Ask HN: I have 176 logins/accounts. How many do you have?

185 points by bojangleslover ↗ HN
Here is a screenshot of my Bitwarden: https://imgur.com/a/UdG7Inb

They include some really important things such as:

Health insurance G-Suite for work Bill.com (which I use to get paid) IRS.gov (which I use to get un-paid) UK Companies House Register Interactive Brokers My bank

Obviously, anything with OAuth is "bundled" into my Google account. So if anything this is a huge underestimate.

I'm asking because of how insane auth has become. I know companies like OnePassword and Bitwarden are working on this and overall they do a great job. But I still have a near-stroke every time I have to do the "forgot my password" loop, or use Duo Mobile/other 2FA.

The only really good auth feature I've ever encountered has been Apple's "fill from Messages" feature as well as their Touch.

295 comments

[ 3.2 ms ] story [ 421 ms ] thread
I have 93 personal accounts in my Bitwarden, plus 13 that I have categorized as "deprecated".

I don't think 176 is wildly unusual; it may be a bit higher than some people, but it's certainly not a Guinness World Record or anything like that.

The elites don’t want you to know this but the accounts on the Internet are free you can take them home I have 458 accounts.
[flagged]
Can you please not post unsubstantive comments or political flamebait (or other flamebait) to HN? You've already done it repeatedly with this account. It's not what this site is for, and destroys what it is for.

If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful.

Every time you "log-in", you're increasing your carbon footprint :-)
Most of the logins are sequestered in the password manager, for which I get a moderately decent subsidy from the government.
According to Bitwarden, 479 accounts
Hehe exactly the same number I have in KeePassXC, 479. I'm pretty sure many of these services have shut down years ago.
800 logins in my Bitwarden.

These are logins I collected over the last 15 years. A lot of them are for pages that don’t event exist anymore.

182 logins here, although most of them aren't used frequently.
515 - thank you Jesus for password managers
Interesting question! I just checked and, wow, I have 922 accounts in 1password. (From 10+ years of use.)

It’s funny you bring this up because I’ve thought about “cleaning up” 1password before. But all the extra accounts are not really in my way.

I never use oauth (like to create a new account / password for everything). All of my work-related accounts are in there from several employers. Lots of passwords for (probably dead) servers. I count 28 logins for salesforce.com from past employers, various sandboxes, and consulting gigs.

The archive feature is nice for cleanup. It doesn’t delete, just hides from lists and searches. I’ve un-archived many items before.
> I never use oauth (like to create a new account / password for everything).

Me too. I have 672. Lots are for accounts I set up for nieces/nephews, etc., so those don’t really count. I bet 100 are stale as well I’ll clean them up one day. Lol.

Slightly below 2000 last time I looked. Most sites don't support deleting content or accounts. In best case they just "anonymize" you. So it just keeps growing...
1,226 items in my 1Password database. Very happy customer.
So if anything with OAuth is tied to Google, how would you survive losing your Google account?
For this reason I stopped using Google / OAuth a couple of years back!
I currently have 344 accounts in my password manager.
939 accounts in 1PW
I really don't know how many accounts I have, for most of them I don't even store passwords, I just generate them in a deterministic way with a little password generator I made[0].

Some time ago I realized what a waste was to store so many secrets, even more knowing that for the most part I'll probably never need them again.

For the - proportionally few - important secrets, I use (and really like) Pass[1].

[0]: https://aprico.org

[1]: https://www.passwordstore.org/

Aprico is a neat idea, but as soon as you face a website that has stupid requirements like a character limit, specific banned characters (like symbols), or other it has no way of adjusting for that and you have to start tracking exceptions. It also has a 1-1 limit of website, unless you come up with service naming heuristic as well. Regardless of these limitations (which I realize are edge cases and very much not the point of the service), it's a nice, simple idea :)
Don’t forget the even stupider variant, the allow-list of like 5 symbols. “Tell me you failed infosec 101 without telling me you failed infosec 101.”
There's a local government website that requires eight or fewer characters, and the eighth character has to be a digit.

They've tried to change the requirement, but it comes from vendor software. The vendor just waves around a middle finger and points to the contract.

Anectodal from a few years of use, surprisingly those stupid requirements are almost a thing of the past nowadays. But yes, some edge cases still require some bits of muscle memory, which may be your thing, or not.

I'm a bit ashamed that I never found the time to write down some docs, so I never really shared it, apart from a few friends and colleagues. On desktop, the web extension is quite convenient, it will autofill everything for you but the master password.

On iOS, I made a simple shortcut[0] where you share a url and - thanks to the os autofill - you just get your password copied into the clipboard, no input required at all. Also, on Android there is something similar using the PWA Web Share Target API.

And that's it, thanks for your kind words.

[0]: https://www.icloud.com/shortcuts/2dcb6680e6b3424d8708e673e1a...

410 according to 1 Password. I do periodic cleanups though and I should probably do one soon so the number of actual, in use, logins is probably lower.
There are 92 entries in my credentials archive. I try to avoid creating them if at all possible, and I never use OAuth.
1300 as per 1Password.. and must be 500+ in my old Firefox account that I didn't bother exporting.
> But I still have a near-stroke every time I have to do the "forgot my password" loop, or use Duo Mobile/other 2FA.

That's funny, I've stopped caring about remembering most passwords and use the "forgot my password" loop as a login mechanism for rarely accessed sites/services. I also only enable 2FA on important ones like email, github, or banking. Basically my threat model includes my ability to lose things.

This works until you want to change your email domain (or provider in some cases)
Around 300 at this point, sans any deleted ones. I don't think I know a single password anymore, since they're all randomized and separate for each site.

> Obviously, anything with OAuth is "bundled" into my Google account.

