As a result, I store very few accounts overall and checking out as "guest" hasn't been a problem of any sort. There's like 10 critical things that I feel the need to store the password on and they all use a hardware key for 2fa anyways.

For the two accounts that I absolutely can't lose access to, I just used the "Correct Horse Battery Staple" method and came up with two very long and secure passwords that I have no trouble remembering.

If it’s truly a throwaway I just use an email address like shitsinthewoods@mailinator.com, grab what I need, and go on with my life. If I ever happen to need to login again, I’ll just send a password reset to the mailinator address and once again carry on with life.

especially if they use some sort of cheap cloud service to send email/sms, then it can take 15-20 minutes to receive password reset link

have you not encountered cases like these?

If someone wants to take over my last.fm account that I haven't used in 3 years, sure go for it.

The important accounts get a randomly generated password stored in my password manager. And the really important accounts only have half the password saved, I manually fill in the other half.

- Access to any of your accounts could make impersonation easier. You might not be the one who suffers from whatever they do. Or if they can assemble enough PII, you might unexpectedly have a line of credit taken out on your name.

- Many websites use some form of federated login, or a crossover kinda situation where you have a username/password login that is linked to eg a Google account. Access to the username/password account could open you up to an attack on the juicy targets.

Personally, I'd rather none of my accounts are easily compromised, but that's a pipe dream - it's not up to us to secure the services we use. So best thing to do is just use a good password.

It's easy these days to use a good password, though I acknowledge still tedious/impossible to update all of your services.

This one's easy. Don't use federated logins for anything. They're a bad idea.

That way if my bitwarden gets compromised, attacker still doesn't have my gmail, bank, etc. logins

It adds a little bit of security while being mega simple

Simple and genius. Why am I managing all these extra passwords?!

I often order something and need to login and retrieve the order info for a return or warranty information. Or if I’m ordering an item or similar item and want to refer to prior purchase. And some ordering website absolutely do give good order tracking for Guest checkouts. We have no covered entry, so like to know when our packages will arrive if it is raining.

> Obviously, anything with OAuth is "bundled" into my Google account.

Maybe it's just me, but I try to never use centralized identity providers (outside of things that I really don't care about) and use separate e-mail auth whenever possible, across multiple e-mail accounts (some self-hosted). Same with considering separate Google accounts for phones, services like e-mail, a separate one for any content creation on YouTube and so on (ideally without any of them coming in contact with one another).

The idea is that one account getting closed/suspended shouldn't result in ALL of the linked stuff becoming inaccessible. I don't even do anything weird online, it's just that nowadays you hear lots of stories about people getting banned based on some heuristics by automated systems, with no ways of getting in contact with the support. Even something like a VPN might trip those systems up. Similar things have happened to me before (a SaaS provider didn't want to do business with me) for no good reason even without a VPN, but trying a year later with the same credit card didn't result in the other account being auto-suspended. How odd.

I guess the next step would be to have usernames, phone numbers and even payment methods (apparently virtual credit cards sometimes work) also be more randomized and more compartmentalized, though something tells me it'd be a pain to do that. That said, I largely believe that privacy online is mostly dead due to how much fingerprinting there is, though one can still protect themselves from automated systems acting weird, because nobody genuinely cares about that, at least at the scale where they're needed.

This is the most out-of-whack part in my humble opinion. Most of us have a tremendous amount of data and things like auth tokens tied up in Google, and Apple, and due to their scale and the fact that at least for GOOG it’s a “free service,” they’ve set the expectation up that “support” should be limited to searching an FAQ, and also that any account they ban must be some kind of troll account that shouldn’t be listened to. God forbid they give you a phone number where you could bother a person until your problem was solved.

Using ad-supported services for vital stuff is risky. But I know even Apple isn’t very helpful, even for those of their iCloud users who pay.

Exception are my work accounts. Here I am public anyway, so what gives. I think there still is a huge risk of industrial espionage, but anyway...

I keep wishing for something better.

A great start would be to reduce friction, by having some standardized interop between browsers and a password manager. Like, my browser shouldn't know or care about passwords, it should just mediate the authentication request to my chosen password manager through some standardized means.

This way lies dragons. Browsers are among the most complicated software that most people run on their machines these days, and the number of bugs lurking in them is probably large.

I don't use any browser plugins for password managers, choosing instead either to copy/paste them by hand from my password manager, or using xdotool or hammerspoon to type them in.

