Hacker News new | past | comments | ask | show | jobs | submit login
Ask HN: I have 176 logins/accounts. How many do you have?
185 points by bojangleslover 14 days ago | hide | past | favorite | 293 comments
Here is a screenshot of my Bitwarden: https://imgur.com/a/UdG7Inb

They include some really important things such as:

Health insurance G-Suite for work Bill.com (which I use to get paid) IRS.gov (which I use to get un-paid) UK Companies House Register Interactive Brokers My bank

Obviously, anything with OAuth is "bundled" into my Google account. So if anything this is a huge underestimate.

I'm asking because of how insane auth has become. I know companies like OnePassword and Bitwarden are working on this and overall they do a great job. But I still have a near-stroke every time I have to do the "forgot my password" loop, or use Duo Mobile/other 2FA.

The only really good auth feature I've ever encountered has been Apple's "fill from Messages" feature as well as their Touch.

If I need to login to your site less than once or twice a year, "Forgot my password" is my password manager. Personally, I feel that the utility of me working to keep and maintain that information in a database for high availability is essentially zero.

As a result, I store very few accounts overall and checking out as "guest" hasn't been a problem of any sort. There's like 10 critical things that I feel the need to store the password on and they all use a hardware key for 2fa anyways.

For the two accounts that I absolutely can't lose access to, I just used the "Correct Horse Battery Staple" method and came up with two very long and secure passwords that I have no trouble remembering.

I don’t think there’s really any “maintaining” to be done when I sign in to a new service that I won’t be using often. Complete the sign-in page → Bitwarden asks me if I want to save the credentials → click yes. That’s it. I can auto-fill that the next time I log in.

For websites I really don't care about, I just get a disposable email on dropmail, and copy paste the email address to both the email and password fields to save time. Surprisingly, some websites check this and won't allow you to set your password to your email, but removing the last character or adding a 1 at the end works around it.

Why even go to that much trouble?

If it’s truly a throwaway I just use an email address like shitsinthewoods@mailinator.com, grab what I need, and go on with my life. If I ever happen to need to login again, I’ll just send a password reset to the mailinator address and once again carry on with life.

There are a lot of services that disallow email addresses to services like mailinator. That's why I stopped using them, and instead, I have a special "garbage" address on my mailserver.

Problem I find is being sure I "really don't care about it". Sometimes sites become more useful than I expect, etc etc.

problem is that sometimes these websites takes forever to send password recovery email.

especially if they use some sort of cheap cloud service to send email/sms, then it can take 15-20 minutes to receive password reset link

have you not encountered cases like these?

The problem usually isn't that it's a cheap cloud service, the problem is usually that their cron task is hourly, or more commonly, their scheduled tasks depend on a non-cached page of their website being hit (how people generally mismanage WordPress), but traffic is of course inconsistent.

It happens. There's always a compromise to make depending on the hassle to reset the password.

GoDaddy is one example.

I just use a crappy password. It's been leaked before. I don't care.

If someone wants to take over my last.fm account that I haven't used in 3 years, sure go for it.

The important accounts get a randomly generated password stored in my password manager. And the really important accounts only have half the password saved, I manually fill in the other half.

I guess that's kinda fine, but there are at least two reasons to not do this:

- Access to any of your accounts could make impersonation easier. You might not be the one who suffers from whatever they do. Or if they can assemble enough PII, you might unexpectedly have a line of credit taken out on your name.

- Many websites use some form of federated login, or a crossover kinda situation where you have a username/password login that is linked to eg a Google account. Access to the username/password account could open you up to an attack on the juicy targets.

Personally, I'd rather none of my accounts are easily compromised, but that's a pipe dream - it's not up to us to secure the services we use. So best thing to do is just use a good password.

It's easy these days to use a good password, though I acknowledge still tedious/impossible to update all of your services.

> Many websites use some form of federated login

This one's easy. Don't use federated logins for anything. They're a bad idea.

Why save half the password, versus not saving any of it at all? Is this because the password is very long and you just want to save keystrokes?

It's a lot easier to remember the second half if you know the first half (if it's a password and not a passcode)

Half of the password is randomly generated, the other half is something I add that I can derive easily (think last 5 letters of the website reversed, etc.)

That way if my bitwarden gets compromised, attacker still doesn't have my gmail, bank, etc. logins

It adds a little bit of security while being mega simple

Rofl my reaction to this was the same as when a friend complained about his todo system complications and I told him “why not email yourself”.

Simple and genius. Why am I managing all these extra passwords?!

Checking out with guest is okay, as long as you are judicious about not deleting emails.

I often order something and need to login and retrieve the order info for a return or warranty information. Or if I’m ordering an item or similar item and want to refer to prior purchase. And some ordering website absolutely do give good order tracking for Guest checkouts. We have no covered entry, so like to know when our packages will arrive if it is raining.

Yeah, I'm the same. Google and a few others. The rest all just get the new password that Firefox suggests and I don't even pay attention to what it is.

A password manager is not just a way to manage passwords. It's also a way to manage who holds your personal data, so you can GDPR request them to stop.

This. It's so valuable just to know how exposed you may be. I know a guy who missed a data leak and later got one of his accounts stolen. I think his Steam? It was way back in the day... For him, it was a cheap reminder to take passwords hygiene seriously. For someone else, it could have been a someone-took-out-a-line-of-credit-in-my-name reminder.

If I haven't used your website in the last 15 minutes and you have unconventional password requirements, I'll be logging in via email :)

Around 300 at this point, sans any deleted ones. I don't think I know a single password anymore, since they're all randomized and separate for each site.

> Obviously, anything with OAuth is "bundled" into my Google account.

Maybe it's just me, but I try to never use centralized identity providers (outside of things that I really don't care about) and use separate e-mail auth whenever possible, across multiple e-mail accounts (some self-hosted). Same with considering separate Google accounts for phones, services like e-mail, a separate one for any content creation on YouTube and so on (ideally without any of them coming in contact with one another).

The idea is that one account getting closed/suspended shouldn't result in ALL of the linked stuff becoming inaccessible. I don't even do anything weird online, it's just that nowadays you hear lots of stories about people getting banned based on some heuristics by automated systems, with no ways of getting in contact with the support. Even something like a VPN might trip those systems up. Similar things have happened to me before (a SaaS provider didn't want to do business with me) for no good reason even without a VPN, but trying a year later with the same credit card didn't result in the other account being auto-suspended. How odd.

I guess the next step would be to have usernames, phone numbers and even payment methods (apparently virtual credit cards sometimes work) also be more randomized and more compartmentalized, though something tells me it'd be a pain to do that. That said, I largely believe that privacy online is mostly dead due to how much fingerprinting there is, though one can still protect themselves from automated systems acting weird, because nobody genuinely cares about that, at least at the scale where they're needed.

> people getting banned … with no ways of getting in contact with the support

This is the most out-of-whack part in my humble opinion. Most of us have a tremendous amount of data and things like auth tokens tied up in Google, and Apple, and due to their scale and the fact that at least for GOOG it’s a “free service,” they’ve set the expectation up that “support” should be limited to searching an FAQ, and also that any account they ban must be some kind of troll account that shouldn’t be listened to. God forbid they give you a phone number where you could bother a person until your problem was solved.

Using ad-supported services for vital stuff is risky. But I know even Apple isn’t very helpful, even for those of their iCloud users who pay.

Google cornered themselves: I’d never give my credit card to Google. I switched to Apple precisely because I have my emails in Google. Even if both had non-support, it’s better to at least not have to report credit card fraud against the company who also has my emails…

I still think this is a bad idea. I never use oauth logins and believe the convenience isn't worth the dependence and security risk at all.

Exception are my work accounts. Here I am public anyway, so what gives. I think there still is a huge risk of industrial espionage, but anyway...

at least they now let download all datas when they ban an account(source: two weeks ago they accused me of being a bot, still waiting for a response to my appeal but meanwhile i've been able to download my stuff)

Agreed, enough horror stories have kept me away from using Google as OAuth. The only value I see in it is as part of SSO for employee accounts. Employee leaves and revoke access to everything.

Similar, around 290 personal accounts. In addition comes the logins and such for various internal services like Home Assistant, PiHole etc. Total over 400 in my password manager.

I keep wishing for something better.

A great start would be to reduce friction, by having some standardized interop between browsers and a password manager. Like, my browser shouldn't know or care about passwords, it should just mediate the authentication request to my chosen password manager through some standardized means.

> some standardized interop between browsers and a password manager. Like, my browser shouldn't know or care about passwords, it should just mediate the authentication request to my chosen password manager through some standardized means.

This way lies dragons. Browsers are among the most complicated software that most people run on their machines these days, and the number of bugs lurking in them is probably large.

I don't use any browser plugins for password managers, choosing instead either to copy/paste them by hand from my password manager, or using xdotool or hammerspoon to type them in.

> I don't use any browser plugins for password managers, choosing instead either to copy/paste them by hand from my password manager

This is my practice, but I take it a step further. My passwords are stored in a non-networked password manager on my phone, not on any other machine. So when I need to use a password, I can't copy/paste. I have to type it in by hand.

I want maximal disconnect between my password manager and anything that uses passwords. And I never use SSO stuff, because I don't want anybody involved in authentication aside from me and the thing I'm authenticating to.

Well, the alternatives you mention are all prone to keyloggers or similar.

If you take say OAuth/OIDC, the only thing the browser needs is the token. It doesn't have to be involved in the authentication at all really, it just needs a token it can send as part of the requests.

Of course this requires that the site uses OAuth/OIDC, but hopefully that's where things are headed.

I don't disagree.. but I stopped really using oauth when realizing that I could lose access to all those services if the whim of an algorithm closes my (oauth) account.

Right, but using OAuth doesn't mean using Google, Microsoft or Facebook for everything. It's common cause it's convenient, but has issues like you say.

Someone running a Discourse forum could very well run say Ory[1] to have their own OAuth2 authentication service, if they wanted. Hopefully things like this will get a bit tighter integrated than it currently is.

[1]: https://www.ory.sh/run-oauth2-server-open-source-api-securit...

Quite the contrary, having the browser be the password manager is the way to go, and it works well today.

My only complaint is around data portability. Exporting and importing passwords should be hassle-free.

I have about 150 accounts, though some of them are logins for vendors I dealt with once, a decade or more ago.

> I guess the next step would be to have usernames, phone numbers and even payment methods (apparently virtual credit cards sometimes work) also be more randomized and more compartmentalized, though something tells me it'd be a pain to do that. --- I do that. It's no trouble. I use various usernames to 'fuzz' tracking. Yes, anyone who really cared could track me by my IP address, but trackers are like whales sieving krill; they get so much, they don't bother to look very hard.

Not even banned, one of the games I play just put out an announcement that Twitter login support might be dropped soon because of Twitter's API changes, so you better associate your account with email soon.

176 sounded so low to me I wasn’t sure if you were talking about for all sites or just HN alts.

I'm probably the one with the least.

I have 35 in my password manager. I purge the ones I don't need every 2 or 3 months. I even gave away GOG and Steam accounts to friends after years of not playing games.

Sometimes I have to send a threatening email to delete some accounts. Currently there's about 2 I'm waiting for an answer.

It's gotten worse lately: people just don't delete your account anymore :D. Because of that, I use "hide my email" and put fake personal data pretty much everywhere now. When I REALLY don't care or am just checking the service, I use a burner email.

I honestly wish I had close to zero. I really hate SaaS and I really hate websites that require a login for stupid stuff (like... a barbershop that needs login/password for scheduling haircuts? fuck off).

I'm confused about what you're fucking off. Would you prefer to schedule haircuts via a call or an anonymous online form?

Being able to schedule appointments online is one of the big wins of modern life imo: it beats waiting around on hold and laboriously explaining to the receptionist how to spell my last name.

Restaurants get the online reservation thing right, usually. With other local small businesses, it's very hit or miss and you are better off calling unless you know for sure their online system actually works.

I made an optometrist appointment online recently. Their online calendar showed which dates and times were available, so I picked the closest one which was still a few weeks out. I got an email immediately after and a text message confirmation the day before. When I went in at the correct day and time, the receptionist told me I wasn't anywhere in their system and they had no idea there was even an online appointment form. (Yes it was the correct business and they only had one location.)

My guess is that they recently paid for a website which included online scheduling and integration but someone forgot to flip the switch that sent the appointment to their scheduler.

