by tablethnuser 2526 days ago
I stopped doing this recently because it makes password breaches devastating and online tracking easier. Now the only stable screen name I use is for my professional persona. Everything else I sign up with whatever random screen name is in my head at the time. Some of them I toss in the password manager, effectively making it also a username manager. Others, like HN, I don't store the username or password at all. Once the session dies for whatever reason I just make a new account. It's very freeing!

While I understand the privacy/tracking problems, why would password breach be a problem, if you are already using a password manager which would supposedly make it easy for you to use different passwords on different sites?
Not OP, but I think he means that he would get flooded with login attempt/password reset attempt emails from other sites when a username is leaked. Even though his password is likely safe, he would still have to log into each one of these services and update the password to be sure.
If you use the same password with every account, sure - it's devastating.

I use a unique email address and password for each account, and 2FA where possible. I don't think the public username being consistent is too much of a risk.

That said, I do also have random non-associated accounts, just like you.

How does reusing usernames put you at any more risk unless you are also reusing passwords?
You will get automated emails alerting you to people trying to access your account even if they don't have the credentials. E.g. they got my PSN info from a breach and tried to use it to log into Steam or Battle.net. Sometimes they will even start the password reset flow, but I have no idea why.

I rarely go through these flows myself, so I don't know what they reveal or are capable of. I'd rather be anonymous.

Some of the reset flows leak email address information (or, worst case, entire email addresses) in the "We sent an email to you" descriptions, and some of them leak 2FA/MFA metadata such as 1) whether 2FA is on for an account at all, 2) whether 2FA is TOTP based or SMS based. (Depending on how the reset flow was coded to handle 2FA/MFA, since a lot of sites bolted in 2FA/MFA way after they built their password reset flows originally.)

In a lot of the cases where a reset flow was initiated, the real goal seems to be to get email or SMS access. (I.e., you may want to check your email provider for failed login attempts after a reset flow email.) Sometimes it is useful to check those flows yourself for such leaks and report them to site owners. (Though in my experience so far, many of them seem nonplussed about it more often than not.)

Some of the reset flow emails at this point aren't even real, they are increasingly elaborate spear phishing schemes to get you to worry about your account security enough that you might follow a link directly from the email (to a phishing login) to "report that you did not request a reset" in some way or another.

Also, I'm sure some of them are initiated just for graffiti/broken-windows/anxiety-creation reasons. They want you to know they were trying to get your account.

ETA: Also, initiating password recovery flows can be a step in trying to social engineer access from a customer service rep. ("I started the recovery process, but never got the email." "Yes, I can see that you started the process, let me see what I can do...")
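The leak described above (reset responses that differ depending on whether an account exists and which kind of 2FA it has) and the suggestion to check your own flows for it, as an added example that is not part of the thread or any commenter's code. It assumes a hypothetical in-memory account store with constructed sample addresses; `leaky_reset`, `uniform_reset` and `distinguishable_responses` are names invented for this illustration.

```python
# Added example (not from the HN thread): a password-reset handler that
# leaks account existence and 2FA type through its response, beside one
# that answers uniformly, plus the check a site owner can run on both.
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Account:
    email: str
    mfa: Optional[str]  # None, "totp" or "sms"; constructed labels


# Constructed sample accounts; hypothetical, not real users.
ACCOUNTS = {
    "alice@example.com": Account("alice@example.com", "totp"),
    "bob@example.com": Account("bob@example.com", "sms"),
    "carol@example.com": Account("carol@example.com", None),
}

# Stand-in for the mail sender: records what would have been sent.
SENT_EMAILS: List[str] = []


def send_reset_email(acct: Account) -> None:
    SENT_EMAILS.append(acct.email)


def mask_email(email: str) -> str:
    """Partially mask an address the way many 'we sent an email to' pages do."""
    local, _, domain = email.partition("@")
    return f"{local[0]}***@{domain}"


def leaky_reset(email: str) -> dict:
    """Reset handler whose response varies with account state (the defect)."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        # Distinct status and wording: confirms the address is not registered.
        return {"status": 404, "message": "No account with that email address."}
    send_reset_email(acct)
    if acct.mfa == "totp":
        hint = "Have your authenticator app ready."
    elif acct.mfa == "sms":
        hint = "A code will also be sent to your phone."
    else:
        hint = ""
    # Echoes a (masked) address and a 2FA-specific hint: both are metadata
    # the requester did not have before asking.
    return {"status": 200,
            "message": f"We sent a reset link to {mask_email(acct.email)}. {hint}".strip()}


def uniform_reset(email: str) -> dict:
    """Hardened handler: identical status and text whether or not the account exists.

    The mail is still sent when the account exists; only the side effect
    differs, nothing visible to the requester does.
    """
    acct = ACCOUNTS.get(email)
    if acct is not None:
        send_reset_email(acct)
    return {"status": 200,
            "message": "If an account exists for that address, we have sent "
                       "password reset instructions to it."}


# Probe set for the self-check: known accounts of each 2FA kind plus an
# unregistered address.
PROBE_EMAILS = ["alice@example.com", "bob@example.com",
                "carol@example.com", "nobody@example.com"]


def distinguishable_responses(handler: Callable[[str], dict],
                              emails: List[str] = PROBE_EMAILS) -> int:
    """Number of distinct (status, message) pairs across the probe set.

    1 means the response reveals nothing about account state; more than 1
    means the response itself discloses it.
    """
    return len({(r["status"], r["message"]) for r in map(handler, emails)})


if __name__ == "__main__":
    for name, handler in (("leaky", leaky_reset), ("uniform", uniform_reset)):
        print(f"{name}: {distinguishable_responses(handler)} distinct response(s)")
```

The check counts distinct responses over a probe set that includes an unregistered address and one account per 2FA type; the leaky handler yields four, the uniform one yields one. A uniform body is necessary but not sufficient: if the mail is sent synchronously inside the request, response time still differs between the two branches, so in a real service the send should be queued and the endpoint rate limited per address and per source.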