This is my practice, but I take it a step further. My passwords are stored in a non-networked password manager on my phone, not on any other machine. So when I need to use a password, I can't copy/paste. I have to type it in by hand.

I want maximal disconnect between my password manager and anything that uses passwords. And I never use SSO stuff, because I don't want anybody involved in authentication aside from me and the thing I'm authenticating to.

If you take say OAuth/OIDC, the only thing the browser needs is the token. It doesn't have to be involved in the authentication at all really, it just needs a token it can send as part of the requests.

Of course this requires that the site uses OAuth/OIDC, but hopefully that's where things are headed.

Someone running a Discourse forum could very well run say Ory[1] to have their own OAuth2 authentication service, if they wanted. Hopefully things like this will get a bit tighter integrated than it currently is.

[1]: https://www.ory.sh/run-oauth2-server-open-source-api-securit...

My only complaint is around data portability. Exporting and importing passwords should be hassle-free.

> I guess the next step would be to have usernames, phone numbers and even payment methods (apparently virtual credit cards sometimes work) also be more randomized and more compartmentalized, though something tells me it'd be a pain to do that. --- I do that. It's no trouble. I use various usernames to 'fuzz' tracking. Yes, anyone who really cared could track me by my IP address, but trackers are like whales sieving krill; they get so much, they don't bother to look very hard.

I have 35 in my password manager. I purge the ones I don't need every 2 or 3 months. I even gave away GOG and Steam accounts to friends after years of not playing games.

Sometimes I have to send a threatening email to delete some accounts. Currently there's about 2 I'm waiting for an answer.

It's gotten worse lately: people just don't delete your account anymore :D. Because of that, I use "hide my email" and put fake personal data pretty much everywhere now. When I REALLY don't care or am just checking the service, I use a burner email.

I honestly wish I had close to zero. I really hate SaaS and I really hate websites that require a login for stupid stuff (like... a barbershop that needs login/password for scheduling haircuts? fuck off).

Being able to schedule appointments online is one of the big wins of modern life imo: it beats waiting around on hold and laboriously explaining to the receptionist how to spell my last name.

I made an optometrist appointment online recently. Their online calendar showed which dates and times were available, so I picked the closest one which was still a few weeks out. I got an email immediately after and a text message confirmation the day before. When I went in at the correct day and time, the receptionist told me I wasn't anywhere in their system and they had no idea there was even an online appointment form. (Yes it was the correct business and they only had one location.)

My guess is that they recently paid for a website which included online scheduling and integration but someone forgot to flip the switch that sent the appointment to their scheduler.

This is not that bad in the beginning (though certainly not good!), the hopeful customer won't be promised anything before the appointment is actually made. If the presentation is sufficiently clear about the appointment hunt not really being over before confirmation it's not that bad. But even when started in a rather benign form, these things can quickly turn nasty, by skimping on the back office and/or "streamlining" the UI into a presentation that isn't clear at all about nothing being committed yet. And I'd also imagine that unscrupulous competition might be tempted to fake-register with the service in some zero-cost tier, effectively black-holing all appointment request to let the resulting Google/yelp/whatever zero star reviews ruin their competition. Which points us to the deepest tier of darkness, the appointment service knowingly claiming to have made an appointment when they haven't, betting on more of the fallout hitting the small business than themselves and using that to coerce them into buying the service (essentially a darker form of what yelp was famous for).

Why the hell no?

At worst "an anonymous form" can ask for your mobile number only to remind you about the appointment (if it's not today for example). At best it should be really optional. In both cases there is absolutely zero need for both a login and a password.

I have a local pizza joint working like that - you just punch in what you need, your number with SMS code confirmation and you are in, with your address/es and pizza coins or whatever. And they have your number to contact you if anything is wrong with the order/delivery.

Another one just asks for a number and call back to confirm with an operator.

Why the hell I do need a login, a password and email|Facebook|whatever for a pizza delivery?

i can make appointments for my country's embassy by picking a time slot and giving them my email address. confirmation then comes by email. no login and password needed.

I'd like to do this there, too. I sorta already do: I use "hide my password" for their website and delete it after the appointment.

In this specific case I was talking about it's even worse: I already have to click a link in the email (or answer an SMS) to confirm the appointment. It's ludicrous.

I 100% prefer to schedule appointments over the phone. That's never gone wrong for me, where scheduling online has gone very wrong quite a lot.

Do you remember when it was a random layout virtual keyboard? Good times.