I've seen that sales funnel (selling to the business, not to you) from the other side, integrating some "request appointment" UI where your click supposedly sets some back-office in motion that asks for an appointment with the business that might in fact never had contact with the intermediary before. Then later the sales squad will drop in arguing that all those appointments are revenue that they might lose if they don't become a customer to the full version of appointment tool.

This is not that bad in the beginning (though certainly not good!), the hopeful customer won't be promised anything before the appointment is actually made. If the presentation is sufficiently clear about the appointment hunt not really being over before confirmation it's not that bad. But even when started in a rather benign form, these things can quickly turn nasty, by skimping on the back office and/or "streamlining" the UI into a presentation that isn't clear at all about nothing being committed yet. And I'd also imagine that unscrupulous competition might be tempted to fake-register with the service in some zero-cost tier, effectively black-holing all appointment request to let the resulting Google/yelp/whatever zero star reviews ruin their competition. Which points us to the deepest tier of darkness, the appointment service knowingly claiming to have made an appointment when they haven't, betting on more of the fallout hitting the small business than themselves and using that to coerce them into buying the service (essentially a darker form of what yelp was famous for).

> Would you prefer to schedule haircuts via a call or an anonymous online form?

Why the hell no?

At worst "an anonymous form" can ask for your mobile number only to remind you about the appointment (if it's not today for example). At best it should be really optional. In both cases there is absolutely zero need for both a login and a password.

I have a local pizza joint working like that - you just punch in what you need, your number with SMS code confirmation and you are in, with your address/es and pizza coins or whatever. And they have your number to contact you if anything is wrong with the order/delivery.

Another one just asks for a number and call back to confirm with an operator.

Why the hell I do need a login, a password and email|Facebook|whatever for a pizza delivery?

I want to pick a particular barber at my shop. They also need to know that I’m not a prankster who books a bunch of time slots with no intention of showing. Providing a mobile number (which needs to be confirmed) is a good way to accomplish both. I don’t get any spam from my shop, and would definitely complain if I did. But right now it’s a system that works really well for both of us.


i can make appointments for my country's embassy by picking a time slot and giving them my email address. confirmation then comes by email. no login and password needed.

Neither. I can already schedule in other barbershops, make government appointments, book hotels, purchase food, order guitars online, and several other things, all online and without a login/password. Not anonymous, just doesn't involve an account and a password.

I'd like to do this there, too. I sorta already do: I use "hide my password" for their website and delete it after the appointment.

There are things that work anonymously (or at least pseudonymously) already: pizza delivery or hotel booking. It's not like the data presented at a random registration form has to reflect your government ID. Skipping the login step just saves the hassle, and preserves the win of being able to do things online.

Exactly. Purchasing with a guest login works fine for most shops here.

In this specific case I was talking about it's even worse: I already have to click a link in the email (or answer an SMS) to confirm the appointment. It's ludicrous.

> Would you prefer to schedule haircuts via a call or an anonymous online form?

I 100% prefer to schedule appointments over the phone. That's never gone wrong for me, where scheduling online has gone very wrong quite a lot.

a barbershop that needs login/password for scheduling haircuts? fuck off

If it takes reservations, it's not a barber shop. It's a beauty salon.

That may have been true 10 years ago. Today, it just means the shop is using some popular booking SaaS to get exposure, as a good chunk of would-be customers don't even use web search engines anymore for this - they go to the usual booking site and type in "barbershop" or whatever, and pick from the list there.

Well excuse me for wanting to know that my barber has availability before I walk in

Telling "Beauty Salons" to fuck off has been the correct answer for 20+ years. The reasons may change (actually, they only get added to), but the reply stays the same.

The elites don’t want you to know this but the accounts on the Internet are free you can take them home I have 458 accounts.

Every time you "log-in", you're increasing your carbon footprint :-)

Most of the logins are sequestered in the password manager, for which I get a moderately decent subsidy from the government.

Shit, just looking at the replies, there's a solid case for password managers. No normal human is going to memorize 100+ unique passwords meeting various complexity requirements. It almost makes shaming people for re-using passwords look like you're out of touch. Of course they're following bad practices, how could they not be?!

This. And password managers can do more by constantly checking latest account breaches like on https://haveibeenpwned.com then flagging it to their customers to rotate their credentials.

There's a case for that even if you just have 5 important accounts. If the account matters, give it a long random password.

There's an unfortunate correlation between how long and complex my password is and how I often I have to manually type it in. Microsoft are really good in this regard, and you almost never have to type in your password once you have the Authenticator set up. Google isn't too bad, once you're logged in, but you still sometimes have to type out your password in a situation where having access to your password manager is not convenient. But I find Apple is the worst - I often need to type in my password, and often in situations where I don't have access to my password manager.

IIRC, Treasury.gov makes you enter your password by clicking buttons on a virtual, on-screen keyboard. Ugh.

They finally removed the virtual keyboard.

Do you remember when it was a random layout virtual keyboard? Good times.

Since when? As far as I know they still have the virtual keyboard and it was never random. They used to have a random seed physical card.

May 2 of this year, they posted a notification that the virtual keyboard would be removed the week of May 7 "to improve the customer experience."

They removed it approximately two weeks ago.

Thank god.

> . No normal human is going to memorize 100+ unique passwords meeting various complexity requirements.

No, they're either going to reuse their passwords or use post-its or excel.

> It almost makes shaming people for re-using passwords look like you're out of touch.

Shaming regular people for reusing passwords _is_ out of touch.

It's a solid case for FIDO2 keys.

- Inherent MFA that is faster and more secure than SMS codes, or app notifications.

- One pin code and/or biometric to remember rather than hundreds.

The answer isn't to add another layer of management to passwords, but to eliminate passwords as a method of authentication.

This. This is the only thing that actually solves all warts of authentication nowadays. Companies really should switch to a webauthn-first mindset. The technology has been here for over a decade, it's not new. There is a standrad and a library for every language, it's not hard. FIDO2 keys start at 20 bucks and every android phone can act as one, it's not expensive. They are literally the only thing that can actually protect you from phishing and they generate new login creds per domain, protecting your privacy. Companies, support webauthn!

I find those keys immensely inconvenient, though. I used them for a couple of years, but finally gave up and went back to long, randomly-generated passwords.

Yep. Password managers are quickly becoming a required utility for modern services. And oh how painful it would be to lose that. I memorize maybe 10~20 passwords. And I sometimes mix them up in my head as I type them too.

