HackerTrans
TopNewTrendsCommentsPastAskShowJobs

Ask HN: I have 176 logins/accounts. How many do you have?

185 points·by bojangleslover·3 yıl önce·293 comments
Here is a screenshot of my Bitwarden: https://imgur.com/a/UdG7Inb

They include some really important things such as:

Health insurance G-Suite for work Bill.com (which I use to get paid) IRS.gov (which I use to get un-paid) UK Companies House Register Interactive Brokers My bank

Obviously, anything with OAuth is "bundled" into my Google account. So if anything this is a huge underestimate.

I'm asking because of how insane auth has become. I know companies like OnePassword and Bitwarden are working on this and overall they do a great job. But I still have a near-stroke every time I have to do the "forgot my password" loop, or use Duo Mobile/other 2FA.

The only really good auth feature I've ever encountered has been Apple's "fill from Messages" feature as well as their Touch.

299 comments

akira2501·3 yıl önce
If I need to login to your site less than once or twice a year, "Forgot my password" is my password manager. Personally, I feel that the utility of me working to keep and maintain that information in a database for high availability is essentially zero.

As a result, I store very few accounts overall and checking out as "guest" hasn't been a problem of any sort. There's like 10 critical things that I feel the need to store the password on and they all use a hardware key for 2fa anyways.

For the two accounts that I absolutely can't lose access to, I just used the "Correct Horse Battery Staple" method and came up with two very long and secure passwords that I have no trouble remembering.
Narushia·3 yıl önce
I don’t think there’s really any “maintaining” to be done when I sign in to a new service that I won’t be using often. Complete the sign-in page → Bitwarden asks me if I want to save the credentials → click yes. That’s it. I can auto-fill that the next time I log in.
a2128·3 yıl önce
For websites I really don't care about, I just get a disposable email on dropmail, and copy paste the email address to both the email and password fields to save time. Surprisingly, some websites check this and won't allow you to set your password to your email, but removing the last character or adding a 1 at the end works around it.
powvans·3 yıl önce
Why even go to that much trouble?

If it’s truly a throwaway I just use an email address like [email protected], grab what I need, and go on with my life. If I ever happen to need to login again, I’ll just send a password reset to the mailinator address and once again carry on with life.
JohnFen·3 yıl önce
There are a lot of services that disallow email addresses to services like mailinator. That's why I stopped using them, and instead, I have a special "garbage" address on my mailserver.
stevage·3 yıl önce
Problem I find is being sure I "really don't care about it". Sometimes sites become more useful than I expect, etc etc.
ChatGTP·3 yıl önce
https://10minutemail.com/
slt2021·3 yıl önce
problem is that sometimes these websites takes forever to send password recovery email.

especially if they use some sort of cheap cloud service to send email/sms, then it can take 15-20 minutes to receive password reset link

have you not encountered cases like these?
hammyhavoc·3 yıl önce
The problem usually isn't that it's a cheap cloud service, the problem is usually that their cron task is hourly, or more commonly, their scheduled tasks depend on a non-cached page of their website being hit (how people generally mismanage WordPress), but traffic is of course inconsistent.
tapland·3 yıl önce
It happens. There's always a compromise to make depending on the hassle to reset the password.
plugin-baby·3 yıl önce
GoDaddy is one example.
cheeze·3 yıl önce
I just use a crappy password. It's been leaked before. I don't care.

If someone wants to take over my last.fm account that I haven't used in 3 years, sure go for it.

The important accounts get a randomly generated password stored in my password manager. And the really important accounts only have half the password saved, I manually fill in the other half.
Cannabat·3 yıl önce
I guess that's kinda fine, but there are at least two reasons to not do this:

- Access to any of your accounts could make impersonation easier. You might not be the one who suffers from whatever they do. Or if they can assemble enough PII, you might unexpectedly have a line of credit taken out on your name.

- Many websites use some form of federated login, or a crossover kinda situation where you have a username/password login that is linked to eg a Google account. Access to the username/password account could open you up to an attack on the juicy targets.

Personally, I'd rather none of my accounts are easily compromised, but that's a pipe dream - it's not up to us to secure the services we use. So best thing to do is just use a good password.

It's easy these days to use a good password, though I acknowledge still tedious/impossible to update all of your services.
JohnFen·3 yıl önce
> Many websites use some form of federated login

This one's easy. Don't use federated logins for anything. They're a bad idea.
massysett·3 yıl önce
Why save half the password, versus not saving any of it at all? Is this because the password is very long and you just want to save keystrokes?
WitCanStain·3 yıl önce
It's a lot easier to remember the second half if you know the first half (if it's a password and not a passcode)
cheeze·3 yıl önce
Half of the password is randomly generated, the other half is something I add that I can derive easily (think last 5 letters of the website reversed, etc.)

That way if my bitwarden gets compromised, attacker still doesn't have my gmail, bank, etc. logins

It adds a little bit of security while being mega simple
schainks·3 yıl önce
Rofl my reaction to this was the same as when a friend complained about his todo system complications and I told him “why not email yourself”.

Simple and genius. Why am I managing all these extra passwords?!
nytesky·3 yıl önce
Checking out with guest is okay, as long as you are judicious about not deleting emails.

I often order something and need to login and retrieve the order info for a return or warranty information. Or if I’m ordering an item or similar item and want to refer to prior purchase. And some ordering website absolutely do give good order tracking for Guest checkouts. We have no covered entry, so like to know when our packages will arrive if it is raining.
jay_kyburz·3 yıl önce
Yeah, I'm the same. Google and a few others. The rest all just get the new password that Firefox suggests and I don't even pay attention to what it is.
rhn_mk1·3 yıl önce
A password manager is not just a way to manage passwords. It's also a way to manage who holds your personal data, so you can GDPR request them to stop.
kdklol·3 yıl önce
This. It's so valuable just to know how exposed you may be. I know a guy who missed a data leak and later got one of his accounts stolen. I think his Steam? It was way back in the day... For him, it was a cheap reminder to take passwords hygiene seriously. For someone else, it could have been a someone-took-out-a-line-of-credit-in-my-name reminder.
courseofaction·3 yıl önce
If I haven't used your website in the last 15 minutes and you have unconventional password requirements, I'll be logging in via email :)
KronisLV·3 yıl önce
Around 300 at this point, sans any deleted ones. I don't think I know a single password anymore, since they're all randomized and separate for each site.

> Obviously, anything with OAuth is "bundled" into my Google account.

Maybe it's just me, but I try to never use centralized identity providers (outside of things that I really don't care about) and use separate e-mail auth whenever possible, across multiple e-mail accounts (some self-hosted). Same with considering separate Google accounts for phones, services like e-mail, a separate one for any content creation on YouTube and so on (ideally without any of them coming in contact with one another).

The idea is that one account getting closed/suspended shouldn't result in ALL of the linked stuff becoming inaccessible. I don't even do anything weird online, it's just that nowadays you hear lots of stories about people getting banned based on some heuristics by automated systems, with no ways of getting in contact with the support. Even something like a VPN might trip those systems up. Similar things have happened to me before (a SaaS provider didn't want to do business with me) for no good reason even without a VPN, but trying a year later with the same credit card didn't result in the other account being auto-suspended. How odd.

I guess the next step would be to have usernames, phone numbers and even payment methods (apparently virtual credit cards sometimes work) also be more randomized and more compartmentalized, though something tells me it'd be a pain to do that. That said, I largely believe that privacy online is mostly dead due to how much fingerprinting there is, though one can still protect themselves from automated systems acting weird, because nobody genuinely cares about that, at least at the scale where they're needed.
xp84·3 yıl önce
> people getting banned … with no ways of getting in contact with the support

This is the most out-of-whack part in my humble opinion. Most of us have a tremendous amount of data and things like auth tokens tied up in Google, and Apple, and due to their scale and the fact that at least for GOOG it’s a “free service,” they’ve set the expectation up that “support” should be limited to searching an FAQ, and also that any account they ban must be some kind of troll account that shouldn’t be listened to. God forbid they give you a phone number where you could bother a person until your problem was solved.

Using ad-supported services for vital stuff is risky. But I know even Apple isn’t very helpful, even for those of their iCloud users who pay.
eastbound·3 yıl önce
Google cornered themselves: I’d never give my credit card to Google. I switched to Apple precisely because I have my emails in Google. Even if both had non-support, it’s better to at least not have to report credit card fraud against the company who also has my emails…
raxxorraxor·3 yıl önce
I still think this is a bad idea. I never use oauth logins and believe the convenience isn't worth the dependence and security risk at all.

Exception are my work accounts. Here I am public anyway, so what gives. I think there still is a huge risk of industrial espionage, but anyway...
str3wer·3 yıl önce
at least they now let download all datas when they ban an account(source: two weeks ago they accused me of being a bot, still waiting for a response to my appeal but meanwhile i've been able to download my stuff)
CamelRocketFish·3 yıl önce
Agreed, enough horror stories have kept me away from using Google as OAuth. The only value I see in it is as part of SSO for employee accounts. Employee leaves and revoke access to everything.
magicalhippo·3 yıl önce
Similar, around 290 personal accounts. In addition comes the logins and such for various internal services like Home Assistant, PiHole etc. Total over 400 in my password manager.

I keep wishing for something better.

A great start would be to reduce friction, by having some standardized interop between browsers and a password manager. Like, my browser shouldn't know or care about passwords, it should just mediate the authentication request to my chosen password manager through some standardized means.
philsnow·3 yıl önce
> some standardized interop between browsers and a password manager. Like, my browser shouldn't know or care about passwords, it should just mediate the authentication request to my chosen password manager through some standardized means.

This way lies dragons. Browsers are among the most complicated software that most people run on their machines these days, and the number of bugs lurking in them is probably large.

I don't use any browser plugins for password managers, choosing instead either to copy/paste them by hand from my password manager, or using xdotool or hammerspoon to type them in.
JohnFen·3 yıl önce
> I don't use any browser plugins for password managers, choosing instead either to copy/paste them by hand from my password manager

This is my practice, but I take it a step further. My passwords are stored in a non-networked password manager on my phone, not on any other machine. So when I need to use a password, I can't copy/paste. I have to type it in by hand.

I want maximal disconnect between my password manager and anything that uses passwords. And I never use SSO stuff, because I don't want anybody involved in authentication aside from me and the thing I'm authenticating to.
magicalhippo·3 yıl önce
Well, the alternatives you mention are all prone to keyloggers or similar.

If you take say OAuth/OIDC, the only thing the browser needs is the token. It doesn't have to be involved in the authentication at all really, it just needs a token it can send as part of the requests.

Of course this requires that the site uses OAuth/OIDC, but hopefully that's where things are headed.
philsnow·3 yıl önce
I don't disagree.. but I stopped really using oauth when realizing that I could lose access to all those services if the whim of an algorithm closes my (oauth) account.
magicalhippo·3 yıl önce
Right, but using OAuth doesn't mean using Google, Microsoft or Facebook for everything. It's common cause it's convenient, but has issues like you say.

Someone running a Discourse forum could very well run say Ory[1] to have their own OAuth2 authentication service, if they wanted. Hopefully things like this will get a bit tighter integrated than it currently is.

[1]: https://www.ory.sh/run-oauth2-server-open-source-api-securit...
atq2119·3 yıl önce
Quite the contrary, having the browser be the password manager is the way to go, and it works well today.

My only complaint is around data portability. Exporting and importing passwords should be hassle-free.
Froedlich·3 yıl önce
I have about 150 accounts, though some of them are logins for vendors I dealt with once, a decade or more ago.

> I guess the next step would be to have usernames, phone numbers and even payment methods (apparently virtual credit cards sometimes work) also be more randomized and more compartmentalized, though something tells me it'd be a pain to do that. --- I do that. It's no trouble. I use various usernames to 'fuzz' tracking. Yes, anyone who really cared could track me by my IP address, but trackers are like whales sieving krill; they get so much, they don't bother to look very hard.
ThatPlayer·3 yıl önce
Not even banned, one of the games I play just put out an announcement that Twitter login support might be dropped soon because of Twitter's API changes, so you better associate your account with email soon.
bin_bash·3 yıl önce
176 sounded so low to me I wasn’t sure if you were talking about for all sites or just HN alts.
whstl·3 yıl önce
I'm probably the one with the least.

I have 35 in my password manager. I purge the ones I don't need every 2 or 3 months. I even gave away GOG and Steam accounts to friends after years of not playing games.

Sometimes I have to send a threatening email to delete some accounts. Currently there's about 2 I'm waiting for an answer.

It's gotten worse lately: people just don't delete your account anymore :D. Because of that, I use "hide my email" and put fake personal data pretty much everywhere now. When I REALLY don't care or am just checking the service, I use a burner email.

I honestly wish I had close to zero. I really hate SaaS and I really hate websites that require a login for stupid stuff (like... a barbershop that needs login/password for scheduling haircuts? fuck off).
lexandstuff·3 yıl önce
I'm confused about what you're fucking off. Would you prefer to schedule haircuts via a call or an anonymous online form?

Being able to schedule appointments online is one of the big wins of modern life imo: it beats waiting around on hold and laboriously explaining to the receptionist how to spell my last name.
bityard·3 yıl önce
Restaurants get the online reservation thing right, usually. With other local small businesses, it's very hit or miss and you are better off calling unless you know for sure their online system actually works.

I made an optometrist appointment online recently. Their online calendar showed which dates and times were available, so I picked the closest one which was still a few weeks out. I got an email immediately after and a text message confirmation the day before. When I went in at the correct day and time, the receptionist told me I wasn't anywhere in their system and they had no idea there was even an online appointment form. (Yes it was the correct business and they only had one location.)

My guess is that they recently paid for a website which included online scheduling and integration but someone forgot to flip the switch that sent the appointment to their scheduler.
usrusr·3 yıl önce
I've seen that sales funnel (selling to the business, not to you) from the other side, integrating some "request appointment" UI where your click supposedly sets some back-office in motion that asks for an appointment with the business that might in fact never had contact with the intermediary before. Then later the sales squad will drop in arguing that all those appointments are revenue that they might lose if they don't become a customer to the full version of appointment tool.

This is not that bad in the beginning (though certainly not good!), the hopeful customer won't be promised anything before the appointment is actually made. If the presentation is sufficiently clear about the appointment hunt not really being over before confirmation it's not that bad. But even when started in a rather benign form, these things can quickly turn nasty, by skimping on the back office and/or "streamlining" the UI into a presentation that isn't clear at all about nothing being committed yet. And I'd also imagine that unscrupulous competition might be tempted to fake-register with the service in some zero-cost tier, effectively black-holing all appointment request to let the resulting Google/yelp/whatever zero star reviews ruin their competition. Which points us to the deepest tier of darkness, the appointment service knowingly claiming to have made an appointment when they haven't, betting on more of the fallout hitting the small business than themselves and using that to coerce them into buying the service (essentially a darker form of what yelp was famous for).
justsomehnguy·3 yıl önce
> Would you prefer to schedule haircuts via a call or an anonymous online form?

Why the hell no?

At worst "an anonymous form" can ask for your mobile number only to remind you about the appointment (if it's not today for example). At best it should be really optional. In both cases there is absolutely zero need for both a login and a password.

I have a local pizza joint working like that - you just punch in what you need, your number with SMS code confirmation and you are in, with your address/es and pizza coins or whatever. And they have your number to contact you if anything is wrong with the order/delivery.

Another one just asks for a number and call back to confirm with an operator.

