Hacker News
I Have 800 Passwords (shkspr.mobi)
56 points by edent 28 days ago | 60 comments

I'm not sure what the big deal of this is. I've been using a password manager for many years now, and have no idea how many total passwords I have, nor do I care. I don't ever look at the full list (only search it), and there's really no cost to having lots.

In fact, many times, I've gone to a site for what I thought was the first time, and was surprised to see I had an account already. If I had done a purge, I probably would have deleted a bunch of sites like this. My account would still be there, but inaccessible.

I also use a unique email for every site (via a catch-all subdomain), and in the past couple years, also started making random usernames for any sites where I don't care about the username (e.g., no social component). This helps protect me from compromised sites, because I can block the email address if I get spammed by it. I think I've only done that once in the past 15+ years, though spam filters also really make this a non-issue for me these days.

I also have hundreds and hundreds of logins and my issue is that every week now some site gets breached. A lot of them are super old and I'd prefer to have the site delete all my info, but it's too time consuming to manually do that.

That /well-known/ idea is great. There should be a /well-known/permanently-delete, so that my password manager can scrub my old accounts with one click.

Cleaning accounts from your password manager and cleaning your accounts from the internet are two very different things. The article and my comment were about the former.

I agree with you though, that a well-known url for delete would be good. However, there's likely to be a high correlation between sites that get breached and sites that don't follow best practices, including implementing optional URLs like that.

In general, it's also easy to see why a lot of (non technical) site/product owners wouldn't want to implement that: "why do I care about making things easier for people that want to terminate doing business with me?" Until a majority of users are using a browser/plugin that warns about this ("non trustworthy site: this site does not implement well-known password change or delete account interfaces") I suspect there won't be much adoption, unfortunately. This proved to work well to get SSL widely deployed, so the question is if there can be enough momentum to do it again for these functions.

I don't think sanitizing or deleting online accounts is that time consuming. I have about 600 accounts listed in my password manager, about 300 of which are categorized as either offline or deleted.

Starting late last year I went through my accounts and started either deleting the ones I have no intention of using in the future or, if deletion is not an option, sanitizing them. It doesn't take that long to sanitize 10 accounts, and takes even less time to identify whether a website is still online. I've probably sanitized or deleted around 100 accounts now, starting with the ones I guessed would have the most data on me.

I've also been pleasantly surprised by how helpful most webmasters have been with removing or sanitizing PII if they won't let you delete an account.

One notable exception: Airbnb. They claim online that they will delete your account if asked but refuse if you do ask. I had no intention of using Airbnb in the future, but now I'll actively discourage others from using Airbnb.


I know (from your site) that you're not European, but to any EU citizens out there reading: Know your rights. You can unequivocally request deletion of your personal data, including your account, if it's known to be stored somewhere on the internet (edit: or even off the internet. Physical records are covered!). There are rare exceptions (e.g. financial data required for tax purposes, security/compliance, …), but I've never seen it be an issue. And if it is an issue, there are enforcement organizations that will help.

Too bad that almost all sites you'd actually want to use or have used are outside of the EU. Unless it's a big site they probably have no EU presence and there would be no way for the EU to do anything.

I don’t know if you are right. Being hosted outside the EU doesn’t seem to exempt companies that handle EU citizens' data from complying with EU privacy laws.

On paper that's not correct. In practice, what you're saying is likely sometimes true, but I have yet to encounter it.

Smaller sites generally have people on hand and are still human enough that they will at least try to accommodate you manually if needs be. And if they're being annoying with you, and you are pretty explicit about the nature of your request, specific about your rights under GDPR, etc. they'll either get scared enough to do it, or figure you're not worth the trouble and do it so you stop complaining.

Really the most annoying services I've dealt with GDPR-wise are in fact large corps with EU presence (sometimes EU-only!), that just don't have enough human elements in their chain to talk to you like a person. And this is something where it's very comforting to know you do wield a lot of legal power to rectify these issues.

That /.well-known/change-password redirection is very clever. Easy to implement, and could automate a lot of things (good or bad, obviously it relies on your password change strategy to be good [0]).

I've only discovered (ironically) the .well-known scoped routes with LetsEncrypt, and more recently with Keybase's validation [1] and security.txt [2]. Is there a global registry that lists initiatives that make use of this route?

[0] https://www.troyhunt.com/everything-you-ever-wanted-to-know/ (warning, some NSFW content)

[1] https://keybase.io/

[2] https://securitytxt.org/

IANA maintains a registry[1], but there are some notable absences. Your change-password is one example. Apple has at least one[2] and probably more URIs coded into Safari that aren't listed.

[1]: https://www.iana.org/assignments/well-known-uris/well-known-...

[2]: https://developer.apple.com/library/archive/documentation/Ge...

EDIT: typo

Nextcloud uses it for at least three purposes: /.well-known/carddav (redirects to contacts), /.well-known/caldav (redirects to calendar), /.well-known/webfinger (for discovering users via ActivityPub).
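As an added illustration of how little it takes to serve the `/.well-known/` redirects discussed in the comments above (this is example code written for this page, not Nextcloud's or any other project's implementation; the destination paths are assumed placeholders), here is a minimal WSGI app. The mapping is fixed and nothing from the request is copied into the `Location` header, so the endpoint cannot be abused as an open redirect; unknown `/.well-known/` paths return 404 rather than a catch-all 200, because a site that answers 200 to every path makes discovery of these routes meaningless.

```python
"""Added example: serving .well-known redirects from a tiny WSGI app.
Not code from any project named in the thread; target paths are assumed."""
from wsgiref.simple_server import make_server

# Fixed table of well-known URI -> destination on this site.
# All destinations are assumed placeholders; adjust to your real routes.
WELL_KNOWN_REDIRECTS = {
    "/.well-known/change-password": "/account/password",  # assumed path
    "/.well-known/carddav": "/dav/",                        # assumed path
    "/.well-known/caldav": "/dav/",                         # assumed path
}


def well_known_app(environ, start_response):
    """WSGI callable: redirect known well-known URIs, 404 everything else."""
    path = environ.get("PATH_INFO", "")
    method = environ.get("REQUEST_METHOD", "GET")

    if path in WELL_KNOWN_REDIRECTS:
        if method not in ("GET", "HEAD"):
            start_response("405 Method Not Allowed",
                           [("Allow", "GET, HEAD"),
                            ("Content-Type", "text/plain")])
            return [b"method not allowed\n"]
        # Destination comes only from the static table above, never from
        # the request, so there is no open-redirect surface here.
        target = WELL_KNOWN_REDIRECTS[path]
        start_response("302 Found",
                       [("Location", target),
                        ("Cache-Control", "no-store"),
                        ("Content-Type", "text/plain")])
        return [b"" if method == "HEAD" else target.encode() + b"\n"]

    # Anything else under /.well-known/ (or elsewhere) is a real 404,
    # so clients probing for support get an honest negative answer.
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found\n"]


def respond(path, method="GET"):
    """Drive the app in-process; returns (status, headers dict, body bytes)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"PATH_INFO": path, "REQUEST_METHOD": method}
    body = b"".join(well_known_app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Local test server; e.g. curl -i http://127.0.0.1:8000/.well-known/change-password
    with make_server("127.0.0.1", 8000, well_known_app) as httpd:
        httpd.serve_forever()
```

Run it and fetch `/.well-known/change-password` with `curl -i` to see the 302 and its `Location`; a quick way to check a deployment is to also fetch a made-up `/.well-known/` path and confirm it does not return 200.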

I try to prune my passwords of obsolete or unused accounts about annually or so, making it a much simpler task.

One of my pet peeves is a site that lacks a 'Delete Account' option.

I really like this "well known" "change password" scheme... Hopefully that gains traction!

Just send a GDPR request.

Try doing that on HN.

Does that actually work for websites and users not in Europe?

Doesn't hurt to try.

I have yet to prove that I am European when submitting requests for data and removal.

Are you saying that those DSARs are leaking data then? Because if they don't sufficiently check whether you're who you claim you are then that sounds like a great way to collect personal data on someone.

So far it seems that the "sender" field in the email is enough. I suspect they would do it with a Reply-To: header as well, so yes, many are probably leaking in this way.

It's a bit different for the companies that operate using a SSN of course.

Relatively off topic, but I didn't know about BitWarden and stuck with LastPass since it's the only one that didn't have particular limitations for free users, but I find it a bit clunky. BitWarden looks amazing and I will definitely give it a shot!

BitWarden is much better than LastPass and Dashlane IMHO.

LastPass's UI has much to be desired and is quite buggy.

Dashlane has a nice UI but I find it much too slow and there were times that their extension would just freeze my machine (tried multiple devices). Also was quite buggy too. Not the cheapest either.

Bitwarden seems pretty solid though, it's cheap for the premium service. Has a nice UI too. Their iPhone/Android apps are decent also.

I just switched from LastPass to BitWarden and I am so happy. The LastPass admin panel was so slow and clunky and BitWarden is the exact opposite. I highly recommend switching. (I know a password manager is more than just about the interface but the UI is important to me.) The browser plugin and mobile app have also been working flawlessly for me.

I'm sure this will trawl up some anti-google opinions, but I've had a good experience with Smartlock. If you're bought into the chrome ecosystem it works very well. I'm aggressive about getting rid of old accounts and probably only have 40-50 current passwords in it. I like how reliably it fills in login forms and I also like being able to hit passwords.google.com on any device. Of course I also pair this with a very strong master password and MFA.

Bitwarden has been nice. I migrated from 1password and while I can easily recommend both, I think I like Bitwarden more, especially on Android where the fill service works more consistently.

Bitwarden uses an electron app. For that reason alone I could never switch to it.

What do you even need the app for? You can just use the browser extensions. I also just tried the desktop app and it's not too bad for an electron app, not particularly good either tho.

Is using electron/chromium an actual problem? Assuming it works, would you say the same thing if it was made in winforms on .net framework 3.5, or something as old as Qt 3?

It's one of the better electron apps I've used. I also like to avoid them (actually you can just run the website in a browser), but "open source" definitely is far in front of "doesn't use electron/any web tech" in my list of priorities.

The app itself is not strictly needed except on mobile where it's not electron. The browser extensions are free-standing. I don't use the app.

I just checked my LastPass acct... I have over 1600 passwords saved. I don't see this as a problem. It doesn't slow anything down, it doesn't add complexity to my life. It's not unsafe in any way. It's fine.

To 90% of my online accounts I just do the reset password flow every time I need to log in.

Most accounts I use a few times a year I don't care for the overhead of remembering of dealing with a password manager to save me a few minutes every year.

And yet, Mozilla's Persona project died. It still makes me sad.

So we don't actually need passwords. For many services magic links are better (imho)

I'd prefer to be able to sign up for things without giving out any contact info until a service proves useful enough to deserve it. Also, what happens when your email account gets closed unexpectedly? You'd have to give multiple forms of contact to avoid problems. Fine for stuff like banks, but not for cool-new-service-of-the-day.

Use your own domain and just switch email providers?

Yeah, it costs a bit and requires some understanding, but at least among the HN crowd that's not an unsolvable problem.

For most services I totally agree, magic links to email accounts are better.

Lots of people seem to be concerned over the "single point of failure" that provides, but honestly for most of these accounts if I lost access to them, then I'll just make another. Heck, my username is admax88q because I forgot/lost the password to admax88.

I really don't care if worst case I have to make new accounts for Newegg/Aliexpress/Amazon/Medium/reddit/HN/twitch/dailymotion/(insert random startup app I'll probably only try once)

The problem with magic links is that it makes your email address a single-point-of-failure. It's also a rather inconvenient workflow having to switch to another app or webpage.

Email is still the biggest single point of failure for almost every account, excluding things like Apple with 2FA and (good) banks, even without magic links being a thing.

I do agree that it's inconvenient to have to switch to another tab/window whenever you want to log in though, this is a problem solved with password manager browser extensions.

This is what OpenID was supposed to solve - you can have one password, on a site you own, that is your master key.

The problem is that every implementation is 99% the same and 1% WTF, so the concept never caught on. So now we have FB and TWTR and GOOG and no other options.

I can't say it has caught on, but there exist _some_ sites where I can login with my own website. https://indieweb.org is a good example of that.

There are also tools like https://indielogin.com that make it easier to add support for that to your own site.

I have 808 passwords, all unique. All stored encrypted in KeePass with an easily remembered but complex password as well as a 1K key file to access. The key file was copied via sneakernet from desktop to laptop, phone, and tablet. The password database is as well (which does add some security for some inconvenience), though I may switch it to a cloud drive at some point as I have setup for others.

This setup is free and more secure than a cloud-hosted service. It also never goes 'down'.

You could have two password databases: one with less important stuff that you sync through the cloud and another one with the very important stuff that never touches the internet.

I'm amazed that so many people who are otherwise smart do not use a password manager. I have been sitting with friends and one says "ugh. I hate when you can't remember a password and have to reset it." I suggest using a password manager. It is easy and takes less than 5 minutes "ugh. Sounds like a hassle..." and none of their pics or personal data are backed up either. Grrrr...

Yup, I started using one, and now I only need to remember one password, and the rest of my passwords are as random as possible. If I forget that one password, I'm pretty screwed, but at least I'm not reusing the same password in multiple places.

I honestly think it's irresponsible to not use one these days...

While waiting for /.well-known/change-password to happen, there's a project [1] that already enables automating password update on many web pages.

[1] https://github.com/ddevault/pass-rotate

I’m a bit over 400 passwords; the password vault was a game changer for me, so I have 400 unique passwords. I think the next big leap will be having 400 unique user ids, but that is not feasible today since most sites want you to have a verifiable e-mail and most email providers are still doing the 90s style: one name is one account, even though most email providers don’t charge any longer (I love you Proton Mail, but you're about three decades too late; no matter how awesome your security is, you need to rethink your business plan).

It’s not really painful to search through 800 passwords when logging in to a website. I have a similar sized 1Password database - actually, just checked, it’s 895 - and I’ve not once had issues with it.

Just another person looking for something to complain about.

I feel a lot better that I only have 123 passwords in my vault now, and some of those are definitely duplicates.

Spring digital cleaning is going to become a thing very soon.

I don't think so because unlike physical space, virtual space is borderline free and getting cheaper. What is the cost of maintaining a database of 800 passwords? The same as one with 80 passwords.

Yep, and there's ease of expansion, too; if I want another hundred square feet of space in real life, I either need to get a new place to live or start renting storage units, which is a huge pain. If I wanted to add terabytes of storage to my digital existence, I would go to the store and spend like $200 for an absolutely massive amount of storage. And a mostly full house is a pain to live in, but a mostly full hard drive is at worst a modest inconvenience to search through (well, if you're really low on space I suppose writing is annoying).

And a Marie Kondo-like strategy for determining which of your subscriptions/memberships/accounts "spark joy".

You use a password manager.

2,067 at latest count... (I know it’s not a competition, but interesting nonetheless).

Doesn't trust centralized logins but trusts password manager...

The difference is that you control your data with the password manager, not a third party that can be bribed or coerced to grant access on your behalf or to hand over data associated with you.

Okay, but still, your pwd manager could get hacked

Completely different threat model. Unless you use an online password manager, the only copies of the file are on machines you control. Plus the file is encrypted and requires a password that only exists in your head. So now you need physical access and physical violence to break that scheme.

As always, using a second factor like a YubiKey is also a good idea. Unless you're that guy who leaves the key plugged into his laptop all the time. I think I’m going to go around the office one day and replace all the YubiKeys I find with Hershey's miniature chocolate bars.

If one uses Windows one could get hacked any time. Global pwd would be stored in RAM. But yeah if you're a security freak on Linux it's a good idea !

OpenID isn't built like that...