It's why we always laugh at anyone who says to "not reuse passwords".

Or a solid case for alternatives to standard username / password login concepts.

I take a pragmatic approach: the dozen logins in my life that actually matter get strong unique passwords, and everything I don't give a shit about gets the same password.

I don't know if I agree. A password manager is more pragmatic even for just a handful of accounts.

Whether it is safe or not, people can argue, but more practical? It definitely is.

It's not pragmatic, it's dangerous.

Sooner or later someone could take control of one of the accounts you don't care about and use in a way you don't expect to gain control of things you do care about.

> use in a way you don't expect to gain control of things you do care about

An example would really drive your point home. Can you provide one that people would deem "dangerous"?

Edit: ccooffee just mentioned in the thread that you could be de-anonymized by reusing the same password. Is this what you mean? There's a spectrum of comfort with privacy so maybe that's the source of the disagreement between whether it is important to have unique passwords or not for accounts that don't contain financial/SSN/medical/etc information

Socially engineered hacks are also a danger.

You might not care about what's contained in a certain online account, but there could be utility in taking control.

Beyond my accounts related to my important email addresses, Steam, finances and medical which can all be counted on one or two hands, I really couldn't give a damn about the other accounts or their password security.

Strong and unique passwords for the important accounts, simple and reused passwords for the rest. You're welcome to hack into my accounts on Hacker News, Reddit, Discord, LINE, various IRC networks, various forums, etc. I don't care; there's nothing important in there besides sentimental value.

On its own, the information in those private accounts is probably not interesting. I used to use the "few sites get a unique and secret password, but most reuse the same 10 character one" ruleset, but I became worried about how much data could be aggregated about me. By re-using the same password, I felt like I gave a simple test that attackers could use to definitively confirm "user XYZ on site ABC is the same as ccooffee".

I'm now firmly in the "everything gets a unique password" camp. There are 4 important passwords I type myself, but everything else is in a password vault.

I take the same approach with the extra precaution that those logins also get a separate email address (with a different pseudo-strong password). Makes it really easy to share nonsense logins with my wife/family.

That's how I lost my Twitter account. Using a PW manager only for the non-important accounts is a definitive improvement at a very low cost.

I created a HN poll: (Underutilized feature)


Sorry about the (lack of) order. Looks like it's randomized? (feature)

The most infuriating auth-related thing for me is the companies that insist on doing phone-based 2FA. I'm inextricably linked to my specific phone number at this point in a way that previously was only an issue with my email address.

This. SMS 2FA has been considered insecure by NIST since 2016 [1] and it's a major pain when travelling and swapping sim cards.

[1] https://www.theregister.com/2016/07/24/nist_says_sms_no_good...

This is a beautiful catch-22 because when you can't use your SIM is also when they decide your location is too different and you must be reauthorized. The same for anti-fraud text messages, which are nice when you're home but useless when you're out of country.

Why can't I set up an Authenticator again?

I was thinking this with my health insurance website (which uses SMS 2FA), and I realized the problem is you can't expect your average Joe to know how to manage a TOTP 2FA correctly.

SMS might not be the most secure, but it's probably better than 1FA, and absolutely everyone can use it. Enter your number, receive text, boom.

There are other options though Couldn't a health insurence company make an app? Or do SSO trough google and such? Webauthn is really easy!

Controversial opinion: If you are given all these options and you cannot/refuse to use them, you shouldn't manage your insurrance trough the web. Either you are wholly computer-illiterate, deeply misinformed or you are not educated enough to use it safely.

Of course, the main issue is that companies only give SMS 2FA as an option, or only one other, like the App method, which forces users without phones to fall back to SMS. Worst part is that especially financial institutions are guilty of this.

The best solution is to create a Google Voice account and use that number for 2FA

Until Google decides to retire Google Voice...

Many MFA implementations will detect and disallow the use of VoIP numbers... for security reasons.

Yep, and this is because sim-jacking is actually less profitable than just finding records of people’s _past_ phone numbers and signing up for a voip service that supports sms for that number. And many of the voip providers just don’t do any kind of fraud prevention.

Source: I work at a place that is a natural target for this kind of thing.

I had that issue when I left a (15+ year) job with a company that owned the phone number I'd been using for both work and personal. Justification being that this was waaaaay back when mobiles were just becoming ubiquitous; Nokia 3310 days.

Not just the hassle of re-connecting the accounts, but even knowing which ones were inextricably linked to the phone number to which I no longer had access.

(I think I could have requested the number personally, but I wanted to make a clean break, and having a new phone number meant I was much more difficult to contact for any legacy issues I no longer cared about - double-edged sword)

With a version controlled password store you can do silly things like this:

  $ gource … ~/.password-store | ffmpeg … password-store.mp4
  $ publish password-store.mp4

well that's fun

940 in 1Password (I feel a lightweight that I haven't hit 4 figures yet). Stopped fighting a while back and signed up to the cloud version instead of just having Dropbox backups, partly to help onboard my family better. Haven't regretted it yet, obviously will do if/when I find out all my stuff has been hacked but blah.

Don't have numbers for my work machine upstairs, but on my phone here's how recently they were all used:

1 Day: 1 2 Days: 1 14 Days: 3 30 Days: 3 60 Days: 8 90 Days: 6

So, mostly cruft. I have a lot of stuff still done via Google auth, despite migrating all my domains and email to Fastmail couple of years back (which has been flawless since). Also, just checked, and I only have 27 entries in Authy.

Why keep score? If you have a password manager, the number is irrelevant. But: KeePass 2052. Cheating because I work for an agency... so we have hundreds of clients' passwords to store and selectively distribute to the team.

Agreed. This is utterly baffling question.

You might as well ask me how many grains there are in my salt shaker.

Interesting academic question, but seeing so many people climb on their soap box is wild.

i don't find it to be a baffling question. i think the unspoken part of this is "this is a really stupid system, someone ought to do something about it". i hope in the next 20 years that password managers are a thing of the past, but for good privacy-preserving reasons.

Wasn't the passkey article just front page the other day?

Interesting question! I just checked and, wow, I have 922 accounts in 1password. (From 10+ years of use.)

It’s funny you bring this up because I’ve thought about “cleaning up” 1password before. But all the extra accounts are not really in my way.