No, they're either going to reuse their passwords or use post-its or excel.

> It almost makes shaming people for re-using passwords look like you're out of touch.

Shaming regular people for reusing passwords _is_ out of touch.

- Inherent MFA that is faster and more secure than SMS codes, or app notifications.

- One pin code and/or biometric to remember rather than hundreds.

The answer isn't to add another layer of management to passwords, but to eliminate passwords as a method of authentication.

It's why we always laugh at anyone who says to "not reuse passwords".

Whether it is safe or not, people can argue, but more practical? It definitely is.

Sooner or later someone could take control of one of the accounts you don't care about and use in a way you don't expect to gain control of things you do care about.

An example would really drive your point home. Can you provide one that people would deem "dangerous"?

Edit: ccooffee just mentioned in the thread that you could be de-anonymized by reusing the same password. Is this what you mean? There's a spectrum of comfort with privacy so maybe that's the source of the disagreement between whether it is important to have unique passwords or not for accounts that don't contain financial/SSN/medical/etc information

You might not care about what's contained in a certain online account, but there could be utility in taking control.

I'm now firmly in the "everything gets a unique password" camp. There are 4 important passwords I type myself, but everything else is in a password vault.

https://news.ycombinator.com/item?id=36025420

Sorry about the (lack of) order. Looks like it's randomized? (feature)

[1] https://www.theregister.com/2016/07/24/nist_says_sms_no_good...

Why can't I set up an Authenticator again?

SMS might not be the most secure, but it's probably better than 1FA, and absolutely everyone can use it. Enter your number, receive text, boom.

Controversial opinion: If you are given all these options and you cannot/refuse to use them, you shouldn't manage your insurrance trough the web. Either you are wholly computer-illiterate, deeply misinformed or you are not educated enough to use it safely.

Of course, the main issue is that companies only give SMS 2FA as an option, or only one other, like the App method, which forces users without phones to fall back to SMS. Worst part is that especially financial institutions are guilty of this.

Source: I work at a place that is a natural target for this kind of thing.

Not just the hassle of re-connecting the accounts, but even knowing which ones were inextricably linked to the phone number to which I no longer had access.

(I think I could have requested the number personally, but I wanted to make a clean break, and having a new phone number meant I was much more difficult to contact for any legacy issues I no longer cared about - double-edged sword)

  $ gource … ~/.password-store | ffmpeg … password-store.mp4
  $ publish password-store.mp4
  QmeN62Ewuv93epe27VmniXHUFJQLirFfEo5eM1sKdxd2m5

Don't have numbers for my work machine upstairs, but on my phone here's how recently they were all used:

1 Day: 1 2 Days: 1 14 Days: 3 30 Days: 3 60 Days: 8 90 Days: 6

So, mostly cruft. I have a lot of stuff still done via Google auth, despite migrating all my domains and email to Fastmail couple of years back (which has been flawless since). Also, just checked, and I only have 27 entries in Authy.

You might as well ask me how many grains there are in my salt shaker.

Interesting academic question, but seeing so many people climb on their soap box is wild.

It’s funny you bring this up because I’ve thought about “cleaning up” 1password before. But all the extra accounts are not really in my way.

I never use oauth (like to create a new account / password for everything). All of my work-related accounts are in there from several employers. Lots of passwords for (probably dead) servers. I count 28 logins for salesforce.com from past employers, various sandboxes, and consulting gigs.

Me too. I have 672. Lots are for accounts I set up for nieces/nephews, etc., so those don’t really count. I bet 100 are stale as well I’ll clean them up one day. Lol.

They will not innovate themselves out of existence.

Still using 1Password 7 and its self-hosted vaults with the 1Password app denied all network access.

This is good reminder that I should login to all my old Google accounts to keep them from being deleted since Google is finally making moves to erase accounts unused for over 2 years. (especially given how it's always getting more difficult to create new G accounts)

    $ pass | wc -l
    321

`pass` is a command line password manager: https://www.passwordstore.org/

  % bw list items | jq length
  494

Pass using git as its storage backend doesn't make a whole ton of sense for me. It's convenient enough for syncing if you use a public git host, but it's got a lot of unnecessary power. More than a few times I had to merge by hand when I had changes from both my laptop and my phone.

I use vaultwarden these days and it's pretty great. I wrote a (gross, ugly, but that's fine because I used it exactly once) thing to migrate from pass to bitwarden/vaultwarden, https://github.com/philsnow/pass-to-bitwarden

edit: forgot to mention, if you don't care about using Bitwarden the company for hosting, they have a somewhat generous free-forever tier https://bitwarden.com/pricing/

    $ pass |wc -l
     176

  $ gopass list --flat | wc --lines
  575

  $ pass|wc -l
      1252

(I wish 1Password let you order credentials by "last used". This way I could start deleting from the oldest last used accounts.)

I wish I had less accounts because each account means some random website holding my data hostage. It's too common that a website doesn't allow you to delete an account. Sometimes you can find a support email and request a deletion. Other times, all I can do is try to replace my data with junk data. Although, even that isn't possible sometimes!

(Rocketbook won't let you change your email, for example. Or ChatGPT saves your phone number after you delete your account.)

I'm closing in on 5000 credentials in 1Password, personally, but my collected vaults/database is 15+ years old now and definitely has [problematic duplicates](https://github.com/1Password/solutions/issues/1).

After a lengthy-enough sample of semi-formal self-observation, I'm averaging:

- signing in/authenticating 10 times/day (including weekends,) and most of those are repeats with the same service. - Almost 10 new accounts/credentials per week. (Granted, I'm pretty darn indiscriminate about doing so while exploring.)

Without tangenting too far, if anyone has any advice about how to constructively normalize password management (even just as an abstract) for end users - whatever that may mean - I'd love to hear it.

As for maintenance, I don't think it's much, and I'm not even using the browser integration (again, for security). It's a few simple clicks to create a new entry, and the default auto-fill (username, tab, password, enter) works on most of the websites.

I'm currently shopping around for a new password manager but that's proving to be a frustrating search. Bitwarden scrambled my master password so that I lost access, not just once but twice (password was saved in another password manager, so definitely correct). Lastpass has 'issues'. Dashlane web app only gives me an error message. 1Password feels clunky but may be what I end up going with. Needs to be usable & shareable by tech-averse spouse & children as well, so hosting my own isn't really an option.

Some time ago I realized what a waste was to store so many secrets, even more knowing that for the most part I'll probably never need them again.

For the - proportionally few - important secrets, I use (and really like) Pass[1].

[0]: https://aprico.org

[1]: https://www.passwordstore.org/

I'm a bit ashamed that I never found the time to write down some docs, so I never really shared it, apart from a few friends and colleagues. On desktop, the web extension is quite convenient, it will autofill everything for you but the master password.

On iOS, I made a simple shortcut[0] where you share a url and - thanks to the os autofill - you just get your password copied into the clipboard, no input required at all. Also, on Android there is something similar using the PWA Web Share Target API.

And that's it, thanks for your kind words.

[0]: https://www.icloud.com/shortcuts/2dcb6680e6b3424d8708e673e1a...

They've tried to change the requirement, but it comes from vendor software. The vendor just waves around a middle finger and points to the contract.

That's funny, I've stopped caring about remembering most passwords and use the "forgot my password" loop as a login mechanism for rarely accessed sites/services. I also only enable 2FA on important ones like email, github, or banking. Basically my threat model includes my ability to lose things.

I'd have more but even 1Password doesn't always catch when I'm creating an account login, or resetting a password, etc. I do the work to input some of them, but not always (I get lazy).

I do try a lot of tools, and I have a lot of personal and professional GMail OATH logins too, which -- fortunately -- 1Password now tracks.

I don't use OAuth, except for two services - which I could switch to user/pass if I really wanted.

45+ 2FA on Authy

2 yubikeys

It gets... pretty confusing, especially as I've not checked the gopass repo, where I keep _other_ stuff, too...

I don't use most of them. A third of them are for my spam email address. I'm starting to notice Bitwarden taking its sweet time decrypting them all, though.

Despite the huge number of accounts, logging into anything is seamless across any of my devices. And access to my vaultwarden is securely protected. Password managers are great. Really looking forward to vaultwarden eventually storing Passkeys as well, and using passkeys to login instead.

Or maybe I've misunderstood. Are they behind different master passwords or something?

This primarily only protects against leaked passwords from the site being hacked. Not from vaultwarden being hacked. But if my vaultwarden gets hacked I’m done anyway. They will had to have used multiple factors to get into the vaultwarden anyway.

Quick edit: I’ve also got all the codes in an actual Authenticator app on my phone (so I can get into vaultwarden if I have to) But they are additionally in vaultwarden for convenience. When vaultwarden autofills, it copies the code to my clipboard and I can seamlessly pass the second factor check. Either way, access to the codes needs physical access to a device I’m already on. In practice I’m only ever logged into vaultwarden on my phone and my PC, although I could login remotely if I had to. As an additional safety measure, when my vault is logged into some monitoring software sends me a push notification through an external service.

The password is the "thing you know" and the password manager file is the "thing you have". So if someone compromised your email account knowing your password, they still need to access your password manager file to get access to the 2FA codes.

So it's still a second factor in that sense.

> Obviously, anything with OAuth is "bundled" into my Google account.

I too used to live dangerously. But then I took an arrow... sorry, wrong one... then I read too many stories about "Google locked my account and now my life is ruined" and stopped using Google auth with anything but the least important sites on which I wouldn't mind losing the login.

It's incredibly insane but I manage it by adding a namespace postfix so it's easier to identify which when autocompleting login forms. For example, "Google (Personal), "Google (UMich)" etc.

The password manager mostly serves the role of autofilling stuff in browsers.

This is an accumulation since ~2010 starting with 1Password, then LastPass, then Bitwarden.

[edit: 1339 items have a password but only 1180 of those also have a username]

I'm running around 838 accounts because why not? I have a unique password for each login since five years ago. I went from LastPass to 1Password and finally settled on self-hosted Bitwarden(Vaultwarden) a year ago.

I guess most of it is likely work related. I cycle through many projects. Each of them have many accounts tied to them. Eg: DNS, domain, hosting, etc etc. Not to mention all the business systems like HR.

307 includes stuff like security questions as well though, so the answer to "What is your mother's maiden name?" tends to be something along the lines of "f+2Tng+DO?X).`W/7*5IQ_"

I try to avoid SSO, only exceptions are a single forum, which had broken registration, and my uni. Why? 1. SSO is a single point of failure, which you (unlike BW) cannot audit yourself; 2. You have to trust it's not gonna sell your data - perfect graph of services one person has is of course very juicy information; 3. They the make management of one's accounts slightly harder, as you cannot easily know how many you have by looking into your BW; 4. You are locked into your SSO service.

For MFA, I use fido keys (yubikeys), which I have to highly, highly recommend. Not only are they miles ahead of anything else, but they are also so easy and quick to use. I have a little one permanently in my usb port and to log in you just touch it. I'd recommend this if you are MFA-fatigued. Obviously, I always take the best form of 2FA available regardless.

All passwords in BW are long random alphanumeric and I have a XKCD-style password for that and something similar for FDE/logins into computers.

BTW, getting BW was the best decision I could have made, not really for security (although that's obviously the point) but fkr convinience. No more silly variants on passwords and no more guessing emails for reset.

My oldest working account is probably 1996's ICQ.

For my frequently accessed accounts, I also prefer Apple Keychain to login faster across the devices.

I don't think 176 is wildly unusual; it may be a bit higher than some people, but it's certainly not a Guinness World Record or anything like that.

Annoyingly they're all for forums I was part of as a teenager 15-20 years ago with a dead email address referencing pink monkeys.

I just never get round to cleaning it up.

746 unique passwords, ~600 unique usernames, ~600 unique email addresses.

Given my use of password managers goes back to pre 2000 I'm willing to bet a sizeable percentage of the sites don't even exist any more

This is because I rotate accounts frequently (well, besides here).

It was hard to find it in the new version of 1password

If Google ever pulls the plug on you, you're in for a bad time.

Not counting all the sites for which I use the "Log in with Google/Facebook/etc". Many of these credentials I haven't used for years.

I don't want to tell how I store them, but for these 5, I could even memorize them.

Edit. That is only my work 1pass. I have a personal instance too with a few hundred.

Crazy isn't it. Not everything is a login, and not everything is a password. There are keys in there for instance, and some credit cards. The majority are logins though. Crazy, isn't it.

1078 - many I of them I've used once

Loads of old crap though. Will clean it out next time I'm migrating passwd managers. Probably 50-ish that actually matter

These are logins I collected over the last 15 years. A lot of them are for pages that don’t event exist anymore.

find .password-store -type f | wc -l says 1248.

Need some cleanup I supposed...

Wallet based login and account management onchain.

Perhaps a poll would with ranges would have been better.

0-100

101-300

301-800

801-1200

1200+

I’m honestly surprised I’m not over 750.

I'm surprised to see so many people with low hundreds.