirdly they do mention it in the document [1], though, so the date might also be incorrect and they might have added that information since I last looked a year ago.)
At least according to [2], it seems possible to gain access to the encrypted data using the iCloud account password and the passcode/login password of one other device on the iCloud account in any case.
>At least according to [2], it seems possible to gain access to the encrypted data using the iCloud account password and the passcode/login password of one other device on the iCloud account in any case.
But iCloud access is forced to 2FA with one of your signed in devices, which requires the local password (pin, touch id, or face id, all of which never leave the enclave) to approve. There's really no way to get something covered by ADP short of physical device access + a stolen/coerced pin number.
I blame the marketing. I don't want to talk about the historically unencrypted backups nulling so much of what people thought from the ads, it might awaken sneak
If already using Chrome's built-in password feature, is there a good reason to use this besides just wanting to use one FAANG ecosystem versus another?
Now I (using Safari) can use the upcoming iOS/iPadOS/macOS version’s shared password functions with my wife (who likes Chrome), all without a separate password manager.
We’ve used 1Password for ages, and I still like it a lot at work, but can probably get by with the built-in tools now.
Chrome doesn't have a TOTP authenticator, Keychain does. I don't use that feature in any password manager but some people really love it. Keychain will sync on any Windows/Mac Chromium based browser (so Edge, Brave, etc) plus Safari, so it's a little bit less locked in than Chrome but not as good as a standalone password manager.
For users with multiple Apple devices, this should enable the same password syncing and auto gen capabilities as using Safari. For me, that means a lot less hassle using Chrome as my dev browser (otherwise when I’m prompted to create a password, I switch to Safari to create/submit it, then copy from Keychain Access, which works but it’s a PITA).
"Download iCloud for Windows to use iCloud Passwords"... On Windows this requires 'iCloud for Windows'. A definite non-starter for me. There is no reason to have an extension like this call out to locally installed software for a cloud service like password management. I'm sure it can be done in JS/TS/Wasm within the context of an extension (doesn't have same-origin issue).
AFAIK in web TS/JS/Wasm you cannot mark memory regions as in-memory only (mlock on Linux). This means that the secrets in JavaScript can easily be leaked if the kernel decides to page V8 process memory (unencrypted) to disk.
This risk is unsuitable for an application that needs to handle sensitive credentials like an encryption key for all of a person’s passwords — or the vault itself.
Also, this is why I do not trust LastPass — they don’t run a native module, so how do I know that my vault isn’t just being stored on disk?
I don't know the internals, so I'm guessing, but for password sync between iCloud devices Apple might require a hardware protected key (like in a TPM). In which case it does make sense that this requires a native process running on the host. At least until that can be exposed in a meaningful way through a Web API. I doubt it's as simple as querying the iCloud servers for the plaintext password.
Huh, interesting, so this only works on Chrome on Windows and macOS?
I wonder if that's due to a technical limitation (maybe it uses an OS-native hardware secret storage mechanism that Linux does not offer), or just because Apple refuses to acknowledge the existence of Linux on the desktop.
I attempted many times to use this extension under Windows. It was one of the most frustrating software installation experiences I've ever had. I never got it to work. Note that it has a 2 star review.
Perhaps Apple developers don't know how to write a Windows program but the macOS version will be usable.
Same. Luckily (recently?) iOS added support for using Chrome’s keychain to fill in passwords. It seems you still have to open the Chrome app from time to time to sync passwords, however.
Also, iOS 17 adds using your third-party password manager for using (signing challenges with) passkeys.
The only issue I can find is that you can't select two or more third-party password/passkey filling apps, unless one is "iCloud Passwords & Keychain". So if your setup is 1Password for passwords and iOS for most of your Passkeys, you can do that, but hopefully you use the same third-party passkey and password implementation.
Apple/Safari cannot seem to distinguish my various AWS Cognito identities from one another. Never stopped to look into it, but Firefox and Chrome seem to have no problem understanding the difference between xxx.awscognito.com and yyy.awscognito.com.
Which is to say, I doubt I'll be using it in Chrome.
I purposely don't use iCloud Keychain because it's not portable to Linux, Android, and Windows. Instead, Bitwarden (set up correctly) and the Chrome browser extension. On iOS, Bitwarden can act as a total replacement for Keychain. Works on Android too.
I've been using this with Microsoft Edge on Windows, this is so very useful. It does have autofill on the browser, but for some reason it keeps asking for password if you want to directly open it to add a password or look up something.
Cool. I'll probably use Chrome more now. I'd use Firefox full time with an extension like this.
--
Yes and: The Apple Passkey future can't get here soon enough.
Meanwhile, I wish Keychain allowed memo fields. Some place to record all those stupid personal security questions.
(1Password has memo fields. I switched to iCloud once I started using Apple Pay, because of integration, ubiquity.)
Also: I (officially) asked my credit union about using U2F with my account(s). No plans. This crap needs to be legislated, or some other forcing function.
I've been meaning to migrate off of Lastpass, I think this would put Keychain in the mix of options. I haven't used keychain in years, is it still pretty clunky?
Keychain is clunky, but Passwords is better. Functionally Passwords isn’t as robust as LastPass (or 1Password) but their handling of their last security breach proved they’re not deserving of my business and getting off their service was a high priority for me.
iOS 17 and macOS Sonoma should have better 3rd party browser integration, certainly Chrome for now… hopefully Firefox in the near future.
Keychain Access.app hasn't changed in years. But if you're just interested in filling out passwords, then you can use the Passwords settings pane in system settings and/or the password settings screen in Safari.
There is no application and doing anything from looking for a login detail to editing a password is on a par, interface-wise, with editing a registry key on Windows.
Chrome used to have native support for Keychain back in the day when it was still growing. Then suddenly they no longer needed that feature. Glad to see this is coming back in some capacity.
I guess this is Apple's way to add Passkeys support into Chrome as well, for macOS users using Chrome, which is very common, or macOS users with an Android device.
The Chrome extension is new for macOS? To my understanding, this is meant for Windows users. There is no point in having this when running macOS when iCloud Passwords is built-in.
It’s not built-in in a way that works with Chrome/Brave/Edge well, this fixes that. Requires beta though. Basically they updated this old Windows bridge extension for Chrome to work on macOS.