Why the hell I do need a login, a password and email|Facebook|whatever for a pizza delivery?
JoBrad·3 yıl önce
I want to pick a particular barber at my shop. They also need to know that I’m not a prankster who books a bunch of time slots with no intention of showing. Providing a mobile number (which needs to be confirmed) is a good way to accomplish both. I don’t get any spam from my shop, and would definitely complain if I did. But right now it’s a system that works really well for both of us.
em-bee·3 yıl önce
exactly.

i can make appointments for my country's embassy by picking a time slot and giving them my email address. confirmation then comes by email. no login and password needed.
whstl·3 yıl önce
Neither. I can already schedule in other barbershops, make government appointments, book hotels, purchase food, order guitars online, and several other things, all online and without a login/password. Not anonymous, just doesn't involve an account and a password.

I'd like to do this there, too. I sorta already do: I use "hide my password" for their website and delete it after the appointment.
rhn_mk1·3 yıl önce
There are things that work anonymously (or at least pseudonymously) already: pizza delivery or hotel booking. It's not like the data presented at a random registration form has to reflect your government ID. Skipping the login step just saves the hassle, and preserves the win of being able to do things online.
whstl·3 yıl önce
Exactly. Purchasing with a guest login works fine for most shops here.

In this specific case I was talking about it's even worse: I already have to click a link in the email (or answer an SMS) to confirm the appointment. It's ludicrous.
JohnFen·3 yıl önce
> Would you prefer to schedule haircuts via a call or an anonymous online form?

I 100% prefer to schedule appointments over the phone. That's never gone wrong for me, where scheduling online has gone very wrong quite a lot.
reaperducer·3 yıl önce
a barbershop that needs login/password for scheduling haircuts? fuck off

If it takes reservations, it's not a barber shop. It's a beauty salon.
TeMPOraL·3 yıl önce
That may have been true 10 years ago. Today, it just means the shop is using some popular booking SaaS to get exposure, as a good chunk of would-be customers don't even use web search engines anymore for this - they go to the usual booking site and type in "barbershop" or whatever, and pick from the list there.
ptmcc·3 yıl önce
Well excuse me for wanting to know that my barber has availability before I walk in
BLKNSLVR·3 yıl önce
Telling "Beauty Salons" to fuck off has been the correct answer for 20+ years. The reasons may change (actually, they only get added to), but the reply stays the same.
[deleted]·3 yıl önce
[deleted]·3 yıl önce
bombcar·3 yıl önce
The elites don’t want you to know this but the accounts on the Internet are free you can take them home I have 458 accounts.
belter·3 yıl önce
Every time you "log-in", you're increasing your carbon footprint :-)
bombcar·3 yıl önce
Most of the logins are sequestered in the password manager, for which I get a moderately decent subsidy from the government.
Onavo·3 yıl önce
(1)
morkalork·3 yıl önce
Shit, just looking at the replies, there's a solid case for password managers. No normal human is going to memorize 100+ unique passwords meeting various complexity requirements. It almost makes shaming people for re-using passwords look like you're out of touch. Of course they're following bad practices, how could they not be?!
tzhenghao·3 yıl önce
This. And password managers can do more by constantly checking latest account breaches like on https://haveibeenpwned.com then flagging it to their customers to rotate their credentials.
daneel_w·3 yıl önce
There's a case for that even if you just have 5 important accounts. If the account matters, give it a long random password.
amanzi·3 yıl önce
There's an unfortunate correlation between how long and complex my password is and how I often I have to manually type it in. Microsoft are really good in this regard, and you almost never have to type in your password once you have the Authenticator set up. Google isn't too bad, once you're logged in, but you still sometimes have to type out your password in a situation where having access to your password manager is not convenient. But I find Apple is the worst - I often need to type in my password, and often in situations where I don't have access to my password manager.
trogdor·3 yıl önce
IIRC, Treasury.gov makes you enter your password by clicking buttons on a virtual, on-screen keyboard. Ugh.
nytesky·3 yıl önce
They finally removed the virtual keyboard.

Do you remember when it was a random layout virtual keyboard? Good times.
pishpash·3 yıl önce
Since when? As far as I know they still have the virtual keyboard and it was never random. They used to have a random seed physical card.
loeg·3 yıl önce
May 2 of this year, they posted a notification that the virtual keyboard would be removed the week of May 7 "to improve the customer experience."
mlfreeman·3 yıl önce
They removed it approximately two weeks ago.
trogdor·3 yıl önce
Thank god.
alex_lav·3 yıl önce
> . No normal human is going to memorize 100+ unique passwords meeting various complexity requirements.

No, they're either going to reuse their passwords or use post-its or excel.

> It almost makes shaming people for re-using passwords look like you're out of touch.

Shaming regular people for reusing passwords _is_ out of touch.
johngalt·3 yıl önce
It's a solid case for FIDO2 keys.

- Inherent MFA that is faster and more secure than SMS codes, or app notifications.

- One pin code and/or biometric to remember rather than hundreds.

The answer isn't to add another layer of management to passwords, but to eliminate passwords as a method of authentication.
kdklol·3 yıl önce
This. This is the only thing that actually solves all warts of authentication nowadays. Companies really should switch to a webauthn-first mindset. The technology has been here for over a decade, it's not new. There is a standrad and a library for every language, it's not hard. FIDO2 keys start at 20 bucks and every android phone can act as one, it's not expensive. They are literally the only thing that can actually protect you from phishing and they generate new login creds per domain, protecting your privacy. Companies, support webauthn!
JohnFen·3 yıl önce
I find those keys immensely inconvenient, though. I used them for a couple of years, but finally gave up and went back to long, randomly-generated passwords.
Prickle·3 yıl önce
Yep. Password managers are quickly becoming a required utility for modern services. And oh how painful it would be to lose that. I memorize maybe 10~20 passwords. And I sometimes mix them up in my head as I type them too.

It's why we always laugh at anyone who says to "not reuse passwords".
pugworthy·3 yıl önce
Or a solid case for alternatives to standard username / password login concepts.
causality0·3 yıl önce
I take a pragmatic approach: the dozen logins in my life that actually matter get strong unique passwords, and everything I don't give a shit about gets the same password.
whstl·3 yıl önce
I don't know if I agree. A password manager is more pragmatic even for just a handful of accounts.

Whether it is safe or not, people can argue, but more practical? It definitely is.
lwhi·3 yıl önce
It's not pragmatic, it's dangerous.

Sooner or later someone could take control of one of the accounts you don't care about and use in a way you don't expect to gain control of things you do care about.
tppiotrowski·3 yıl önce
> use in a way you don't expect to gain control of things you do care about

An example would really drive your point home. Can you provide one that people would deem "dangerous"?

Edit: ccooffee just mentioned in the thread that you could be de-anonymized by reusing the same password. Is this what you mean? There's a spectrum of comfort with privacy so maybe that's the source of the disagreement between whether it is important to have unique passwords or not for accounts that don't contain financial/SSN/medical/etc information
lwhi·3 yıl önce
Socially engineered hacks are also a danger.

You might not care about what's contained in a certain online account, but there could be utility in taking control.
Dalewyn·3 yıl önce
Beyond my accounts related to my important email addresses, Steam, finances and medical which can all be counted on one or two hands, I really couldn't give a damn about the other accounts or their password security.

Strong and unique passwords for the important accounts, simple and reused passwords for the rest. You're welcome to hack into my accounts on Hacker News, Reddit, Discord, LINE, various IRC networks, various forums, etc. I don't care; there's nothing important in there besides sentimental value.
ccooffee·3 yıl önce
On its own, the information in those private accounts is probably not interesting. I used to use the "few sites get a unique and secret password, but most reuse the same 10 character one" ruleset, but I became worried about how much data could be aggregated about me. By re-using the same password, I felt like I gave a simple test that attackers could use to definitively confirm "user XYZ on site ABC is the same as ccooffee".

I'm now firmly in the "everything gets a unique password" camp. There are 4 important passwords I type myself, but everything else is in a password vault.
Misdicorl·3 yıl önce
I take the same approach with the extra precaution that those logins also get a separate email address (with a different pseudo-strong password). Makes it really easy to share nonsense logins with my wife/family.
dyingkneepad·3 yıl önce
That's how I lost my Twitter account. Using a PW manager only for the non-important accounts is a definitive improvement at a very low cost.
Tempest1981·3 yıl önce
I created a HN poll: (Underutilized feature)

https://news.ycombinator.com/item?id=36025420

Sorry about the (lack of) order. Looks like it's randomized? (feature)
crooked-v·3 yıl önce
The most infuriating auth-related thing for me is the companies that insist on doing phone-based 2FA. I'm inextricably linked to my specific phone number at this point in a way that previously was only an issue with my email address.
willtemperley·3 yıl önce
This. SMS 2FA has been considered insecure by NIST since 2016 [1] and it's a major pain when travelling and swapping sim cards.

[1] https://www.theregister.com/2016/07/24/nist_says_sms_no_good...
projektfu·3 yıl önce
This is a beautiful catch-22 because when you can't use your SIM is also when they decide your location is too different and you must be reauthorized. The same for anti-fraud text messages, which are nice when you're home but useless when you're out of country.

Why can't I set up an Authenticator again?
Biganon·3 yıl önce
I was thinking this with my health insurance website (which uses SMS 2FA), and I realized the problem is you can't expect your average Joe to know how to manage a TOTP 2FA correctly.

SMS might not be the most secure, but it's probably better than 1FA, and absolutely everyone can use it. Enter your number, receive text, boom.
kdklol·3 yıl önce
There are other options though Couldn't a health insurence company make an app? Or do SSO trough google and such? Webauthn is really easy!

Controversial opinion: If you are given all these options and you cannot/refuse to use them, you shouldn't manage your insurrance trough the web. Either you are wholly computer-illiterate, deeply misinformed or you are not educated enough to use it safely.

Of course, the main issue is that companies only give SMS 2FA as an option, or only one other, like the App method, which forces users without phones to fall back to SMS. Worst part is that especially financial institutions are guilty of this.
tornato7·3 yıl önce
The best solution is to create a Google Voice account and use that number for 2FA
rtsil·3 yıl önce
Until Google decides to retire Google Voice...
NoZebra120vClip·3 yıl önce
Many MFA implementations will detect and disallow the use of VoIP numbers... for security reasons.
twodave·3 yıl önce
Yep, and this is because sim-jacking is actually less profitable than just finding records of people’s _past_ phone numbers and signing up for a voip service that supports sms for that number. And many of the voip providers just don’t do any kind of fraud prevention.

Source: I work at a place that is a natural target for this kind of thing.
BLKNSLVR·3 yıl önce
I had that issue when I left a (15+ year) job with a company that owned the phone number I'd been using for both work and personal. Justification being that this was waaaaay back when mobiles were just becoming ubiquitous; Nokia 3310 days.

Not just the hassle of re-connecting the accounts, but even knowing which ones were inextricably linked to the phone number to which I no longer had access.

(I think I could have requested the number personally, but I wanted to make a clean break, and having a new phone number meant I was much more difficult to contact for any legacy issues I no longer cared about - double-edged sword)
aendruk·3 yıl önce
With a version controlled password store you can do silly things like this:

  $ gource … ~/.password-store | ffmpeg … password-store.mp4
  $ publish password-store.mp4
  QmeN62Ewuv93epe27VmniXHUFJQLirFfEo5eM1sKdxd2m5
https://cloudflare-ipfs.com/ipfs/QmeN62Ewuv93epe27VmniXHUFJQ...
mock-possum·3 yıl önce
well that's fun
thom·3 yıl önce
940 in 1Password (I feel a lightweight that I haven't hit 4 figures yet). Stopped fighting a while back and signed up to the cloud version instead of just having Dropbox backups, partly to help onboard my family better. Haven't regretted it yet, obviously will do if/when I find out all my stuff has been hacked but blah.

Don't have numbers for my work machine upstairs, but on my phone here's how recently they were all used:

1 Day: 1 2 Days: 1 14 Days: 3 30 Days: 3 60 Days: 8 90 Days: 6

So, mostly cruft. I have a lot of stuff still done via Google auth, despite migrating all my domains and email to Fastmail couple of years back (which has been flawless since). Also, just checked, and I only have 27 entries in Authy.
johnorourke·3 yıl önce
Why keep score? If you have a password manager, the number is irrelevant. But: KeePass 2052. Cheating because I work for an agency... so we have hundreds of clients' passwords to store and selectively distribute to the team.
psychphysic·3 yıl önce
Agreed. This is utterly baffling question.

You might as well ask me how many grains there are in my salt shaker.

Interesting academic question, but seeing so many people climb on their soap box is wild.
93po·3 yıl önce
i don't find it to be a baffling question. i think the unspoken part of this is "this is a really stupid system, someone ought to do something about it". i hope in the next 20 years that password managers are a thing of the past, but for good privacy-preserving reasons.
pishpash·3 yıl önce
Wasn't the passkey article just front page the other day?
aed·3 yıl önce
Interesting question! I just checked and, wow, I have 922 accounts in 1password. (From 10+ years of use.)

It’s funny you bring this up because I’ve thought about “cleaning up” 1password before. But all the extra accounts are not really in my way.

I never use oauth (like to create a new account / password for everything). All of my work-related accounts are in there from several employers. Lots of passwords for (probably dead) servers. I count 28 logins for salesforce.com from past employers, various sandboxes, and consulting gigs.
kylehotchkiss·3 yıl önce
The archive feature is nice for cleanup. It doesn’t delete, just hides from lists and searches. I’ve un-archived many items before.
ryan29·3 yıl önce
> I never use oauth (like to create a new account / password for everything).

Me too. I have 672. Lots are for accounts I set up for nieces/nephews, etc., so those don’t really count. I bet 100 are stale as well I’ll clean them up one day. Lol.
aaronax·3 yıl önce
I would not expect any true innovation to come from companies such as 1Password or Bitwarden. They make money off authentication being so craapy that an entire class of applications has sprung up around it.

They will not innovate themselves out of existence.
varenc·3 yıl önce
1259 on 1Password! https://dl.dropboxusercontent.com/s/4ug9qyk67z9pkml/Screen%2...

Still using 1Password 7 and its self-hosted vaults with the 1Password app denied all network access.

This is good reminder that I should login to all my old Google accounts to keep them from being deleted since Google is finally making moves to erase accounts unused for over 2 years. (especially given how it's always getting more difficult to create new G accounts)
nickjj·3 yıl önce


    $ pass | wc -l
    321
17 of those are encrypted notes (API tokens, license keys, etc.).

`pass` is a command line password manager: https://www.passwordstore.org/
philsnow·3 yıl önce


  % bw list items | jq length
  494
I used pass for years, but eventually quit when needing to rekey the gpg stuff for the fifth time and it being a pain to provision another key for passforios. It looks like there's some work to let pass use age for crypto instead of gpg, but I don't know if that's been ported to passforios or any of the other pass-compatible mobile apps.

Pass using git as its storage backend doesn't make a whole ton of sense for me. It's convenient enough for syncing if you use a public git host, but it's got a lot of unnecessary power. More than a few times I had to merge by hand when I had changes from both my laptop and my phone.

I use vaultwarden these days and it's pretty great. I wrote a (gross, ugly, but that's fine because I used it exactly once) thing to migrate from pass to bitwarden/vaultwarden, https://github.com/philsnow/pass-to-bitwarden

edit: forgot to mention, if you don't care about using Bitwarden the company for hosting, they have a somewhat generous free-forever tier https://bitwarden.com/pricing/
zikduruqe·3 yıl önce


    $ pass |wc -l
     176
Was hoping to be the only cool kid posting pass counts... :)
aendruk·3 yıl önce


  $ gopass list --flat | wc --lines
  575
sirodoht·3 yıl önce
I love pass!

  $ pass|wc -l
      1252
dot5xdev·3 yıl önce
270 login credentials work+personal. I don't use 'sign in with Google'. I regularly try (not always successfully) to go through my 1Password vault and delete accounts that I haven't used in a while.

(I wish 1Password let you order credentials by "last used". This way I could start deleting from the oldest last used accounts.)

I wish I had less accounts because each account means some random website holding my data hostage. It's too common that a website doesn't allow you to delete an account. Sometimes you can find a support email and request a deletion. Other times, all I can do is try to replace my data with junk data. Although, even that isn't possible sometimes!

(Rocketbook won't let you change your email, for example. Or ChatGPT saves your phone number after you delete your account.)
davidblue·3 yıl önce
Definitely a relevant topic, I'd say, especially if the discussion help any stragglers over the "edge" into finally using a password manager. (As far as I'm concerned, it is absolutely a requisite for all digital citizens in 2023.) ((And kinda has been for 10+ years but ya know.))

I'm closing in on 5000 credentials in 1Password, personally, but my collected vaults/database is 15+ years old now and definitely has [problematic duplicates](https://github.com/1Password/solutions/issues/1).

After a lengthy-enough sample of semi-formal self-observation, I'm averaging:

- signing in/authenticating 10 times/day (including weekends,) and most of those are repeats with the same service. - Almost 10 new accounts/credentials per week. (Granted, I'm pretty darn indiscriminate about doing so while exploring.)

Without tangenting too far, if anyone has any advice about how to constructively normalize password management (even just as an abstract) for end users - whatever that may mean - I'd love to hear it.
insomniacity·3 yıl önce
So if anything with OAuth is tied to Google, how would you survive losing your Google account?
firecall·3 yıl önce
For this reason I stopped using Google / OAuth a couple of years back!
sashk·3 yıl önce
I have almost 1900 items in my password manager: this includes logins, software licenses, notes, etc. But this does not include items in vault Attic, where I move items which are no longer exist (dead sites, deleted accounts, old ids, etc).
npteljes·3 yıl önce
I have 573 entries in my KeePassXC. I have several very important passwords that are not in there, like my work password and of course the keepass safe password. Auth is indeed insane. Because of this insane power, I don't trust any ID provider with my logins, not Google, nor any other third party, so I log in with a password everywhere.

As for maintenance, I don't think it's much, and I'm not even using the browser integration (again, for security). It's a few simple clicks to create a new entry, and the default auto-fill (username, tab, password, enter) works on most of the websites.
altacc·3 yıl önce
About 500, after a clear up.

I'm currently shopping around for a new password manager but that's proving to be a frustrating search. Bitwarden scrambled my master password so that I lost access, not just once but twice (password was saved in another password manager, so definitely correct). Lastpass has 'issues'. Dashlane web app only gives me an error message. 1Password feels clunky but may be what I end up going with. Needs to be usable & shareable by tech-averse spouse & children as well, so hosting my own isn't really an option.
2-718-281-828·3 yıl önce
look no further ... pwsafe.org
achairapart·3 yıl önce
I really don't know how many accounts I have, for most of them I don't even store passwords, I just generate them in a deterministic way with a little password generator I made[0].

Some time ago I realized what a waste was to store so many secrets, even more knowing that for the most part I'll probably never need them again.

For the - proportionally few - important secrets, I use (and really like) Pass[1].

[0]: https://aprico.org

[1]: https://www.passwordstore.org/
gnrlst·3 yıl önce
Aprico is a neat idea, but as soon as you face a website that has stupid requirements like a character limit, specific banned characters (like symbols), or other it has no way of adjusting for that and you have to start tracking exceptions. It also has a 1-1 limit of website, unless you come up with service naming heuristic as well. Regardless of these limitations (which I realize are edge cases and very much not the point of the service), it's a nice, simple idea :)
achairapart·3 yıl önce
Anectodal from a few years of use, surprisingly those stupid requirements are almost a thing of the past nowadays. But yes, some edge cases still require some bits of muscle memory, which may be your thing, or not.

I'm a bit ashamed that I never found the time to write down some docs, so I never really shared it, apart from a few friends and colleagues. On desktop, the web extension is quite convenient, it will autofill everything for you but the master password.

On iOS, I made a simple shortcut[0] where you share a url and - thanks to the os autofill - you just get your password copied into the clipboard, no input required at all. Also, on Android there is something similar using the PWA Web Share Target API.

And that's it, thanks for your kind words.

[0]: https://www.icloud.com/shortcuts/2dcb6680e6b3424d8708e673e1a...
xp84·3 yıl önce
Don’t forget the even stupider variant, the allow-list of like 5 symbols. “Tell me you failed infosec 101 without telling me you failed infosec 101.”
NegativeK·3 yıl önce
There's a local government website that requires eight or fewer characters, and the eighth character has to be a digit.

They've tried to change the requirement, but it comes from vendor software. The vendor just waves around a middle finger and points to the contract.
karmakaze·3 yıl önce
> But I still have a near-stroke every time I have to do the "forgot my password" loop, or use Duo Mobile/other 2FA.

That's funny, I've stopped caring about remembering most passwords and use the "forgot my password" loop as a login mechanism for rarely accessed sites/services. I also only enable 2FA on important ones like email, github, or banking. Basically my threat model includes my ability to lose things.
pacifika·3 yıl önce
This works until you want to change your email domain (or provider in some cases)
browningstreet·3 yıl önce
944 items in 1Password (fingerprint me!)

I'd have more but even 1Password doesn't always catch when I'm creating an account login, or resetting a password, etc. I do the work to input some of them, but not always (I get lazy).

I do try a lot of tools, and I have a lot of personal and professional GMail OATH logins too, which -- fortunately -- 1Password now tracks.
freitasm·3 yıl önce
I have 872 according to BitWarden: https://cdn.geekzone.co.nz/imagessubs/3c01663b43a16e0b50577a...

I don't use OAuth, except for two services - which I could switch to user/pass if I really wanted.
mfontani·3 yıl önce
380+ logins on bitwarden

45+ 2FA on Authy

2 yubikeys

It gets... pretty confusing, especially as I've not checked the gopass repo, where I keep _other_ stuff, too...
jeroenhd·3 yıl önce
Bitwarden lists 791. A ton of them are for internal services/local dev accounts/what have you, but that's still a pretty long list.

I don't use most of them. A third of them are for my spam email address. I'm starting to notice Bitwarden taking its sweet time decrypting them all, though.
irrational·3 yıl önce
According to bitwarden, I have 363. Though, I have more than that that are not stored in bitwarden. Some of them are my work accounts, others are ones I created while on mobile where it is a pain to add them to bitwarden. The real number is closer to 400.
bigburner·3 yıl önce
Where I work 'Single Sign On' doesn't live up to its name; many of us spend the first 5 minutes of each day signing into things, waiting for the 2FA code, entering it, then rinse and repeating for a half-dozen apps.
djha-skin·3 yıl önce
The problem with this metric is that several of those accounts are defunct or no longer even in existence. It's much easier to add to my keypass than to delete from it
SAI_Peregrinus·3 yıl önce
751 entries in my KeePassXC database. I'm sure a number of those accounts are for long-dead sites, and many of the rest are throwaways I don't expect to use again.
snailmailman·3 yıl önce
Over 300 in a self-hosted vaultwarden. I’ve got my vault password memorized but that’s about it. All 300+ are secure randomly generated ones that I do not know. And I’ve got 2FA stored there too.

