Hacker News new | past | comments | ask | show | jobs | submit login

>My password manager is usually pretty good at letting me know if I've got a "normal" account with user/password, but it doesn't do anything to remind me if I ought to log in with one of the other services.

Doesn't it somewhat defeat the purpose of using a password manager if you use one account to sign into multiple sites?

Sign on services from main accounts seem like security flaws. If you use one main account resonsible for all your 'main things' to sign in to all the 'other things' that gives one vector of attack to enter or compromise 'all the things'.

Password managers exist to make the management of many things as easy as one thing, not to adapt to using one thing for everything, that's pretty much the opposite of what a password manager does.

Sign on services don't exist for convenience, despite being marketed that way, they exist to increase data collection abilities. Password managers exist to make using multiple accounts as easy as using a sign on service, that's the point. They should be separate from existing providers. They are an alternative to them.






First of all, you need a password manager no matter what even if you use Facebook etc., because not everybody supports Facebook etc.

Second, it often still takes a lot of work to create a new account on a site, even with a password manager. Selecting a username, discovering it's taken, selecting another one, generating a random password, pasting it into a second field to confirm the password, unchecking "send me updates", going to my email to find the confirm link, blah blah blah.

If I just want to do something quick on a site (like see a Quora answer or Medium post), it can be far easier to just click "log in with Google" and see the content in 5 seconds rather than 5 minutes while you wait for the damned account confirmation email.


The username dance is why I often use a random string as a username. I was delighted to discover that my first name was an available username at my bank, until my login kept getting locked due to too many failed login attempts. I had a 15-character random password, so no danger there, but repeatedly calling to have my account unlocked was a pain. I changed my username to a different 15-character random string, no problems since.

Tangent: I signed up for a US TD account recently (in person). They had me write down the username I wanted, so I used LastPass on my phone to generate another random username. They obligingly made me an account with username "ajdgsbrjcobsdhfwvfk" - and password "tdbank123". Yes, I was required to change it on first login, but no, there was no attempt to verify that I was the one doing the changing (birthdate, SIN, etc).


> Doesn't it somewhat defeat the purpose of using a password manager if you use one account to sign into multiple sites?

Yes. Password managers exist to solve the problem of credential reuse; third-party login exists to implement credential reuse. They are fundamentally opposed.


The credentials are at least not in multiple databases and stand some chance of being more secure, so it’s not as bad as with direct credential reuse, but yes, if you do compromise that one identity provider you’re in big trouble.

With Social SSO, you essentially are passing the trust from some random company getting hacked and revealing your re-used password, onto the shoulders of internet giants like Facebook, Google, Twitter, Apple, etc and putting the trust on them, that they know what they are doing in terms of security.

I still agree that they are variants of the same fundamental problem (a single credential protects all of your logins) and that Password Managers are a vastly superior solution to this problem.

But it is worth pointing out that for the layman, using Sign in With Facebook/Apple/Google, is better than single credential re-use.

When I say "layman", I mean people like my mom and grandma. I have tried to get my mom to use a password manager (went as far as to set it up for her, and pay for it) but she just reverts to a simpler solution (which is Social SSO). If she weren't using Social SSO, she would be using her same Facebook password for every site on the internet. So as much as I personally loathe Facebook, I do trust Facebook for securing my Mom's credentials far more than the random scrapbooking website she is creating an account for. In this case, I am grateful that she is using Sign In With Facebook, even though I would never consider such an action for myself. So it is a small step in the right direction.


Aren't password managers, especially cloud-based ones like LastPass, also the same thing: they hide all your passwords behind a single master password (and a MFA optionally).

Granted, their only job is to secure your passwords, but it's effectively equivalent to a single SSO service from a protection standpoint (if all your accounts would accept that SSO login).




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: