by MorrisofOrange 2696 days ago
OP, really cool idea. One issue and two questions:

Issue: if someone got a password list, they clean it up by removing anything between the + and the @, so it doesn't add too much protection.

Question 1: if I get an email from someone addressed to a hashed address, could I easily figure out who I gave that email to?

Question 2: will you be porting to Firefox?
2 comments

Thanks for the feedback!

Regarding the issue, I fully agree with the answer of luckylion.

Q1: Since it almost has to be used in combination with some sort of password manager, you could compare the hash with the service you signed up for. But that's a bit inconvenient. Since you receive a mail for each new signup, maybe set up a mail filter that gathers all first mails to a hash in a dedicated folder. This way you can compare the sender with the first mail for a specific hash when receiving new mails. This would have the benefit of having the data right inside your mail app of choice.

Q2: Just ported to Firefox thanks to your suggestion: https://addons.mozilla.org/de/firefox/addon/mail-hash/
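
The mail-filter idea from the Q1 reply, as an added example that is not part of the original comment or the extension's code: it records the sender domain of the first mail seen for each plus-tag and flags later mail to that tag from a different domain. The sample messages, tags and domains are constructed, and comparing on the exact From domain is an assumption.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample mail in arrival order (tags and domains are made up).
SAMPLE_MAIL = [
    "From: Shop <welcome@shop.example>\nTo: myname+3f9a1c@example.org\nSubject: Welcome\n\n.",
    "From: Forum <noreply@forum.example>\nTo: myname+b72e05@example.org\nSubject: Confirm\n\n.",
    "From: Shop <news@shop.example>\nTo: myname+3f9a1c@example.org\nSubject: News\n\n.",
    "From: Deals <promo@bulkmail.example>\nTo: myname+3f9a1c@example.org\nSubject: Offer\n\n.",
    "From: Friend <friend@mail.example>\nTo: myname@example.org\nSubject: Hi\n\n.",
]

TAG_RE = re.compile(r"^[^+@]+\+([^@]+)@")


def plus_tag(address):
    """Return the part between '+' and '@', or None for an untagged address."""
    match = TAG_RE.match(address)
    return match.group(1).lower() if match else None


def sender_domain(msg):
    """Domain of the From header. The header is spoofable, so treat it as a hint."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def audit(raw_messages):
    """Return (first_seen, alerts) for mail processed in arrival order.

    first_seen maps tag -> sender domain of the first mail to that tag.
    alerts lists (tag, expected_domain, actual_domain) for later mismatches.
    A service that sends from several domains will also show up here.
    """
    first_seen, alerts = {}, []
    for raw in raw_messages:
        msg = message_from_string(raw)
        domain = sender_domain(msg)
        headers = msg.get_all("To", []) + msg.get_all("Delivered-To", [])
        tags = {plus_tag(addr) for _, addr in getaddresses(headers)} - {None}
        for tag in sorted(tags):
            expected = first_seen.setdefault(tag, domain)
            if expected != domain:
                alerts.append((tag, expected, domain))
    return first_seen, alerts


if __name__ == "__main__":
    seen, alerts = audit(SAMPLE_MAIL)
    for tag, expected, actual in alerts:
        print(f"tag {tag}: first sender {expected}, now receiving from {actual}")
```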

Not OP but removing the hash will not really help, even if you've used the same password on multiple sites, because the attacker would need to know which hash was used to sign up for other services.

Compromised myname+leaked@example.org:mypassword won't help getting into my account at somewebsite that is registered to myname+secure@example.org:mypassword.

And, I suppose, it forces you to use a password manager, because there's no way you're remembering the email, even if you're using the same password ;)