I never use oauth (like to create a new account / password for everything). All of my work-related accounts are in there from several employers. Lots of passwords for (probably dead) servers. I count 28 logins for salesforce.com from past employers, various sandboxes, and consulting gigs.

The archive feature is nice for cleanup. It doesn’t delete, just hides from lists and searches. I’ve un-archived many items before.

> I never use oauth (like to create a new account / password for everything).

Me too. I have 672. Lots are for accounts I set up for nieces/nephews, etc., so those don’t really count. I bet 100 are stale as well I’ll clean them up one day. Lol.

I would not expect any true innovation to come from companies such as 1Password or Bitwarden. They make money off authentication being so craapy that an entire class of applications has sprung up around it.

They will not innovate themselves out of existence.

1259 on 1Password! https://dl.dropboxusercontent.com/s/4ug9qyk67z9pkml/Screen%2...

Still using 1Password 7 and its self-hosted vaults with the 1Password app denied all network access.

This is good reminder that I should login to all my old Google accounts to keep them from being deleted since Google is finally making moves to erase accounts unused for over 2 years. (especially given how it's always getting more difficult to create new G accounts)

    $ pass | wc -l
17 of those are encrypted notes (API tokens, license keys, etc.).

`pass` is a command line password manager: https://www.passwordstore.org/

  % bw list items | jq length
I used pass for years, but eventually quit when needing to rekey the gpg stuff for the fifth time and it being a pain to provision another key for passforios. It looks like there's some work to let pass use age for crypto instead of gpg, but I don't know if that's been ported to passforios or any of the other pass-compatible mobile apps.

Pass using git as its storage backend doesn't make a whole ton of sense for me. It's convenient enough for syncing if you use a public git host, but it's got a lot of unnecessary power. More than a few times I had to merge by hand when I had changes from both my laptop and my phone.

I use vaultwarden these days and it's pretty great. I wrote a (gross, ugly, but that's fine because I used it exactly once) thing to migrate from pass to bitwarden/vaultwarden, https://github.com/philsnow/pass-to-bitwarden

edit: forgot to mention, if you don't care about using Bitwarden the company for hosting, they have a somewhat generous free-forever tier https://bitwarden.com/pricing/

    $ pass |wc -l
Was hoping to be the only cool kid posting pass counts... :)

  $ gopass list --flat | wc --lines

I love pass!

  $ pass|wc -l

270 login credentials work+personal. I don't use 'sign in with Google'. I regularly try (not always successfully) to go through my 1Password vault and delete accounts that I haven't used in a while.

(I wish 1Password let you order credentials by "last used". This way I could start deleting from the oldest last used accounts.)

I wish I had less accounts because each account means some random website holding my data hostage. It's too common that a website doesn't allow you to delete an account. Sometimes you can find a support email and request a deletion. Other times, all I can do is try to replace my data with junk data. Although, even that isn't possible sometimes!

(Rocketbook won't let you change your email, for example. Or ChatGPT saves your phone number after you delete your account.)

Definitely a relevant topic, I'd say, especially if the discussion help any stragglers over the "edge" into finally using a password manager. (As far as I'm concerned, it is absolutely a requisite for all digital citizens in 2023.) ((And kinda has been for 10+ years but ya know.))

I'm closing in on 5000 credentials in 1Password, personally, but my collected vaults/database is 15+ years old now and definitely has [problematic duplicates](https://github.com/1Password/solutions/issues/1).

After a lengthy-enough sample of semi-formal self-observation, I'm averaging:

- signing in/authenticating 10 times/day (including weekends,) and most of those are repeats with the same service. - Almost 10 new accounts/credentials per week. (Granted, I'm pretty darn indiscriminate about doing so while exploring.)

Without tangenting too far, if anyone has any advice about how to constructively normalize password management (even just as an abstract) for end users - whatever that may mean - I'd love to hear it.

So if anything with OAuth is tied to Google, how would you survive losing your Google account?

For this reason I stopped using Google / OAuth a couple of years back!

I have almost 1900 items in my password manager: this includes logins, software licenses, notes, etc. But this does not include items in vault Attic, where I move items which are no longer exist (dead sites, deleted accounts, old ids, etc).

I have 573 entries in my KeePassXC. I have several very important passwords that are not in there, like my work password and of course the keepass safe password. Auth is indeed insane. Because of this insane power, I don't trust any ID provider with my logins, not Google, nor any other third party, so I log in with a password everywhere.

As for maintenance, I don't think it's much, and I'm not even using the browser integration (again, for security). It's a few simple clicks to create a new entry, and the default auto-fill (username, tab, password, enter) works on most of the websites.

About 500, after a clear up.

I'm currently shopping around for a new password manager but that's proving to be a frustrating search. Bitwarden scrambled my master password so that I lost access, not just once but twice (password was saved in another password manager, so definitely correct). Lastpass has 'issues'. Dashlane web app only gives me an error message. 1Password feels clunky but may be what I end up going with. Needs to be usable & shareable by tech-averse spouse & children as well, so hosting my own isn't really an option.

look no further ... pwsafe.org

I really don't know how many accounts I have, for most of them I don't even store passwords, I just generate them in a deterministic way with a little password generator I made[0].

Some time ago I realized what a waste was to store so many secrets, even more knowing that for the most part I'll probably never need them again.

For the - proportionally few - important secrets, I use (and really like) Pass[1].

[0]: https://aprico.org

[1]: https://www.passwordstore.org/

Aprico is a neat idea, but as soon as you face a website that has stupid requirements like a character limit, specific banned characters (like symbols), or other it has no way of adjusting for that and you have to start tracking exceptions. It also has a 1-1 limit of website, unless you come up with service naming heuristic as well. Regardless of these limitations (which I realize are edge cases and very much not the point of the service), it's a nice, simple idea :)

Anectodal from a few years of use, surprisingly those stupid requirements are almost a thing of the past nowadays. But yes, some edge cases still require some bits of muscle memory, which may be your thing, or not.

I'm a bit ashamed that I never found the time to write down some docs, so I never really shared it, apart from a few friends and colleagues. On desktop, the web extension is quite convenient, it will autofill everything for you but the master password.

On iOS, I made a simple shortcut[0] where you share a url and - thanks to the os autofill - you just get your password copied into the clipboard, no input required at all. Also, on Android there is something similar using the PWA Web Share Target API.