Despite the huge number of accounts, logging into anything is seamless across any of my devices. And access to my vaultwarden is securely protected. Password managers are great. Really looking forward to vaultwarden eventually storing Passkeys as well, and using passkeys to login instead.
an_ko·3 yıl önce
What's the point of 2FA if you store it in the same place as the first auth factor?

Or maybe I've misunderstood. Are they behind different master passwords or something?
snailmailman·3 yıl önce
If an individual account password leaks, the second factor still protects the account.

This primarily only protects against leaked passwords from the site being hacked. Not from vaultwarden being hacked. But if my vaultwarden gets hacked I’m done anyway. They will had to have used multiple factors to get into the vaultwarden anyway.

Quick edit: I’ve also got all the codes in an actual Authenticator app on my phone (so I can get into vaultwarden if I have to) But they are additionally in vaultwarden for convenience. When vaultwarden autofills, it copies the code to my clipboard and I can seamlessly pass the second factor check. Either way, access to the codes needs physical access to a device I’m already on. In practice I’m only ever logged into vaultwarden on my phone and my PC, although I could login remotely if I had to. As an additional safety measure, when my vault is logged into some monitoring software sends me a push notification through an external service.
kombustor·3 yıl önce
As far as I understand it:

The password is the "thing you know" and the password manager file is the "thing you have". So if someone compromised your email account knowing your password, they still need to access your password manager file to get access to the 2FA codes.

So it's still a second factor in that sense.
suddenclarity·3 yıl önce
Slightly below 2000 last time I looked. Most sites don't support deleting content or accounts. In best case they just "anonymize" you. So it just keeps growing...
[deleted]·3 yıl önce
smsm42·3 yıl önce
1146 in Bitwarden. But a lot of them are old, and some accounts aren't in BW.

> Obviously, anything with OAuth is "bundled" into my Google account.

I too used to live dangerously. But then I took an arrow... sorry, wrong one... then I read too many stories about "Google locked my account and now my life is ruined" and stopped using Google auth with anything but the least important sites on which I wouldn't mind losing the login.
ofalkaed·3 yıl önce
HN and a few forums, bank, email/cloud, website (which is really just storage for ancient stuff I have mostly forgotten but occasionally have a use for) and that is about it. I use guest checkout when ever possible and if I buy from a site which does not offer it I just close my account as soon as I finish checking out. I never made the switch to password managers and the like. I have all of my passwords memorized.
brickfaced·3 yıl önce
KeePass says 305. That's a few decades' worth of logins across everything from Yahoo! to GMail to random online storefronts. Unique password for each. Doesn't include old accounts I've deleted where possible. Not all services offer account deletion, sadly. When I can't delete an account I leave it with blank or garbage contact info and link it to a one-off email alias for spam prevention.
plantroon·3 yıl önce
I have 728. Before Bitwarden I used password store. I migrated with a script about 2 years ago, and I still don't have all the necessary metadata in at least a half (meaning there is no icon, usernames are messy, etc). I only update the old entries whenever the accounts are needed, meaning that I haven't used half of them in 2 years. So I "actively" use about 360 accounts on various services.
tzhenghao·3 yıl önce
I have over 300 on 1Password, some with more than 5 different accounts from the same site like Google and Slack. I also lean heavily on the 1Password extensions to help on the retrieval part.

It's incredibly insane but I manage it by adding a namespace postfix so it's easier to identify which when autocompleting login forms. For example, "Google (Personal), "Google (UMich)" etc.
jeanlucas·3 yıl önce
952, I store accounts user and passwords that I have since 2011, and I like to try new services. Especially to give feedback to makers.
verandaguy·3 yıl önce
I'm pushing 600 in my main password manager, but most of them aren't unique — I just use "farce72$" by default since it hasn't shown up in HIBP (yet -- fingers crossed) and hits three of the major character classes, so it's pretty high-entropy.

The password manager mostly serves the role of autofilling stuff in browsers.
BLKNSLVR·3 yıl önce
In case anyone's wondering, it's not the HN password (with or without quotes) :)
verandaguy·3 yıl önce
I wondered if anyone would try that :)
loeg·3 yıl önce
Uh, looks like 1200. A few duplicates from LastPass or the LastPass -> 1Password migration many years ago, I forget.
zimpenfish·3 yıl önce
1456 items in Bitwarden; 1180 have both username and password but there's a lot of duplication - e.g. I've got 6 items for my local nzbget instance (all the same u/p combo.)

This is an accumulation since ~2010 starting with 1Password, then LastPass, then Bitwarden.

[edit: 1339 items have a password but only 1180 of those also have a username]
lukevp·3 yıl önce
Do you know you can add multiple URLs to the same un/pw and it will autofill on more sites?
YourDadVPN·3 yıl önce
Roughly 350, all with unique passwords and mostly with unique email addresses too. They're categorised, and the only categories with more than about 20 entries are catch-alls I never look at anyway. It's pretty useful and sometimes interesting to go on a website and find out I made an account there two years ago.
imvictor·3 yıl önce
https://imgur.com/G7RUsYf

I'm running around 838 accounts because why not? I have a unique password for each login since five years ago. I went from LastPass to 1Password and finally settled on self-hosted Bitwarden(Vaultwarden) a year ago.
michaelsalim·3 yıl önce
531 in my bitwarden storage. I don't create an account unless absolutely necessary. So the number is higher than I thought.

I guess most of it is likely work related. I cycle through many projects. Each of them have many accounts tied to them. Eg: DNS, domain, hosting, etc etc. Not to mention all the business systems like HR.
marssaxman·3 yıl önce
There are 92 entries in my credentials archive. I try to avoid creating them if at all possible, and I never use OAuth.
[deleted]·3 yıl önce
bikingbismuth·3 yıl önce
Checking 1Password, I have 283. If I include sites I keep only in my brain that is probably a touch above 300.
rollopack·3 yıl önce
In Firefox's about:logins I have 1333 saved credentials
ajdude·3 yıl önce
My keepass says 484, but I have a feeling there's duplicates. I really need to curate these better.
rout39574·3 yıl önce
Hah! Password count cousins! I'm 484 in lastpass.
zantsuken·3 yıl önce
I've got about 307 on KeePassXC, with the oldest generated password from 2016.

307 includes stuff like security questions as well though, so the answer to "What is your mother's maiden name?" tends to be something along the lines of "f+2Tng+DO?X).`W/7*5IQ_"
kdklol·3 yıl önce
My BW stands at 52 logins right now, but it's not yet quite complete. I think I'm missing a couple banks. Over the last year or so however, I cancelled almost 100 accounts, ranging from obscure forums, trough hosting providers, to facebook. It was a herculian effort, as companies put up emmense barriers (especially the hosting companies), but I somehow got it to the minimum I can realistically have - which is roughly 60 I think.

I try to avoid SSO, only exceptions are a single forum, which had broken registration, and my uni. Why? 1. SSO is a single point of failure, which you (unlike BW) cannot audit yourself; 2. You have to trust it's not gonna sell your data - perfect graph of services one person has is of course very juicy information; 3. They the make management of one's accounts slightly harder, as you cannot easily know how many you have by looking into your BW; 4. You are locked into your SSO service.

For MFA, I use fido keys (yubikeys), which I have to highly, highly recommend. Not only are they miles ahead of anything else, but they are also so easy and quick to use. I have a little one permanently in my usb port and to log in you just touch it. I'd recommend this if you are MFA-fatigued. Obviously, I always take the best form of 2FA available regardless.

All passwords in BW are long random alphanumeric and I have a XKCD-style password for that and something similar for FDE/logins into computers.

