Ask HN: I have 176 logins/accounts. How many do you have?
Here is a screenshot of my Bitwarden: https://imgur.com/a/UdG7Inb
They include some really important things such as:
Health insurance G-Suite for work Bill.com (which I use to get paid) IRS.gov (which I use to get un-paid) UK Companies House Register Interactive Brokers My bank
Obviously, anything with OAuth is "bundled" into my Google account. So if anything this is a huge underestimate.
I'm asking because of how insane auth has become. I know companies like OnePassword and Bitwarden are working on this and overall they do a great job. But I still have a near-stroke every time I have to do the "forgot my password" loop, or use Duo Mobile/other 2FA.
The only really good auth feature I've ever encountered has been Apple's "fill from Messages" feature as well as their Touch.
295 comments
[ 3.2 ms ] story [ 421 ms ] threadI don't think 176 is wildly unusual; it may be a bit higher than some people, but it's certainly not a Guinness World Record or anything like that.
If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful.
These are logins I collected over the last 15 years. A lot of them are for pages that don’t event exist anymore.
It’s funny you bring this up because I’ve thought about “cleaning up” 1password before. But all the extra accounts are not really in my way.
I never use oauth (like to create a new account / password for everything). All of my work-related accounts are in there from several employers. Lots of passwords for (probably dead) servers. I count 28 logins for salesforce.com from past employers, various sandboxes, and consulting gigs.
Me too. I have 672. Lots are for accounts I set up for nieces/nephews, etc., so those don’t really count. I bet 100 are stale as well I’ll clean them up one day. Lol.
1078 - many I of them I've used once
Some time ago I realized what a waste was to store so many secrets, even more knowing that for the most part I'll probably never need them again.
For the - proportionally few - important secrets, I use (and really like) Pass[1].
[0]: https://aprico.org
[1]: https://www.passwordstore.org/
They've tried to change the requirement, but it comes from vendor software. The vendor just waves around a middle finger and points to the contract.
I'm a bit ashamed that I never found the time to write down some docs, so I never really shared it, apart from a few friends and colleagues. On desktop, the web extension is quite convenient, it will autofill everything for you but the master password.
On iOS, I made a simple shortcut[0] where you share a url and - thanks to the os autofill - you just get your password copied into the clipboard, no input required at all. Also, on Android there is something similar using the PWA Web Share Target API.
And that's it, thanks for your kind words.
[0]: https://www.icloud.com/shortcuts/2dcb6680e6b3424d8708e673e1a...
That's funny, I've stopped caring about remembering most passwords and use the "forgot my password" loop as a login mechanism for rarely accessed sites/services. I also only enable 2FA on important ones like email, github, or banking. Basically my threat model includes my ability to lose things.
> Obviously, anything with OAuth is "bundled" into my Google account.
Maybe it's just me, but I try to never use centralized identity providers (outside of things that I really don't care about) and use separate e-mail auth whenever possible, across multiple e-mail accounts (some self-hosted). Same with considering separate Google accounts for phones, services like e-mail, a separate one for any content creation on YouTube and so on (ideally without any of them coming in contact with one another).
The idea is that one account getting closed/suspended shouldn't result in ALL of the linked stuff becoming inaccessible. I don't even do anything weird online, it's just that nowadays you hear lots of stories about people getting banned based on some heuristics by automated systems, with no ways of getting in contact with the support. Even something like a VPN might trip those systems up. Similar things have happened to me before (a SaaS provider didn't want to do business with me) for no good reason even without a VPN, but trying a year later with the same credit card didn't result in the other account being auto-suspended. How odd.
I guess the next step would be to have usernames, phone numbers and even payment methods (apparently virtual credit cards sometimes work) also be more randomized and more compartmentalized, though something tells me it'd be a pain to do that. That said, I largely believe that privacy online is mostly dead due to how much fingerprinting there is, though one can still protect themselves from automated systems acting weird, because nobody genuinely cares about that, at least at the scale where they're needed.
> I guess the next step would be to have usernames, phone numbers and even payment methods (apparently virtual credit cards sometimes work) also be more randomized and more compartmentalized, though something tells me it'd be a pain to do that. --- I do that. It's no trouble. I use various usernames to 'fuzz' tracking. Yes, anyone who really cared could track me by my IP address, but trackers are like whales sieving krill; they get so much, they don't bother to look very hard.
This is the most out-of-whack part in my humble opinion. Most of us have a tremendous amount of data and things like auth tokens tied up in Google, and Apple, and due to their scale and the fact that at least for GOOG it’s a “free service,” they’ve set the expectation up that “support” should be limited to searching an FAQ, and also that any account they ban must be some kind of troll account that shouldn’t be listened to. God forbid they give you a phone number where you could bother a person until your problem was solved.
Using ad-supported services for vital stuff is risky. But I know even Apple isn’t very helpful, even for those of their iCloud users who pay.
Exception are my work accounts. Here I am public anyway, so what gives. I think there still is a huge risk of industrial espionage, but anyway...
I keep wishing for something better.
A great start would be to reduce friction, by having some standardized interop between browsers and a password manager. Like, my browser shouldn't know or care about passwords, it should just mediate the authentication request to my chosen password manager through some standardized means.
This way lies dragons. Browsers are among the most complicated software that most people run on their machines these days, and the number of bugs lurking in them is probably large.
I don't use any browser plugins for password managers, choosing instead either to copy/paste them by hand from my password manager, or using xdotool or hammerspoon to type them in.
If you take say OAuth/OIDC, the only thing the browser needs is the token. It doesn't have to be involved in the authentication at all really, it just needs a token it can send as part of the requests.
Of course this requires that the site uses OAuth/OIDC, but hopefully that's where things are headed.
Someone running a Discourse forum could very well run say Ory[1] to have their own OAuth2 authentication service, if they wanted. Hopefully things like this will get a bit tighter integrated than it currently is.
[1]: https://www.ory.sh/run-oauth2-server-open-source-api-securit...
This is my practice, but I take it a step further. My passwords are stored in a non-networked password manager on my phone, not on any other machine. So when I need to use a password, I can't copy/paste. I have to type it in by hand.
I want maximal disconnect between my password manager and anything that uses passwords. And I never use SSO stuff, because I don't want anybody involved in authentication aside from me and the thing I'm authenticating to.
My only complaint is around data portability. Exporting and importing passwords should be hassle-free.
If Google ever pulls the plug on you, you're in for a bad time.