Some are un/pwd (easy), some are Log in with Google, Apple, etc, but those aren't captured and aren't easy to track unless I manually add it to the Passwords app with some invalid password that's an indicator of how I signed in.
Do you just use a password manager ... 1Password, Lastpass or the like?
I always, without exception, will sign up with a username & password. I would never use a "Log in with". To me, if I am logging in through a different company then it is that company who has control, not me. There are tales here and elsewhere when Google has nuked someone's account. That's bad, but if you logged in with Google on other sites then you are completely screwed. Same applies to other companies.
I won't be using the Apple Passwords app.
And anyway… if Google has locked you out, you can’t access your Gmail to reset your password, even if Acme auth lets you.
In contrast: if you log into Acme with username and password, you can authenticate with Acme at any time, even if Google has locked you out. Acme does not need to check with Google to log you in… even if your username is a Gmail address.
If you’re going to use a password manager anyway, just do a fresh username / password whenever possible for each new service. It’s the most resilient and future-proof way to go.
It's like storing a photo of gold bars inside your basement safe.
With almost zero extra effort, you could be in control of your own keys. You already have the entire infrastructure set up to do this and all you use it for is a glorified log book?
Can someone explain this?
You go from delegating some of the most important elements of your life to a third party who can take your account away at any moment with no recourse (an extremely vulnerable position), to having complete control over all those accounts, with zero extra effort.
It's very confusing.
So I default to always looking to create a login with an email address, rather than using another identity provider. And passwords are kept and synced with Bitwarden.
Also remember that one day Google will eliminate Login With.
And if you do login with Apple you can never escape the Apple Tax even if it declines or gets broken up.
The most recent example was a GitLab instance that was demanding my password before it would let me update the email address on my account. I didn't have a password, because I created the account by logging in with another site. Tech support was nonexistent. I ended up abandoning the account.
I worked at a huge company with Login With. Only a fraction of people used it so we didn’t have time to support the hundreds of corner cases properly. So best bet was to rip it out.
And it’s a very good suggestion. I do something similar, but instead of using a note, I just write it in the username field.
Yes.
> Log in with Google, Apple
I simply don't, ever, use those options.
At least, not anymore.
I have a few legacy logins.
And a few where I’ve connected my accounts - GitHub for instance to get JetBrains Student Discounts.
But where possible, I avoid!
Also, the obnoxious login with Google prompt in Chrome actually costs businesses money!
I’ve had multiple clients run up paid support because they thought they’d lost their account because they clicked the login with Google option and all their account info seemed to have vanished! (Not my services, just ones I was supporting them using).
To everyone worried about Google closing and not being able to login via Google... what email provider do you use? Because if Google closes Login With they might as well close or lock you out of Gmail and if that's your email provider you're screwed as well right?
Your best move is to always set a secure password and use a password manager.
You probably won’t even be able to move your account to a password one; you’ll just lose access (another unsupported “corner” case).
Yes. I recommend KeePassXC[1] or GoKey[2].
> Log in with Google, Apple
No, never!
In your Google account settings look at Security then See All Connections. Can also remove those individually if you want.
I try and avoid SSO for the most part.
I like being able to use Gmail modifiers so I can create filters if I need to block certain accounts from being spammy.
first.last+serviceURL@gmail.com is usually what I use. So like first.last+news.ycombinator.com@gmail.com. Every service gets their own alias modifier. Then if I ever need to turn it off, I can just set a filter and they're done. Plus, this way I always know who sold my contact info.
More examples: https://news.ycombinator.com/item?id=41335286 https://news.ycombinator.com/item?id=41335369
It might be easier to understand if you substitute "x" here with, say, "encrypting passwords with MD5". It illustrates better why someone might think giving "I don't do it" style of responses instead of directly answering the literal question that was asked.
Back to OP's specific case, maybe they keep creating accounts with SSO login only due to inertia and haven't really thought about reevaluating this habit. Not saying this is the case, since we don't know the specific reason OP is using SSO (e.g. if it's convenience, what makes SSO more convenient than the password manager? maybe they are following the recommendations from some random blog post that assumed a different threat model?).
So, alternative points of view might still be useful, if only as food for thought. Maybe a more fitting solution might come out of such discussions.
Nowadays, I use a combination of an online password manager (one that hasn't been hacked yet, as far as I'm aware) and Rooster as a backup.
* A password manager (PasswordStore [0]), in which I may make entries without passwords but where I indicate my ID on a given account.
* A personal wiki in which I may indicate for something that I have an account connected to e.g. Google or whatever.
When I come to some service that I vaguely remember having used before, I will find the necessary info either in my personal notes or in my password manager.
[0]: www.passwordstore.org
I never use any other third-party authentication service. I don't want to give Google any more information than I can avoid about the sites I visit, and I've barely even used my Facebook account for the past decade+.
If I'm using a third-party to log in then it's a burner account that I don't care about, and am basically using because I don't think whatever tool or site should need a log in to use.
Avoid.
Where you find this is:
1. Go to your Google Account (e.g. www.google.com, click on your avatar, then on Manage Google Account in the popup that appears.)
2. Click on Security in the left navigation pane.
3. Scroll down, and find a box "Your connections to third-party apps & services".
That reminds me, I did a "continue with Google" on the Scribd website the other day, only to be told I had to also give them a credit card so they would let me start the free trial to view someone else's copyrighted PDF that they have no right to sell, and that I can find somewhere else. I have to revoke the association to these scumbags.