BTW, getting BW was the best decision I could have made, not really for security (although that's obviously the point) but fkr convinience. No more silly variants on passwords and no more guessing emails for reset.
SergeAx·3 yıl önce
I have 967 entries in my KeePassXC database. That includes tons of now obsolete logins and passwords from previous jobs or/and defunct services. It doesn't bother me, and I dont want to spend days just to validate/clean up it.
EVa5I7bHFq9mnYK·3 yıl önce
Hard to know, I have 20 to 30 Facebook accounts, mostly bought from account seller sites, becaused I wanted to see various Facebook pages not accessible to outsiders. Not sure how many of these passwords still work.

My oldest working account is probably 1996's ICQ.
daneel_w·3 yıl önce
My keychain has 54 items in it. I think at least 5 of them belong to things I've shut down.
ivolimmen·3 yıl önce
I have 358 keys in my keepassxc. Loads of them are from a distant past; I never had the urge to clean them up. If I delete a password I also want the account to be deleted so that costs too much time... now at least I know who knows me... ?
dotancohen·3 yıl önce
My password manager has four digits of credentials stored. It dates back to when years began with the digit 1. Certainly _most_ of those are no longer in use, but maybe the time has come to see if Taco is still posting to Chips & Dips.
bastijn·3 yıl önce
My password manager says 407 currently in my vault. I only use social login for very very limited amount of sites. My default option is to create app/site specific accounts so I can append my email with +sitename to see who leaks my data.
ctoth·3 yıl önce
Exactly 256 in Keepass currently.
gaurangagg·3 yıl önce
Earlier I used to maintain the passwords in an Excel and the life in a way changed when I discovered Password Manager KeePassXC - which is amazing.

For my frequently accessed accounts, I also prefer Apple Keychain to login faster across the devices.
tgv·3 yıl önce
360 for websites (most of which I've only used once; the oldest are dated 2011, but those are probably import dates, as they all have the same timestamp), and 100 or so for more serious stuff (banking, routers, etc.) in KeePassXC.
LorenDB·3 yıl önce
I have 93 personal accounts in my Bitwarden, plus 13 that I have categorized as "deprecated".

I don't think 176 is wildly unusual; it may be a bit higher than some people, but it's certainly not a Guinness World Record or anything like that.
lucb1e·3 yıl önce
808 in my password manager, plus a few in my head (stuff like bank logins and the pwd manager's password) or cold storage (no e-money, but e.g. the manager's password and passwords to unlock system backups).
12907835202·3 yıl önce
I have over a thousand and hundreds of warning about compromised passwords.

Annoyingly they're all for forums I was part of as a teenager 15-20 years ago with a dead email address referencing pink monkeys.

I just never get round to cleaning it up.
gigel82·3 yıl önce
284; that's with actively trying to purge the list every 3-6 months (sometimes just an online form but for more obscure / smaller sites, it's a couple of weeks and chains of emails back and forth).
clircle·3 yıl önce
Presently I have 384 entries in KeepassXC, but it's not all online accounts. Sometimes I just put info in my keepass vault because I want to have easy access to it while I'm at my computer.
GabeIsko·3 yıl önce
It's a good day if I can get through it without creating an account.
p2hari·3 yıl önce
700 plus on Bitwarden. And a lot of Oauth with google and GitHub. 200 plus on Chrome personalised window. Around 100 on Samsung pass for apps that I don't have access on web.
blitzar·3 yıl önce
746 accounts.

746 unique passwords, ~600 unique usernames, ~600 unique email addresses.
retrobox·3 yıl önce
More than 1000. More than I'd like. I can't help but wonder how many websites my personal information is on at this point between random shopping, forums, and all the rest.
simonjgreen·3 yıl önce
1,742 according to my Bitwarden on Logins :grimace:

Given my use of password managers goes back to pre 2000 I'm willing to bet a sizeable percentage of the sites don't even exist any more
gzer0·3 yıl önce
I have over 4,000

This is because I rotate accounts frequently (well, besides here).
mindwork·3 yıl önce
376 items accumulated over 12 years using password manager and multiple cleanup runs. I think top for me was around 480.

It was hard to find it in the new version of 1password
hammyhavoc·3 yıl önce
~15,000 after being online since the '90s. A lot of them won't work anymore, that much I'm certain of. A lot of things have come and gone in that time.
ChoGGi·3 yıl önce
> Obviously, anything with OAuth is "bundled" into my Google account. So if anything this is a huge underestimate.

If Google ever pulls the plug on you, you're in for a bad time.
xp84·3 yıl önce
I guess despite how cool it is to hate Facebook in 2023 there’s a really solid case to be made that it’s a smarter “OAuth” choice than Google, since with Google, if you fell back to resetting your password for another site to get in after a Google account shutdown, the email on the account would be the same Gmail account that you’re locked out of!
ddp·3 yıl önce
1112+, plus 25 in Microsoft Authenticator w/ cloud backup enabled, and a Yubikey 5c FIPS for every device I care about.
nikolay·3 yıl önce
Between 3,000 and 4,000 (1Password no longer shows the count).
menshiki·3 yıl önce
Over 100 in my password manager. I use log in with Apple wherever possible. If a website does not matter and does not support Oauth with Apple, I will use Google.
anonzzzies·3 yıl önce
899 in Bitwarden and that is after cleaning and excludes ‘lazy’ accounts I logged into with google or facebook (those I generally don’t use or find important).
hhh·3 yıl önce
600 in Chrome. 800 in iCloud Keychain. I assume there's a % of duplication between the two, since I don't really use Chrome anymore outside of Windows.
ioman·3 yıl önce
Went and checked my 1Password. Apparently, I have nearly 1,800! My oldest remaining password was created in 2010, so I've been using it for a while.
huimang·3 yıl önce
445 logins for me on a self hosted bitwarden (vaultwarden) instance. Although a lot of those are for user & root logins to local machines I provision.
neon_electro·3 yıl önce
1,226 items in my 1Password database. Very happy customer.
manuelmoreale·3 yıl önce
410 according to 1 Password. I do periodic cleanups though and I should probably do one soon so the number of actual, in use, logins is probably lower.
_8j50·3 yıl önce
Please tell me you let chrome save and sync your passwords lol. Always a delight for pentesters and real attackers a like when people do that.
tasuki·3 yıl önce
206

Not counting all the sites for which I use the "Log in with Google/Facebook/etc". Many of these credentials I haven't used for years.
narag·3 yıl önce
About 200, but no more than 30 are used often and maybe 5 are important.

I don't want to tell how I store them, but for these 5, I could even memorize them.
jimnotgym·3 yıl önce
Around 1,000 in 1password. I use 1password because many of them are shared.

Edit. That is only my work 1pass. I have a personal instance too with a few hundred.
pimlottc·3 yıl önce
I'm curious, do you actually have ~1,000 work-related accounts? Or second accounts/alts for various non-work sites using your work email?
jimnotgym·3 yıl önce
I have zero non-work sites on my work email.

Crazy isn't it. Not everything is a login, and not everything is a password. There are keys in there for instance, and some credit cards. The majority are logins though. Crazy, isn't it.
BaudouinVH·3 yıl önce
https://i.imgur.com/QHMavTm.png

1078 - many I of them I've used once
michaelmior·3 yıl önce
Bitwarden lists 1,601 for me. That's not counting sites that use Google, GitHub, et al. for auth which I will often choose if offered.
butz·3 yıl önce
Who knows, some idiot keeps using my email and signing up on various spammy services. Probably time to get a new email address.
nokya·3 yıl önce
I see many people mentioning the number of passwords in their KeepassXC. I can't find the option for that. Where is it?
5e92cb50239222b·3 yıl önce
Ctrl+Shift+R (or Database → Database Reports)
_benj·3 yıl önce
Before posting I was looking at the comments to see how bad I was… after seeing 1k+ it seems like I’m fine with my 627 bitwarden items!
ftxbro·3 yıl önce
this is nuts, i was expecting people to say like 8
Havoc·3 yıl önce
Maybe 200ish or so

Loads of old crap though. Will clean it out next time I'm migrating passwd managers. Probably 50-ish that actually matter
JohnFen·3 yıl önce
I have 7, unless you include logins to the various systems and servers attached to my network. Then I have ~100.
throwaway019254·3 yıl önce
800 logins in my Bitwarden.

These are logins I collected over the last 15 years. A lot of them are for pages that don’t event exist anymore.
INTPenis·3 yıl önce
I have around 40 2fa codes alone, number of accounts I don't even care to count.

find .password-store -type f | wc -l says 1248.
lytedev·3 yıl önce
$ pwd && fd --type file | count /home/daniel/.home/.password-store 512

Need some cleanup I supposed...
davidn20·3 yıl önce
515 - thank you Jesus for password managers
beaugunderson·3 yıl önce
1Password tells me I have 4,182 items... and that's probably not even everything.
donaldihunter·3 yıl önce
1Password says 348 for me, and I know there's many more that are autogenerated and stored in a keychain.
deathtrader666·3 yıl önce
1300 as per 1Password.. and must be 500+ in my old Firefox account that I didn't bother exporting.
Brajeshwar·3 yıl önce
3,995 by 1Password as of May 21, 2023.
jonathantf2·3 yıl önce
1Password currently has me at 476 logins, I assume some of those are duplicate accounts or burners.
a10c·3 yıl önce
593 for me in 1Password
aslilac·3 yıl önce
238 according to 1Password. Every time I add a new one I feel a piece of my soul leave my body.
extesy·3 yıl önce
2151 according to Bitwarden. That's what 25 years of actively using internet does to you :)
shmde·3 yıl önce
2151 is insane. Share any fun/quirky/useful uncommon websites ?
dt3ft·3 yıl önce
What is bitwarden doing to help lower the number of accounts, exactly? I'm out of the loop.
NegativeK·3 yıl önce
Bitwarden lowers the mental burden for secure (which includes unique) passwords, precisely because we have a crap ton of accounts.
gjsman-1000·3 yıl önce
And I thought I was out of hand with 496 in 1Password… now it feels quaint looking around here.
lorenzk·3 yıl önce
809 in Bitwarden. Collected and migrated over the years from lastpass to enpass to bitwarden.
aranke·3 yıl önce
203 according to 1password, but I archive the ones I don't need roughly every year.
frompdx·3 yıl önce
I have 260 items in my vault. Of course, I'm sure it could use some tidying up.
sevensevennine·3 yıl önce
1Password deleted more of my accounts than that when it crashed the v8 upgrade. SK
rtsil·3 yıl önce
1105 according to Keepass. Although at least a third of these are no longer active.
johnorourke·3 yıl önce
woop another Keepass user!
magicjosh·3 yıl önce
Anyone experimented with Sign in With Ethereum?

Wallet based login and account management onchain.
nyadesu·3 yıl önce
319, currently using Bitwarden to manage them and been pretty happy with it so far
sigio·3 yıl önce
about 750 in my personal 'pass' store, and about a 1000 in the shared password store for work. Bitwarden probably has a significant subset, but I prefer to keep 'pass' as authoritative source.
thr0waway001·3 yıl önce
Personal ones close to that. But as a contractor, way more than than 176.
MacsHeadroom·3 yıl önce
About 1,400 in KeePass.

Perhaps a poll would with ranges would have been better.

0-100

101-300

301-800

801-1200

1200+
jeanlucas·3 yıl önce
Indeed, although it would not be that hard to parse all replies and plot it.
8ytecoder·3 yıl önce
1906 items in my 1Password. Not including those I archived or deleted.
StopHammoTime·3 yıl önce
636, and I lost a lot of them about 9 years ago.

I’m honestly surprised I’m not over 750.
arisAlexis·3 yıl önce
You mean since I started using the internet in 1995? Or only live ones
nikisweeting·3 yıl önce
1361 in 1Password, probably ~100 that I use at least once per year.
smcleod·3 yıl önce
Looks like I have 2160 in Strongbox (recently moved from 1Password).
SoftTalker·3 yıl önce
A bit under 200, but only around 20 that I use with any regularity.
spiffytech·3 yıl önce
My Bitwarden says 1,703.

I'm surprised to see so many people with low hundreds.
quicklime·3 yıl önce
312 entries, although only 37 were accessed in the last 12 months.
1827163·3 yıl önce
182 logins here, although most of them aren't used frequently.
nathias·3 yıl önce
imo the best way to handle this would be to have identities on browsers, and then have browsers automatically handle the logins without the user seening any passwords
rain1·3 yıl önce
I feel like this isn't healthy for a human being
efitz·3 yıl önce
I have 921 items in 1Password; most of them are logins.
rasse·3 yıl önce
800+ entries linked to 784 unique email addresses.
web3-is-a-scam·3 yıl önce
Hundreds. I’ve lost count they’re all in 1Password.
drakonka·3 yıl önce
I currently have 344 accounts in my password manager.
2-718-281-828·3 yıl önce
611 entries in my password database (pwsafe.org)
colinmegill·3 yıl önce
241 in 1password 340 in Google Password Manager
aio2·3 yıl önce
I'm not joking... I have 69 logins lol
Semaphor·3 yıl önce
Over 500, though I have no idea how many of them still exist. I use a password manager and unique email addresses, why would I care how many accounts I have?
hotpotamus·3 yıl önce
What are you using for unique email accounts? DIY or some service?
Semaphor·3 yıl önce
DIY on fastmail with custom domain.
LeonB·3 yıl önce
Over 1000 entries in my password Tracker.
nektro·3 yıl önce
241 logins for me
whoami_nr·3 yıl önce
I have 454 logins in the Bitwarden
uguuo_o·3 yıl önce
Personal ~10 Work related maybe ~20
c17r·3 yıl önce
According to Bitwarden, 479 accounts
distances·3 yıl önce
Hehe exactly the same number I have in KeePassXC, 479. I'm pretty sure many of these services have shut down years ago.
kdne_jdnf·3 yıl önce
About 500-600 items
synthc·3 yıl önce
437, accumulated over 2 decades
adontz·3 yıl önce
183 after some recent cleanup
AH4oFVbPT4f8·3 yıl önce
1322 currently in Bitwarden
pt_PT_guy·3 yıl önce
886 according to keepassxc
pps·3 yıl önce
467, says my Bitwarden :)
carom·3 yıl önce
295 items in 1Password.
tkuraku·3 yıl önce
241 logins in kepassxc
KomoD·3 yıl önce
939 accounts in 1PW
Daunk·3 yıl önce
Currently at 307.
tananaev·3 yıl önce
963 in Bitwarden
skyzyx·3 yıl önce
Over 900.
janosd·3 yıl önce
Right now, 90-ish, but I used to have many more. Lately, I'm religiously deleting accounts (which I finally am able to, thanks to GDPR).
Exorus18·3 yıl önce
2
petarb·3 yıl önce
1955
abrkn·3 yıl önce
1,413
wintorez·3 yıl önce
364
zainhoda·3 yıl önce
373
Fancy5189·3 yıl önce
1249
bingohbangoh·3 yıl önce
335
metaltyphoon·3 yıl önce
93
purplecats·3 yıl önce
1,101
snihalani·3 yıl önce
1072
moltar·3 yıl önce
1000s
alxjsn·3 yıl önce
633
gnrlst·3 yıl önce
600+
gepiti·3 yıl önce
Only 375.
escapedmoose·3 yıl önce
326
i2cmaster·3 yıl önce
1) Avoid making accounts in the first place. You almost never actually need one.

2) Recognize that for nearly all sites keeping your account secure is more their problem because they're trying to fight spam than it is your problem.

I think I have about five logins that actually matter and the rest maybe they work or maybe I have to ask for a password reset/new account when I use the service.
sieabahlpark·3 yıl önce