
I Have 800 Passwords - edent
https://shkspr.mobi/blog/2019/02/i-have-800-passwords/
======
gregmac
I'm not sure what the big deal of this is. I've been using a password manager
for many years now, and have no idea how many total passwords I have, nor do I
care. I don't ever look at the full list (only search it), and there's really
no cost to having lots.

In fact, many times, I've gone to a site for what I thought was the first
time, and was surprised to see I had an account already. If I had done a
purge, I probably would have deleted a bunch of sites like this. My account
would still be there, but inaccessible.

I also use a unique email for every site (via a catch-all subdomain), and in
the past couple years, also started making random usernames for any sites
where I don't care about the username (eg, no social component). This helps
protect me from compromised sites, because I can block the email address if I
get spammed by it. I think I've only done that once in the past 15+ years,
though spam filters also really make this a non-issue for me these days.

~~~
berberous
I also have hundreds and hundreds of logins and my issue is that every week
now some site gets breached. A lot of them are super old and I'd prefer to
have the site delete all my info, but it's too time consuming to manually do
that.

That /well-known/ idea is great. There should be a /well-known/permanently-delete,
so that my password manager can scrub my old accounts with one click.

~~~
btrettel
I don't think sanitizing or deleting online accounts is that time consuming. I
have about 600 accounts listed in my password manager, about 300 of which are
categorized as either offline or deleted.

Starting late last year I went through my accounts and started either deleting
the ones I have no intention of using in the future or, if deletion is not an
option, sanitizing them. It doesn't take that long to sanitize 10 accounts,
and takes even less time to identify whether a website is still online. I've
probably sanitized or deleted around 100 accounts now, starting with the ones
I guessed would have the most data on me.

I've also been pleasantly surprised by how helpful most webmasters have been
with removing or sanitizing PII if they won't let you delete an account.

One notable exception: Airbnb. They claim online that they will delete your
account if asked but refuse if you do ask. I had no intention of using Airbnb
in the future, but now I'll actively discourage others from using Airbnb.

[https://www.airbnb.com/help/article/240/how-do-i-deactivate-or-delete-my-account](https://www.airbnb.com/help/article/240/how-do-i-deactivate-or-delete-my-account)

~~~
scrollaway
I know (from your site) that you're not european, but to any EU citizens out
there reading: Know your rights. You can unequivocally request deletion of
your personal data, including your account, if it's known to be stored
somewhere on the internet (edit: or even off the internet. Physical records
are covered!). There are rare exceptions (eg. financial data required for tax
purposes, security/compliance, …), but I've never seen it be an issue. And if
it is an issue, there are enforcement organizations that _will_ help.

~~~
Mirioron
Too bad that almost all sites you'd actually want to use or have used are
outside of the EU. Unless it's a big site they probably have no EU presence
and there would be no way for the EU to do anything.

~~~
mmmmpancakes
I don’t know if you are right. Being hosted outside the EU doesn’t seem to
exempt companies that handle EU citizens' data from complying with EU privacy
laws.

------
franky47
That /.well-known/change-password redirection is very clever. Easy to
implement, and could automate a lot of things (good or bad, obviously it
relies on your password change strategy to be good [0]).

I've only discovered (ironically) the .well-known scoped routes with
LetsEncrypt, and more recently with Keybase's validation [1] and security.txt
[2], is there a global registry that lists initiatives that make use of this
route?

[0] [https://www.troyhunt.com/everything-you-ever-wanted-to-know/](https://www.troyhunt.com/everything-you-ever-wanted-to-know/) (warning, some NSFW content)

[1] [https://keybase.io/](https://keybase.io/)

[2] [https://securitytxt.org/](https://securitytxt.org/)

~~~
ilikepi
IANA maintains a registry[1], but there are some notable absences. Your
change-password is one example. Apple has at least one[2] and probably more
URIs coded into Safari that aren't listed.

[1]: [https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml](https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml)

[2]: [https://developer.apple.com/library/archive/documentation/General/Conceptual/AppSearch/UniversalLinks.html](https://developer.apple.com/library/archive/documentation/General/Conceptual/AppSearch/UniversalLinks.html)

EDIT: typo

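Both halves of the /.well-known/change-password convention that franky47 and ilikepi discuss above, as an added example in Python (not code from the blog post, from Apple, or from any of the linked projects). It runs a stand-in site on localhost that answers the well-known URL with a redirect, and the probe a password manager would make to find the page before automating anything. The settings path, ports and the handler names are hypothetical; the only real convention used is the /.well-known/change-password URL itself.

```python
"""Added example: the /.well-known/change-password redirect, server and client.

SETTINGS_PAGE and the handler classes are hypothetical stand-ins; the
well-known path is the real convention under discussion."""
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

WELL_KNOWN = "/.well-known/change-password"
SETTINGS_PAGE = "/account/security"  # hypothetical location of the real form
REDIRECT_CODES = (301, 302, 303, 307, 308)


class SiteHandler(BaseHTTPRequestHandler):
    """Stand-in for a site that implements the convention: the well-known URL
    does nothing but redirect to wherever the change-password form lives."""

    def do_GET(self):
        if self.path == WELL_KNOWN:
            self.send_response(302)
            self.send_header("Location", SETTINGS_PAGE)
            self.end_headers()
        elif self.path == SETTINGS_PAGE:
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"change your password here\n")
        else:
            self.send_response(404)
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the example quiet


class LegacySiteHandler(SiteHandler):
    """A site that has never heard of the convention: 404 for everything."""

    def do_GET(self):
        self.send_response(404)
        self.end_headers()


def start_server(handler=SiteHandler):
    """Serve on an ephemeral localhost port; return (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of following them, so the
    client can inspect the redirect target before trusting it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def same_origin(a, b):
    pa, pb = urllib.parse.urlsplit(a), urllib.parse.urlsplit(b)
    return (pa.scheme, pa.netloc) == (pb.scheme, pb.netloc)


def find_change_password_url(base_url, timeout=3):
    """The client half, as a password manager would do it: GET the well-known
    URL and return the page it points at, or None if the site does not
    implement the convention.  Only same-origin targets are accepted, so a
    misconfigured or hostile redirect cannot steer the user off-site."""
    probe = base_url + WELL_KNOWN
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(probe, timeout=timeout)
    except urllib.error.HTTPError as e:
        if e.code not in REDIRECT_CODES:
            return None  # 404 and friends: convention not implemented
        target = e.headers.get("Location")
        if not target:
            return None
        resolved = urllib.parse.urljoin(probe, target)
        return resolved if same_origin(resolved, base_url) else None
    except (urllib.error.URLError, OSError):
        return None
    # Some sites serve the form at the well-known URL itself rather than redirecting.
    return probe if resp.getcode() == 200 else None


if __name__ == "__main__":
    server, base = start_server()
    print("implements convention:", find_change_password_url(base))
    server.shutdown()
    legacy, base = start_server(LegacySiteHandler)
    print("legacy site:", find_change_password_url(base))
    legacy.shutdown()
```

One caveat the probe cannot see on its own: a site that answers 200 to every unknown path turns the final `return probe` branch into a false positive, so before trusting a 200 from a real site, request a path that must not exist and check that it is not also a 200. A redirect is the stronger signal, and the client above deliberately refuses one that leaves the site's origin.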
------
ChrisGranger
I try to prune my passwords of obsolete or unused accounts about annually or
so, making it a much simpler task.

One of my pet peeves is a site that lacks a 'Delete Account' option.

I _really_ like this "well known" "change password" scheme... Hopefully that
gains traction!

~~~
NullPrefix
Just send a GDPR request.

~~~
ChrisGranger
Does that actually work for websites and users not in Europe?

~~~
tyfon
Doesn't hurt to try.

I have yet to prove that I am European when submitting requests for data and
removal.

~~~
Mirioron
Are you saying that those DSARs are leaking data then? Because if they don't
sufficiently check whether you're who you claim you are then that sounds like
a great way to collect personal data on someone.

~~~
tyfon
So far it seems that the "sender" field in the email is enough. I suspect
they would do it with a Reply-To: header as well, so yes, many are probably
leaking in this way.

It's a bit different for the companies that operate using a SSN of course.

------
duiker101
Relatively off topic, but I didn't know about BitWarden and stuck with LastPass
since it's the only one that didn't have particular limitations for free users,
but I find it a bit clunky. BitWarden looks amazing and I will definitely
give it a shot!

~~~
jchw
Bitwarden has been nice. I migrated from 1password and while I can easily
recommend both, I think I like Bitwarden more, especially on Android where the
fill service works more consistently.

~~~
EduardoBautista
Bitwarden uses an electron app. For that reason alone I could never switch to
it.

~~~
duiker101
What do you even need the app for? You can just use the browser extensions. I
also just tried the desktop app and it's not too bad for an electron app, not
particularly good either, though.

------
tylerl
I just checked my LastPass acct... I have over 1600 passwords saved. I don't
see this as a problem. It doesn't slow anything down, it doesn't add
complexity to my life. It's not unsafe in any way. It's fine.

------
web007
This is what OpenID was supposed to solve - you can have one password, on a
site you own, that is your master key.

The problem is that every implementation is 99% the same and 1% WTF, so the
concept never caught on. So now we have FB and TWTR and GOOG and no other
options.

~~~
shurcooL
I can't say it has caught on, but there exist _some_ sites where I can login
with my own website. [https://indieweb.org](https://indieweb.org) is a good
example of that.

There are also tools like [https://indielogin.com](https://indielogin.com)
that make it easier to add support for that to your own site.

------
admax88q
To 90% of my online accounts I just do the reset password flow every time I
need to log in.

For most accounts I use a few times a year, I don't care for the overhead of
remembering or dealing with a password manager to save me a few minutes every
year.

~~~
tandav
So we don't actually need passwords. For many services magic links are better
(imho)

~~~
kgwxd
I'd prefer to be able to sign up for things without giving out any contact
info until a service proves useful enough to deserve it. Also, what happens
when your email account gets closed unexpectedly? You'd have to give multiple
forms of contact to avoid problems. Fine for stuff like banks, but not for
cool-new-service-of-the-day.

~~~
r3bl
Use your own domain and just switch email providers?

Yeah, it costs a bit and requires some understanding, but at least among the
HN crowd that's not an unsolvable problem.

------
JohnTHaller
I have 808 passwords, all unique. All stored encrypted in KeePass with an
easily remembered but complex password as well as a 1K key file to access. The
key file was copied via sneakernet from desktop to laptop, phone, and tablet.
The password database is as well (which does add some security for some
inconvenience), though I may switch it to a cloud drive at some point as I
have setup for others.

This setup is free and more secure than a cloud-hosted service. It also never
goes 'down'.

~~~
Mirioron
You could have two password databases: one with less important stuff that you
sync through the cloud and another one with the very important stuff that
never touches the internet.

------
jccalhoun
I'm amazed that so many people who are otherwise smart do not use a password
manager. I have been sitting with friends and one says "ugh. I hate when you
can't remember a password and have to reset it." I suggest using a password
manager. It is easy and takes less than 5 minutes. "Ugh. Sounds like a
hassle..." And none of their pics or personal data are backed up either.
Grrrr...

~~~
beatgammit
Yup, I started using one, and now I only need to remember one password, and
the rest of my passwords are as random as possible. If I forget that one
password, I'm pretty screwed, but at least I'm not reusing the same password
in multiple places.

I honestly think it's irresponsible to not use one these days...

------
cesnja
While waiting for /.well-known/change-password to happen, there's a project
[1] that already enables automating password update on many web pages.

[1] [https://github.com/ddevault/pass-rotate](https://github.com/ddevault/pass-rotate)

------
zxcvbn4038
I'm a bit over 400 passwords; the password vault was a game changer for me, so
I have 400 unique passwords. I think the next big leap will be having 400
unique user IDs, but that is not feasible today since most sites want you to
have a verifiable e-mail and most email providers are still doing the 90s
style: one name is one account, even though most email providers don't charge
any longer (I love you, Proton Mail, but you're about three decades too late; no
matter how awesome your security is, you need to rethink your business plan).

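The per-site identity scheme that gregmac describes above (a unique address per site via a catch-all domain, plus random usernames where the name does not matter) and that zxcvbn4038 wishes for here, as an added example in Python; this is not code from the blog post or from any password manager. The catch-all domain and the secret are hypothetical. The one addition over the plain "site-name@catchall" approach is an HMAC tag in each alias, so that when spam arrives you can tell a genuinely leaked alias from one a spammer guessed or forged from a site's name.

```python
"""Added example: per-site email aliases and throwaway usernames.

CATCHALL_DOMAIN is a hypothetical domain whose MX accepts any local part;
the secret would in practice live in the password manager alongside the
passwords it protects."""
import hashlib
import hmac
import secrets
import string
from urllib.parse import urlsplit

CATCHALL_DOMAIN = "mail.example.net"  # hypothetical catch-all domain
TAG_LEN = 8                           # hex chars of the HMAC kept in the alias
USERNAME_ALPHABET = string.ascii_lowercase + string.digits


def site_key(site):
    """Normalise a URL or bare host to the key the alias is derived from, so
    'https://www.Example.com/signup' and 'example.com' get the same alias."""
    if "//" not in site:
        site = "//" + site
    host = (urlsplit(site).hostname or "").rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    if not host:
        raise ValueError("no host in %r" % site)
    return host


def _tag(host, secret):
    return hmac.new(secret, host.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def alias_for(site, secret):
    """Per-site address: <host>-<tag>@CATCHALL_DOMAIN.

    The host tells you who leaked the address; the tag, an HMAC of the host
    under a secret only you hold, stops a spammer from guessing the alias you
    use anywhere else and lets site_from_alias() reject forged labels."""
    host = site_key(site)
    return "%s-%s@%s" % (host, _tag(host, secret), CATCHALL_DOMAIN)


def site_from_alias(address, secret):
    """Given an address that just received mail, return the site it was
    issued to, or None if the tag does not verify (forged or mistyped)."""
    local, _, domain = address.rpartition("@")
    if domain.lower() != CATCHALL_DOMAIN:
        return None
    host, sep, tag = local.rpartition("-")
    if not sep or len(tag) != TAG_LEN:
        return None
    return host if hmac.compare_digest(tag, _tag(host, secret)) else None


def random_username(length=12):
    """Username with no link to the email address or to any other site.
    Starts with a letter because many sites reject a leading digit."""
    if length < 2:
        raise ValueError("username too short")
    first = secrets.choice(string.ascii_lowercase)
    rest = "".join(secrets.choice(USERNAME_ALPHABET) for _ in range(length - 1))
    return first + rest


if __name__ == "__main__":
    secret = secrets.token_bytes(32)
    for site in ("https://shkspr.mobi/blog/", "www.Example.com", "my-forum.org"):
        print(site, "->", alias_for(site, secret), random_username())
    leaked = alias_for("my-forum.org", secret)
    print("mail to", leaked, "came via", site_from_alias(leaked, secret))
    print("forged label verifies as:", site_from_alias("bank.example-" + leaked.split("-")[-1], secret))
```

Blocking a leaked alias is then a one-line rule at the catch-all, and the tag check means a spammer who learns that your aliases look like `<site>-<tag>@` still cannot mint a working one for another site without the secret.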
------
vonseel
It’s not really painful to search through 800 passwords when logging in to a
website. I have a similar sized 1Password database - actually, just checked,
it’s 895 - and I’ve not once had issues with it.

Just another person looking for something to complain about.

------
DigitalVerse
I feel a lot better that I only have 123 passwords in my vault now, and some
of those are definitely duplicates.

------
stunt
Spring digital cleaning is going to become a thing very soon.

~~~
blfr
I don't think so because unlike physical space, virtual space is borderline
free and getting cheaper. What is the cost of maintaining a database of 800
passwords? The same as one with 80 passwords.

~~~
yjftsjthsd-h
Yep, and there's ease of expansion, too; if I want another hundred square feet
of space in real life, I either need to get a new place to live or start
renting storage units, which is a huge pain. If I wanted to add terabytes of
storage to my digital existence, I would go to the store and spend like $200
for an absolutely massive amount of storage. And a mostly full house is a pain
to live in, but a mostly full hard drive is at worst a modest inconvenience to
search through (well, if you're really low on space I suppose writing is
annoying).

------
solarkraft
You use a password manager.

------
mrmondo
2,067 at latest count... (I know it's not a competition, but interesting
nonetheless).

------
diminoten
Doesn't trust centralized logins but trusts password manager...

~~~
zxcvbn4038
The difference is that you control your data with the password manager, not a
third party that can be bribed or coerced to grant access on your behalf or to
hand over data associated with you.

~~~
ttoinou
Okay, but still, your pwd manager could get hacked

~~~
jobigoud
Completely different threat model. Unless you use an online password manager,
the only copies of the file are on machines you control. Plus the file is
encrypted and requires a password that only exists in your head. So now you
need physical access and physical violence to break that scheme.

~~~
zxcvbn4038
As always, using a second factor like a YubiKey is also a good idea. Unless
you're that guy who leaves the key plugged into his laptop all the time. I think
I'm going to go around the office one day and replace all the YubiKeys I find
with Hershey's miniature chocolate bars.