Maybe it's just me, but I try to never use centralized identity providers (outside of things that I really don't care about) and use separate e-mail auth whenever possible, across multiple e-mail accounts (some self-hosted). Same with considering separate Google accounts for phones, services like e-mail, a separate one for any content creation on YouTube and so on (ideally without any of them coming in contact with one another).

The idea is that one account getting closed/suspended shouldn't result in ALL of the linked stuff becoming inaccessible. I don't even do anything weird online, it's just that nowadays you hear lots of stories about people getting banned based on some heuristics by automated systems, with no ways of getting in contact with the support. Even something like a VPN might trip those systems up. Similar things have happened to me before (a SaaS provider didn't want to do business with me) for no good reason even without a VPN, but trying a year later with the same credit card didn't result in the other account being auto-suspended. How odd.

I guess the next step would be to have usernames, phone numbers and even payment methods (apparently virtual credit cards sometimes work) also be more randomized and more compartmentalized, though something tells me it'd be a pain to do that. That said, I largely believe that privacy online is mostly dead due to how much fingerprinting there is, though one can still protect themselves from automated systems acting weird, because nobody genuinely cares about that, at least at the scale where they're needed.

I have about 150 accounts, though some of them are logins for vendors I dealt with once, a decade or more ago.

> I guess the next step would be to have usernames, phone numbers and even payment methods (apparently virtual credit cards sometimes work) also be more randomized and more compartmentalized, though something tells me it'd be a pain to do that. --- I do that. It's no trouble. I use various usernames to 'fuzz' tracking. Yes, anyone who really cared could track me by my IP address, but trackers are like whales sieving krill; they get so much, they don't bother to look very hard.

> people getting banned … with no ways of getting in contact with the support

This is the most out-of-whack part in my humble opinion. Most of us have a tremendous amount of data and things like auth tokens tied up in Google, and Apple, and due to their scale and the fact that at least for GOOG it’s a “free service,” they’ve set the expectation up that “support” should be limited to searching an FAQ, and also that any account they ban must be some kind of troll account that shouldn’t be listened to. God forbid they give you a phone number where you could bother a person until your problem was solved.

Using ad-supported services for vital stuff is risky. But I know even Apple isn’t very helpful, even for those of their iCloud users who pay.

Google cornered themselves: I’d never give my credit card to Google. I switched to Apple precisely because I have my emails in Google. Even if both had non-support, it’s better to at least not have to report credit card fraud against the company who also has my emails…
at least they now let download all datas when they ban an account(source: two weeks ago they accused me of being a bot, still waiting for a response to my appeal but meanwhile i've been able to download my stuff)
I still think this is a bad idea. I never use oauth logins and believe the convenience isn't worth the dependence and security risk at all.

Exception are my work accounts. Here I am public anyway, so what gives. I think there still is a huge risk of industrial espionage, but anyway...

Agreed, enough horror stories have kept me away from using Google as OAuth. The only value I see in it is as part of SSO for employee accounts. Employee leaves and revoke access to everything.
Not even banned, one of the games I play just put out an announcement that Twitter login support might be dropped soon because of Twitter's API changes, so you better associate your account with email soon.
Similar, around 290 personal accounts. In addition comes the logins and such for various internal services like Home Assistant, PiHole etc. Total over 400 in my password manager.

I keep wishing for something better.

A great start would be to reduce friction, by having some standardized interop between browsers and a password manager. Like, my browser shouldn't know or care about passwords, it should just mediate the authentication request to my chosen password manager through some standardized means.

> some standardized interop between browsers and a password manager. Like, my browser shouldn't know or care about passwords, it should just mediate the authentication request to my chosen password manager through some standardized means.

This way lies dragons. Browsers are among the most complicated software that most people run on their machines these days, and the number of bugs lurking in them is probably large.

I don't use any browser plugins for password managers, choosing instead either to copy/paste them by hand from my password manager, or using xdotool or hammerspoon to type them in.

Well, the alternatives you mention are all prone to keyloggers or similar.

If you take say OAuth/OIDC, the only thing the browser needs is the token. It doesn't have to be involved in the authentication at all really, it just needs a token it can send as part of the requests.

Of course this requires that the site uses OAuth/OIDC, but hopefully that's where things are headed.

I don't disagree.. but I stopped really using oauth when realizing that I could lose access to all those services if the whim of an algorithm closes my (oauth) account.
Right, but using OAuth doesn't mean using Google, Microsoft or Facebook for everything. It's common cause it's convenient, but has issues like you say.

Someone running a Discourse forum could very well run say Ory[1] to have their own OAuth2 authentication service, if they wanted. Hopefully things like this will get a bit tighter integrated than it currently is.

[1]: https://www.ory.sh/run-oauth2-server-open-source-api-securit...

> I don't use any browser plugins for password managers, choosing instead either to copy/paste them by hand from my password manager

This is my practice, but I take it a step further. My passwords are stored in a non-networked password manager on my phone, not on any other machine. So when I need to use a password, I can't copy/paste. I have to type it in by hand.

I want maximal disconnect between my password manager and anything that uses passwords. And I never use SSO stuff, because I don't want anybody involved in authentication aside from me and the thing I'm authenticating to.

Quite the contrary, having the browser be the password manager is the way to go, and it works well today.

My only complaint is around data portability. Exporting and importing passwords should be hassle-free.

> Obviously, anything with OAuth is "bundled" into my Google account. So if anything this is a huge underestimate.

If Google ever pulls the plug on you, you're in for a bad time.

I guess despite how cool it is to hate Facebook in 2023 there’s a really solid case to be made that it’s a smarter “OAuth” choice than Google, since with Google, if you fell back to resetting your password for another site to get in after a Google account shutdown, the email on the account would be the same Gmail account that you’re locked out of!
3,995 by 1Password as of May 21, 2023.