
> Doesn't it somewhat defeat the purpose of using a password manager if you use one account to sign into multiple sites?

Yes. Password managers exist to solve the problem of credential reuse; third-party login exists to implement credential reuse. They are fundamentally opposed.

The credentials are at least not in multiple databases and stand some chance of being more secure, so it’s not as bad as with direct credential reuse, but yes, if you do compromise that one identity provider you’re in big trouble.

With Social SSO, you are essentially passing the trust from some random company getting hacked and revealing your re-used password onto the shoulders of internet giants like Facebook, Google, Twitter, Apple, etc., and putting the trust on them that they know what they are doing in terms of security.

I still agree that they are variants of the same fundamental problem (a single credential protects all of your logins) and that password managers are a vastly superior solution to this problem.

But it is worth pointing out that for the layman, using Sign in With Facebook/Apple/Google is better than single credential re-use.

When I say "layman", I mean people like my mom and grandma. I have tried to get my mom to use a password manager (went as far as to set it up for her, and pay for it) but she just reverts to a simpler solution (which is Social SSO). If she weren't using Social SSO, she would be using her same Facebook password for every site on the internet. So as much as I personally loathe Facebook, I do trust Facebook for securing my Mom's credentials far more than the random scrapbooking website she is creating an account for. In this case, I am grateful that she is using Sign In With Facebook, even though I would never consider such an action for myself. So it is a small step in the right direction.


Aren't password managers, especially cloud-based ones like LastPass, also the same thing? They hide all your passwords behind a single master password (and optionally MFA).

Granted, their only job is to secure your passwords, but it's effectively equivalent to a single SSO service from a protection standpoint (if all your accounts would accept that SSO login).
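The three trust models argued about in this thread (one password reused everywhere, a password manager holding a random password per site, and Social SSO delegating every login to one identity provider) can be compared concretely by asking what an attacker gains from breaching a single party. The following is an added example, not code from any commenter or from any password manager or identity provider; the site names, the `World` model and the rule that a breached party leaks whatever plaintext credential it handled are all assumptions made for the illustration.

```python
import hashlib
import secrets

# Constructed sample parties for the demo.
SITES = ["scrapbooking.example", "bank.example", "forum.example"]
IDP = "idp.example"  # the "Sign in with ..." identity provider


def _hash(password: str, salt: bytes) -> bytes:
    # Small scrypt cost so the demo runs quickly; raise n for real deployments.
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 12, r=8, p=1, dklen=32)


def _record(password: str):
    """Salted verifier a party stores instead of the plaintext password."""
    salt = secrets.token_bytes(16)
    return salt, _hash(password, salt)


def _check(record, password: str) -> bool:
    salt, digest = record
    return secrets.compare_digest(digest, _hash(password, salt))


class World:
    """Who verifies which login, and which plaintext each party has handled.

    Assumption of the model: a breached party leaks the plaintext credential
    it handled (phished, logged, or cracked offline), not just its hash.
    """

    def __init__(self):
        self.verifiers = {}  # party -> (salt, hash)
        self.delegates = {}  # site -> party that actually checks the password
        self.seen = {}       # party -> plaintext credential it handled

    def add_site(self, site: str, password: str) -> None:
        # The site verifies the password itself, so it handles the plaintext.
        self.verifiers[site] = _record(password)
        self.delegates[site] = site
        self.seen[site] = password

    def add_sso_site(self, site: str) -> None:
        # The site delegates to the IdP and never sees a password at all.
        self.delegates[site] = IDP

    def set_idp(self, password: str) -> None:
        self.verifiers[IDP] = _record(password)
        self.seen[IDP] = password

    def login(self, site: str, password: str) -> bool:
        return _check(self.verifiers[self.delegates[site]], password)

    def blast_radius(self, breached_party: str) -> set:
        """Sites the attacker can log into using what the breached party leaked."""
        leaked = self.seen.get(breached_party)
        if leaked is None:
            return set()
        return {site for site in self.delegates if self.login(site, leaked)}


def reuse_world() -> World:
    """One human-chosen password typed into every site."""
    world = World()
    password = "hunter2-scrapbook"  # constructed sample
    for site in SITES:
        world.add_site(site, password)
    return world


def manager_world() -> World:
    """Password manager: independent random password per site."""
    world = World()
    for site in SITES:
        world.add_site(site, secrets.token_urlsafe(24))
    return world


def sso_world() -> World:
    """Social SSO: every site delegates to one identity provider."""
    world = World()
    world.set_idp("hunter2-facebook")  # constructed sample
    for site in SITES:
        world.add_sso_site(site)
    return world


if __name__ == "__main__":
    for name, world in [("reuse", reuse_world()), ("manager", manager_world()), ("sso", sso_world())]:
        print(name, "breach of scrapbooking:", sorted(world.blast_radius("scrapbooking.example")))
    print("sso breach of IdP:", sorted(sso_world().blast_radius(IDP)))
```

Breaching the scrapbooking site takes every account in the reuse model, only that one account with a password manager, and nothing at all under SSO, because the site never handled a credential; the price of SSO is that the identity provider is the one party whose breach takes everything, which is the point both sides of the thread agree on.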