And that's it, thanks for your kind words.

[0]: https://www.icloud.com/shortcuts/2dcb6680e6b3424d8708e673e1a...

Don’t forget the even stupider variant, the allow-list of like 5 symbols. “Tell me you failed infosec 101 without telling me you failed infosec 101.”

There's a local government website that requires eight or fewer characters, and the eighth character has to be a digit.

They've tried to change the requirement, but it comes from vendor software. The vendor just waves around a middle finger and points to the contract.

> But I still have a near-stroke every time I have to do the "forgot my password" loop, or use Duo Mobile/other 2FA.

That's funny, I've stopped caring about remembering most passwords and use the "forgot my password" loop as a login mechanism for rarely accessed sites/services. I also only enable 2FA on important ones like email, github, or banking. Basically my threat model includes my ability to lose things.

This works until you want to change your email domain (or provider in some cases)

944 items in 1Password (fingerprint me!)

I'd have more but even 1Password doesn't always catch when I'm creating an account login, or resetting a password, etc. I do the work to input some of them, but not always (I get lazy).

I do try a lot of tools, and I have a lot of personal and professional GMail OATH logins too, which -- fortunately -- 1Password now tracks.

I have 872 according to BitWarden: https://cdn.geekzone.co.nz/imagessubs/3c01663b43a16e0b50577a...

I don't use OAuth, except for two services - which I could switch to user/pass if I really wanted.

380+ logins on bitwarden

45+ 2FA on Authy

2 yubikeys

It gets... pretty confusing, especially as I've not checked the gopass repo, where I keep _other_ stuff, too...

Bitwarden lists 791. A ton of them are for internal services/local dev accounts/what have you, but that's still a pretty long list.

I don't use most of them. A third of them are for my spam email address. I'm starting to notice Bitwarden taking its sweet time decrypting them all, though.

According to bitwarden, I have 363. Though, I have more than that that are not stored in bitwarden. Some of them are my work accounts, others are ones I created while on mobile where it is a pain to add them to bitwarden. The real number is closer to 400.

Where I work 'Single Sign On' doesn't live up to its name; many of us spend the first 5 minutes of each day signing into things, waiting for the 2FA code, entering it, then rinse and repeating for a half-dozen apps.

The problem with this metric is that several of those accounts are defunct or no longer even in existence. It's much easier to add to my keypass than to delete from it

751 entries in my KeePassXC database. I'm sure a number of those accounts are for long-dead sites, and many of the rest are throwaways I don't expect to use again.

Over 300 in a self-hosted vaultwarden. I’ve got my vault password memorized but that’s about it. All 300+ are secure randomly generated ones that I do not know. And I’ve got 2FA stored there too.

Despite the huge number of accounts, logging into anything is seamless across any of my devices. And access to my vaultwarden is securely protected. Password managers are great. Really looking forward to vaultwarden eventually storing Passkeys as well, and using passkeys to login instead.

What's the point of 2FA if you store it in the same place as the first auth factor?

Or maybe I've misunderstood. Are they behind different master passwords or something?

If an individual account password leaks, the second factor still protects the account.

This primarily only protects against leaked passwords from the site being hacked. Not from vaultwarden being hacked. But if my vaultwarden gets hacked I’m done anyway. They will had to have used multiple factors to get into the vaultwarden anyway.

Quick edit: I’ve also got all the codes in an actual Authenticator app on my phone (so I can get into vaultwarden if I have to) But they are additionally in vaultwarden for convenience. When vaultwarden autofills, it copies the code to my clipboard and I can seamlessly pass the second factor check. Either way, access to the codes needs physical access to a device I’m already on. In practice I’m only ever logged into vaultwarden on my phone and my PC, although I could login remotely if I had to. As an additional safety measure, when my vault is logged into some monitoring software sends me a push notification through an external service.

As far as I understand it:

The password is the "thing you know" and the password manager file is the "thing you have". So if someone compromised your email account knowing your password, they still need to access your password manager file to get access to the 2FA codes.

So it's still a second factor in that sense.

Slightly below 2000 last time I looked. Most sites don't support deleting content or accounts. In best case they just "anonymize" you. So it just keeps growing...

1146 in Bitwarden. But a lot of them are old, and some accounts aren't in BW.

> Obviously, anything with OAuth is "bundled" into my Google account.

I too used to live dangerously. But then I took an arrow... sorry, wrong one... then I read too many stories about "Google locked my account and now my life is ruined" and stopped using Google auth with anything but the least important sites on which I wouldn't mind losing the login.

HN and a few forums, bank, email/cloud, website (which is really just storage for ancient stuff I have mostly forgotten but occasionally have a use for) and that is about it. I use guest checkout when ever possible and if I buy from a site which does not offer it I just close my account as soon as I finish checking out. I never made the switch to password managers and the like. I have all of my passwords memorized.

KeePass says 305. That's a few decades' worth of logins across everything from Yahoo! to GMail to random online storefronts. Unique password for each. Doesn't include old accounts I've deleted where possible. Not all services offer account deletion, sadly. When I can't delete an account I leave it with blank or garbage contact info and link it to a one-off email alias for spam prevention.

I have 728. Before Bitwarden I used password store. I migrated with a script about 2 years ago, and I still don't have all the necessary metadata in at least a half (meaning there is no icon, usernames are messy, etc). I only update the old entries whenever the accounts are needed, meaning that I haven't used half of them in 2 years. So I "actively" use about 360 accounts on various services.

I have over 300 on 1Password, some with more than 5 different accounts from the same site like Google and Slack. I also lean heavily on the 1Password extensions to help on the retrieval part.

It's incredibly insane but I manage it by adding a namespace postfix so it's easier to identify which when autocompleting login forms. For example, "Google (Personal), "Google (UMich)" etc.

952, I store accounts user and passwords that I have since 2011, and I like to try new services. Especially to give feedback to makers.

I'm pushing 600 in my main password manager, but most of them aren't unique — I just use "farce72$" by default since it hasn't shown up in HIBP (yet -- fingers crossed) and hits three of the major character classes, so it's pretty high-entropy.

The password manager mostly serves the role of autofilling stuff in browsers.

In case anyone's wondering, it's not the HN password (with or without quotes) :)

I wondered if anyone would try that :)

Uh, looks like 1200. A few duplicates from LastPass or the LastPass -> 1Password migration many years ago, I forget.

1456 items in Bitwarden; 1180 have both username and password but there's a lot of duplication - e.g. I've got 6 items for my local nzbget instance (all the same u/p combo.)

This is an accumulation since ~2010 starting with 1Password, then LastPass, then Bitwarden.

[edit: 1339 items have a password but only 1180 of those also have a username]

Do you know you can add multiple URLs to the same un/pw and it will autofill on more sites?

Roughly 350, all with unique passwords and mostly with unique email addresses too. They're categorised, and the only categories with more than about 20 entries are catch-alls I never look at anyway. It's pretty useful and sometimes interesting to go on a website and find out I made an account there two years ago.


I'm running around 838 accounts because why not? I have a unique password for each login since five years ago. I went from LastPass to 1Password and finally settled on self-hosted Bitwarden(Vaultwarden) a year ago.

531 in my bitwarden storage. I don't create an account unless absolutely necessary. So the number is higher than I thought.

I guess most of it is likely work related. I cycle through many projects. Each of them have many accounts tied to them. Eg: DNS, domain, hosting, etc etc. Not to mention all the business systems like HR.

There are 92 entries in my credentials archive. I try to avoid creating them if at all possible, and I never use OAuth.

Checking 1Password, I have 283. If I include sites I keep only in my brain that is probably a touch above 300.

In Firefox's about:logins I have 1333 saved credentials

My keepass says 484, but I have a feeling there's duplicates. I really need to curate these better.

Hah! Password count cousins! I'm 484 in lastpass.

I've got about 307 on KeePassXC, with the oldest generated password from 2016.

307 includes stuff like security questions as well though, so the answer to "What is your mother's maiden name?" tends to be something along the lines of "f+2Tng+DO?X).`W/7*5IQ_"

My BW stands at 52 logins right now, but it's not yet quite complete. I think I'm missing a couple banks. Over the last year or so however, I cancelled almost 100 accounts, ranging from obscure forums, trough hosting providers, to facebook. It was a herculian effort, as companies put up emmense barriers (especially the hosting companies), but I somehow got it to the minimum I can realistically have - which is roughly 60 I think.

I try to avoid SSO, only exceptions are a single forum, which had broken registration, and my uni. Why? 1. SSO is a single point of failure, which you (unlike BW) cannot audit yourself; 2. You have to trust it's not gonna sell your data - perfect graph of services one person has is of course very juicy information; 3. They the make management of one's accounts slightly harder, as you cannot easily know how many you have by looking into your BW; 4. You are locked into your SSO service.

For MFA, I use fido keys (yubikeys), which I have to highly, highly recommend. Not only are they miles ahead of anything else, but they are also so easy and quick to use. I have a little one permanently in my usb port and to log in you just touch it. I'd recommend this if you are MFA-fatigued. Obviously, I always take the best form of 2FA available regardless.

All passwords in BW are long random alphanumeric and I have a XKCD-style password for that and something similar for FDE/logins into computers.

BTW, getting BW was the best decision I could have made, not really for security (although that's obviously the point) but fkr convinience. No more silly variants on passwords and no more guessing emails for reset.

I have 967 entries in my KeePassXC database. That includes tons of now obsolete logins and passwords from previous jobs or/and defunct services. It doesn't bother me, and I dont want to spend days just to validate/clean up it.

Hard to know, I have 20 to 30 Facebook accounts, mostly bought from account seller sites, becaused I wanted to see various Facebook pages not accessible to outsiders. Not sure how many of these passwords still work.

My oldest working account is probably 1996's ICQ.

My keychain has 54 items in it. I think at least 5 of them belong to things I've shut down.

I have 358 keys in my keepassxc. Loads of them are from a distant past; I never had the urge to clean them up. If I delete a password I also want the account to be deleted so that costs too much time... now at least I know who knows me... ?

My password manager has four digits of credentials stored. It dates back to when years began with the digit 1. Certainly _most_ of those are no longer in use, but maybe the time has come to see if Taco is still posting to Chips & Dips.

My password manager says 407 currently in my vault. I only use social login for very very limited amount of sites. My default option is to create app/site specific accounts so I can append my email with +sitename to see who leaks my data.

Exactly 256 in Keepass currently.

Earlier I used to maintain the passwords in an Excel and the life in a way changed when I discovered Password Manager KeePassXC - which is amazing.

For my frequently accessed accounts, I also prefer Apple Keychain to login faster across the devices.

360 for websites (most of which I've only used once; the oldest are dated 2011, but those are probably import dates, as they all have the same timestamp), and 100 or so for more serious stuff (banking, routers, etc.) in KeePassXC.

I have 93 personal accounts in my Bitwarden, plus 13 that I have categorized as "deprecated".

I don't think 176 is wildly unusual; it may be a bit higher than some people, but it's certainly not a Guinness World Record or anything like that.

808 in my password manager, plus a few in my head (stuff like bank logins and the pwd manager's password) or cold storage (no e-money, but e.g. the manager's password and passwords to unlock system backups).

I have over a thousand and hundreds of warning about compromised passwords.

Annoyingly they're all for forums I was part of as a teenager 15-20 years ago with a dead email address referencing pink monkeys.

I just never get round to cleaning it up.

284; that's with actively trying to purge the list every 3-6 months (sometimes just an online form but for more obscure / smaller sites, it's a couple of weeks and chains of emails back and forth).

Presently I have 384 entries in KeepassXC, but it's not all online accounts. Sometimes I just put info in my keepass vault because I want to have easy access to it while I'm at my computer.

It's a good day if I can get through it without creating an account.

700 plus on Bitwarden. And a lot of Oauth with google and GitHub. 200 plus on Chrome personalised window. Around 100 on Samsung pass for apps that I don't have access on web.

746 accounts.

746 unique passwords, ~600 unique usernames, ~600 unique email addresses.

More than 1000. More than I'd like. I can't help but wonder how many websites my personal information is on at this point between random shopping, forums, and all the rest.

1,742 according to my Bitwarden on Logins :grimace:

Given my use of password managers goes back to pre 2000 I'm willing to bet a sizeable percentage of the sites don't even exist any more

I have over 4,000

This is because I rotate accounts frequently (well, besides here).

376 items accumulated over 12 years using password manager and multiple cleanup runs. I think top for me was around 480.

It was hard to find it in the new version of 1password

~15,000 after being online since the '90s. A lot of them won't work anymore, that much I'm certain of. A lot of things have come and gone in that time.

> Obviously, anything with OAuth is "bundled" into my Google account. So if anything this is a huge underestimate.

If Google ever pulls the plug on you, you're in for a bad time.

I guess despite how cool it is to hate Facebook in 2023 there’s a really solid case to be made that it’s a smarter “OAuth” choice than Google, since with Google, if you fell back to resetting your password for another site to get in after a Google account shutdown, the email on the account would be the same Gmail account that you’re locked out of!

1112+, plus 25 in Microsoft Authenticator w/ cloud backup enabled, and a Yubikey 5c FIPS for every device I care about.

Between 3,000 and 4,000 (1Password no longer shows the count).

Over 100 in my password manager. I use log in with Apple wherever possible. If a website does not matter and does not support Oauth with Apple, I will use Google.

899 in Bitwarden and that is after cleaning and excludes ‘lazy’ accounts I logged into with google or facebook (those I generally don’t use or find important).

600 in Chrome. 800 in iCloud Keychain. I assume there's a % of duplication between the two, since I don't really use Chrome anymore outside of Windows.

Went and checked my 1Password. Apparently, I have nearly 1,800! My oldest remaining password was created in 2010, so I've been using it for a while.

445 logins for me on a self hosted bitwarden (vaultwarden) instance. Although a lot of those are for user & root logins to local machines I provision.

1,226 items in my 1Password database. Very happy customer.

410 according to 1 Password. I do periodic cleanups though and I should probably do one soon so the number of actual, in use, logins is probably lower.

Please tell me you let chrome save and sync your passwords lol. Always a delight for pentesters and real attackers a like when people do that.


Not counting all the sites for which I use the "Log in with Google/Facebook/etc". Many of these credentials I haven't used for years.

About 200, but no more than 30 are used often and maybe 5 are important.

I don't want to tell how I store them, but for these 5, I could even memorize them.

Around 1,000 in 1password. I use 1password because many of them are shared.

Edit. That is only my work 1pass. I have a personal instance too with a few hundred.

I'm curious, do you actually have ~1,000 work-related accounts? Or second accounts/alts for various non-work sites using your work email?

I have zero non-work sites on my work email.

Crazy isn't it. Not everything is a login, and not everything is a password. There are keys in there for instance, and some credit cards. The majority are logins though. Crazy, isn't it.


1078 - many I of them I've used once

Bitwarden lists 1,601 for me. That's not counting sites that use Google, GitHub, et al. for auth which I will often choose if offered.

Who knows, some idiot keeps using my email and signing up on various spammy services. Probably time to get a new email address.

I see many people mentioning the number of passwords in their KeepassXC. I can't find the option for that. Where is it?

Ctrl+Shift+R (or Database → Database Reports)

Before posting I was looking at the comments to see how bad I was… after seeing 1k+ it seems like I’m fine with my 627 bitwarden items!

this is nuts, i was expecting people to say like 8

Maybe 200ish or so

Loads of old crap though. Will clean it out next time I'm migrating passwd managers. Probably 50-ish that actually matter

I have 7, unless you include logins to the various systems and servers attached to my network. Then I have ~100.

800 logins in my Bitwarden.

These are logins I collected over the last 15 years. A lot of them are for pages that don’t event exist anymore.

I have around 40 2fa codes alone, number of accounts I don't even care to count.

find .password-store -type f | wc -l says 1248.

$ pwd && fd --type file | count /home/daniel/.home/.password-store 512

Need some cleanup I supposed...

515 - thank you Jesus for password managers

1Password tells me I have 4,182 items... and that's probably not even everything.

1Password says 348 for me, and I know there's many more that are autogenerated and stored in a keychain.

1300 as per 1Password.. and must be 500+ in my old Firefox account that I didn't bother exporting.

3,995 by 1Password as of May 21, 2023.

1Password currently has me at 476 logins, I assume some of those are duplicate accounts or burners.

593 for me in 1Password

238 according to 1Password. Every time I add a new one I feel a piece of my soul leave my body.

2151 according to Bitwarden. That's what 25 years of actively using internet does to you :)

2151 is insane. Share any fun/quirky/useful uncommon websites ?

What is bitwarden doing to help lower the number of accounts, exactly? I'm out of the loop.

Bitwarden lowers the mental burden for secure (which includes unique) passwords, precisely because we have a crap ton of accounts.

And I thought I was out of hand with 496 in 1Password… now it feels quaint looking around here.

809 in Bitwarden. Collected and migrated over the years from lastpass to enpass to bitwarden.

203 according to 1password, but I archive the ones I don't need roughly every year.

I have 260 items in my vault. Of course, I'm sure it could use some tidying up.

1Password deleted more of my accounts than that when it crashed the v8 upgrade. SK

1105 according to Keepass. Although at least a third of these are no longer active.

woop another Keepass user!

Anyone experimented with Sign in With Ethereum?

Wallet based login and account management onchain.

319, currently using Bitwarden to manage them and been pretty happy with it so far

about 750 in my personal 'pass' store, and about a 1000 in the shared password store for work. Bitwarden probably has a significant subset, but I prefer to keep 'pass' as authoritative source.

Personal ones close to that. But as a contractor, way more than than 176.

About 1,400 in KeePass.

Perhaps a poll would with ranges would have been better.






Indeed, although it would not be that hard to parse all replies and plot it.

1906 items in my 1Password. Not including those I archived or deleted.

636, and I lost a lot of them about 9 years ago.

I’m honestly surprised I’m not over 750.

You mean since I started using the internet in 1995? Or only live ones

1361 in 1Password, probably ~100 that I use at least once per year.

Looks like I have 2160 in Strongbox (recently moved from 1Password).

A bit under 200, but only around 20 that I use with any regularity.

My Bitwarden says 1,703.

I'm surprised to see so many people with low hundreds.

312 entries, although only 37 were accessed in the last 12 months.

182 logins here, although most of them aren't used frequently.

imo the best way to handle this would be to have identities on browsers, and then have browsers automatically handle the logins without the user seening any passwords

I feel like this isn't healthy for a human being

I have 921 items in 1Password; most of them are logins.

800+ entries linked to 784 unique email addresses.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact