Q. I tried to sign up at a site using the plus-sign trick to create a custom e-mail address, but the sign-in page rejected me. What’s going on there?

A. The reader who raised this issue was trying to use a tip I shared here last July — creating a bonus e-mail address by adding a plus sign and the characters of your choice to the username part of your e-mail address.

Google’s Gmail and such competitors as Microsoft’s Outlook.com allow this “sub-addressing” option. It’s a handy way to generate a new e-mail address (to register a second account at a site, to ease filtering messages from that company, or to track which firms sold your address to third parties) without changing any settings in your mail account or having to look anywhere for new messages but your usual inbox.

This practice may also reduce the amount of spam you get, although at least some spammers know to strip out the plus sign and everything after it. And it’s not against the rules of the Internet, such as they exist: There’s an entire specification documenting the finer points of sub-addressing.

But sub-addressing won’t work if a site rejects a “plus-ed” e-mail address as invalid.

The two biggest sites to present this obstacle to my reader were TransUnion’s credit-report site and Experian’s ProtectMyID.com identity-theft-prevention site.

(Yes, Experian is the company that recently lost the records of 15 million T-Mobile customers to a hacker. The irony of that firm hindering customers from cloaking their e-mail addresses is duly noted.)

“TransUnion does not accept special characters in e-mail addresses,” a spokesman said. “Our system requires an e-mail format that is compatible with all e-mail services.”

But the core Internet specification for e-mail doesn’t ban plus signs or other special characters in usernames. This problem is only about TransUnion’s mail system; if it can’t handle usernames that aren’t just letters and numbers, the company might want to shop around for something more tolerant.

Experian had a more helpful response.

“We are aware of the issue and addressing it,” ProtectMyID PR manager Sandra Bernardo e-mailed Thursday. “These types of email addresses should be accepted by early next week.”

It’s unclear how many other sites have this hangup, although it’s not hard to find discussions in which people complain about it without naming the offending Web properties.

Facebook used to be among them but changed its practice “several years ago,” spokeswoman Melanie Ensign said Thursday. Plus-ed addresses are now fine to use when setting up an account there.

If, however, you try to use one e-mail address to open a second account (for your business, for your cat, for whatever), Facebook won’t be fooled. Instead, it will pop up a notice saying “Sorry, it looks like [your e-mail] belongs to an existing account.”
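
An added example, not from this column or from any of the sites named: a sign-up check in Python that sets a hypothetical letters-and-digits rule of the kind that rejects plus-ed addresses beside one that follows the characters the mail specification allows, and shows one way a site could still tie plus-ed variants back to a single account. The function names, the strict rule and the sample addresses are assumptions made for illustration.

```python
import re

# Hypothetical over-strict rule: letters, digits, dot, underscore, hyphen only.
STRICT_LOCAL = r"[A-Za-z0-9._-]+"
# RFC 5322 "dot-atom": runs of atext characters separated by single dots.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
RFC_LOCAL = ATEXT + r"(?:\." + ATEXT + r")*"
# Simplified hostname check (assumption: ASCII domains only).
DOMAIN = r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}"


def _split(addr):
    """Return (local, domain), or None if there is no usable '@'."""
    local, sep, domain = addr.strip().rpartition("@")
    return (local, domain) if sep and local and domain else None


def _accepts(addr, local_rule):
    parts = _split(addr)
    if parts is None:
        return False
    local, domain = parts
    return (len(local) <= 64  # RFC 5321 limit on the local part
            and re.fullmatch(local_rule, local) is not None
            and re.fullmatch(DOMAIN, domain) is not None)


def strict_accepts(addr):
    return _accepts(addr, STRICT_LOCAL)


def rfc_accepts(addr):
    return _accepts(addr, RFC_LOCAL)


def account_key(addr):
    """Key for duplicate-account checks: drop the +tag and fold case.
    Assumes the mail provider uses '+' as its sub-address separator and
    ignores case; store and send mail to the address as the user typed it."""
    if not rfc_accepts(addr):
        return None
    local, domain = _split(addr)
    base = local.split("+", 1)[0] or local  # keep a local part that starts with '+'
    return base.lower() + "@" + domain.lower()


# Constructed sample addresses.
for sample in ("reader@example.com", "reader+shop@example.com", "reader..x@example.com"):
    print(sample, strict_accepts(sample), rfc_accepts(sample), account_key(sample))
```

The key is only for spotting an existing account; the site still keeps the plus-ed address for delivery, so the user's filtering and tracking keep working.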

Tip: Two-step verification no longer requires cooking up batches of per-app passwords

One of the traditional hassles of setting up two-step verification — an effective but under-used security measure in which you verify any unusual log-ins with a one-time code sent to your phone — has been having to generate extra passwords for desktop apps like e-mail clients.

These long, randomized app passwords work well enough, but they also add multiple clicks to the process of setting up an account. And if they ever get compromised, two-step verification won’t stop an impostor from logging in as you. (Google presents app passwords as if they’re only good for one use, but I’ve been able to save them in multiple apps.)

Google now strongly encourages app developers to build in direct support for two-step verification, using a standard called OAuth2 that lets an application ask for a one-time code and then send it back to the service involved.

Apple’s Mail programs for iOS and OS X began supporting this option in the spring, and Microsoft’s Mail app for Windows 10 also lets you type in the verification code generated by Google’s Authenticator app or a third-party equivalent.

If your mail app allows this option — it should say so in its help file or release notes — I suggest you exercise it. It’s less work upfront and it’s more secure afterwards.

Rob Pegoraro is a tech writer based out of Washington, D.C. To submit a tech question, e-mail Rob at rob@robpegoraro.com. Follow him on Twitter at twitter.com/robpegoraro.