Ask HN: How do you keep track of “Log in with” accounts

14 points by AndyIsBuilding 2 years ago · 49 comments · 1 min read


On macOS, using the Passwords app, I find it unnecessarily difficult to find out how I signed into an account.

Some are un/pwd (easy), some are Log in with Google, Apple, etc, but those aren't captured and aren't easy to track unless I manually add it to the Passwords app with some invalid password that's an indicator of how I signed in.

Do you just use a password manager ... 1Password, Lastpass or the like?

markx2 2 years ago

I use Bitwarden but have used LastPass and 1Password before.

I always, without exception, will sign up with a username & password. I would never use a "Log in with". To me, if I am logging in through a different company then it is that company who has control, not me. There are tales here and elsewhere when Google has nuked someone's account. That's bad, but if you logged in with Google on other sites then you are completely screwed. Same applies to other companies.

I won't be using the Apple Passwords app.

  • AndyIsBuildingOP 2 years ago

    I've read some of these tales here as well. I'm thinking more about how to migrate from "log in with" to a un/pwd

  • woleium 2 years ago

    surely you can just reset your password with the same email and regain access to your account?

    • snowwrestler 2 years ago

      If I log into Acme Widgets website via “login with Google,” then I don’t necessarily have an email or password with Acme, I have a delegated (SSO) account. In many auth systems you cannot use “forgot password” to convert SSO access to username and password. You have to actually log in and change it there. But of course if Google has locked you out, you can’t log in with Google.

      And anyway… if Google has locked you out, you can’t access your Gmail to reset your password, even if Acme auth lets you.

      In contrast: if you log into Acme with username and password, you can authenticate with Acme at any time, even if Google has locked you out. Acme does not need to check with Google to log you in… even if your username is a Gmail address.

      If you’re going to use a password manager anyway, just do a fresh username / password whenever possible for each new service. It’s the most resilient and future-proof way to go.

      • woleium 2 years ago

        i have found mostly you can reset password to get away from google sso on many sites. no empirical evidence of course, and all sites are different.

noman-land 2 years ago

To the people using a password manager to store the fact that they used third party login, this is some of the most perplexing behavior I've seen in a while.

It's like storing a photo of gold bars inside your basement safe.

With almost zero extra effort, you could be in control of your own keys. You already have the entire infrastructure set up to do this and all you use it for is a glorified log book?

Can someone explain this?

  • HeatrayEnjoyer 2 years ago

    Some platforms only support SSO. There will be Google, Apple, Microsoft, Discord, and that's it.

  • mrala 2 years ago

    The point is that it allows you to remember which provider you used to sign in with and you’re not having to guess whether you logged in with Google or GitHub or whatever else.

    • noman-land 2 years ago

      I get that part, but by the time you've set up this reminder, why not go the extra millimeter and actually add a password?

      You go from delegating some of the most important elements of your life to a third party who can take your account away at any moment with no recourse (an extremely vulnerable position), to having complete control over all those accounts, with zero extra effort.

      It's very confusing.

      • mrala 2 years ago

        I suppose there could be any number of reasons. Maybe they were already using SSO prior to using a password manager and it would take more effort than an extra millimeter to switch.

    • cuu508 2 years ago

      If you are already using a password manager, why not login using password? No 3rd party dependency and risk, and no need to remember how you signed in.

      • bhy 2 years ago

        There are websites not supporting password login. I think there’s a trend of this.

      • mrala 2 years ago

        That is also my preference. However, that is not the question that is being asked.

        • noman-land 2 years ago

          I'm not responding to the question being asked, I'm responding to the people answering it.

          When I used third party login the whole point was that if I saw it was available, I was sure I'd use it, so I didn't need to store or remember anything. If I tried and it didn't work, I knew I didn't have an account.

          So to see these responses was very odd to me.

  • Scion9066 2 years ago

    One benefit could be if the site only supports something like username/password with SMS/email 2FA compared to a sign in option using Google/Microsoft/etc that you can use a security key/passkey with.

itchyouch 2 years ago

I used it for one account, then realized that I would never be able to keep track of which account I used for which account. Ie Google for This. Apple for that.

So I default to always looking to create a login with an email address, rather than using another identity provider. And passwords are kept and synced with Bitwarden.

  • ljlolel 2 years ago

    This is the way.

    Also remember that one day Google will eliminate Login With.

    And if you do login with Apple you can never escape the Apple Tax even if it declines or gets broken up.

foresto 2 years ago

I've mostly stopped using third party identity providers. They have multiple problems, but the thing that finally drove me away was bad implementations locking me out of the accounts they were supposed to protect.

The most recent example was a GitLab instance that was demanding my password before it would let me update the email address on my account. I didn't have a password, because I created the account by logging in with another site. Tech support was nonexistent. I ended up abandoning the account.

  • ljlolel 2 years ago

    This is the way.

    Also remember that one day Google will eliminate Login With.

    And if you do login with Apple you can never escape the Apple Tax even if it declines or gets broken up.

    I worked at a huge company with Login With. Only a fraction of people used it so we didn’t have time to support the hundreds of corner cases properly. So best bet was to rip it out.

al_borland 2 years ago

I used 1Password. When this stuff first started I would add an entry to remind me, so when I went to fill it I would see the name is "Apple SSO" or whatever. However, 1Password now supports this stuff, so it will simply take care of it.

mydriasis 2 years ago

I use 1Password. When I use a "sign in with...", it will track that I took that action, and it's saved in the vault ( even though there's not much to save :D )

senkora 2 years ago

KeePassX with the password field left blank and the note field containing e.g. "SSO w/ Google".

  • ajimix 2 years ago

    This is the only comment that actually answers the question without giving opinions about “Log in with”

    And it’s a very good suggestion. I do something similar, but instead of using a note, I just write it in the username field

pwg 2 years ago

> Do you just use a password manager

Yes.

> Log in with Google, Apple

I simply don't, ever, use those options.

  • firecall 2 years ago

    Same here.

    At least, not anymore.

    I have a few legacy logins.

    And a few where I’ve connected my accounts - GitHub for instance to get JetBrains Student Discounts.

    But where possible, I avoid!

    Also, the obnoxious login with Google prompt in Chrome actually costs businesses money!

    I’ve had multiple clients run up paid support because they thought they’d lost their account because they clicked the login with Google option and all their account info seemed to have vanished! (Not my services, just ones I was supporting them using).

  • CuriouslyC 2 years ago

    So you don't ever use anything federated?

dysoco 2 years ago

I almost always use Google (out of habit, many years using android phones and gmail) so I don't have to keep track of anything, although I do admit I have two Google accounts and sometimes it's a mess to organize between both (but this is my fault, historic reasons and too lazy to fix now).

To everyone worried about Google closing and not being able to login via Google... what email provider do you use? Because if Google closes Login With they might as well close or lock you out of GMail and if that's your email provider you're screwed as well right?

  • maeil 2 years ago

    If you use your own domain, you're not nearly as screwed. Your old inbox is lost if you didn't back it up, but your accounts are still perfectly fine. I use Zoho Mail with my domain.

ljlolel 2 years ago

I worked at a huge company with Login With. Only a fraction of people used it so we didn’t have time to support the hundreds of corner cases properly. So best bet was to rip it out.

Your best move is to always set a secure password and use a password manager.

Also remember that one day Google will eliminate Login With.

And if you do login with Apple you can never escape the Apple Tax even if it declines or gets broken up.

You probably won’t even be able to move your account to a password one; you’ll just lose access (another unsupported “corner” case).

iio7 2 years ago

> Do you just use a password manager

Yes. I recommend KeePassXC[1] or GoKey[2].

> Log in with Google, Apple

No, never!

[1] https://keepassxc.org/

[2] https://github.com/cloudflare/gokey

gregjor 2 years ago

On Apple device: Apple ID > Sign-in and security > Sign in with Apple. You can see all of the logins and disable them if you want.

In your Google account settings look at Security then See All Connections. Can also remove those individually if you want.

dbg31415 2 years ago

I like Bitwarden. Tried all the rest. Bitwarden is really great. Plus... I'm a huge fan of how it generates passwords. Celtic-Twisted-Endowment-Petal4-Anybody

I try and avoid SSO for the most part.

I like being able to use Gmail modifiers so I can create filters if I need to block certain accounts from being spammy.

first.last+serviceURL@gmail.com is usually what I use. So like first.last+news.ycombinator.com@gmail.com. Every service gets their own alias modifier. Then if I ever need to turn it off, I can just set a filter and they're done. Plus, this way I always know who sold my contact info.

  • joeyhage 2 years ago

    I think this works in practice but I still prefer to have an anonymous/hidden/random email for each service. If one of your Gmail alias emails is sold, isn’t it trivial to write a script and figure out the real Gmail addresses?

    • dbg31415 2 years ago

      Fair. Feels like it’s an uncommon enough practice that most marketers don’t bother. I had access to a 6,000,000+ email list one time and I was curious how many people did this trick and it was under 100.

JohnFen 2 years ago

I don't use SSO services, so I don't have to keep track of that sort of thing. For everything else, I use a password manager (UPM, because it operates entirely offline).

  • mrala 2 years ago

    I don’t understand why people bother replying to a question asking “how do you do x” with “I don’t do x.” That adds essentially nothing to the conversation. I don’t mean to call you out specifically, apologies if it comes across that way.

    More examples: https://news.ycombinator.com/item?id=41335286 https://news.ycombinator.com/item?id=41335369

    • quectophoton 2 years ago

      > I don’t understand why people bother replying to a question asking “how do you do x” with “I don’t do x.”

      It might be easier to understand if you substitute "x" here with, say, "encrypting passwords with MD5". It illustrates better why someone might think giving "I don't do it" style of responses instead of directly answering the literal question that was asked.

      Back to OP's specific case, maybe they keep creating accounts with SSO login only due to inertia and haven't really thought about reevaluating this habit. Not saying this is the case, since we don't know the specific reason OP is using SSO (e.g. if it's convenience, what makes SSO more convenient than the password manager? maybe they are following the recommendations from some random blog post that assumed a different threat model?).

      So, alternative points of view might still be useful, if only as food for thought. Maybe a more fitting solution might come out of such discussions.

conradklnspl 2 years ago

About 10 years ago, I was using an online password manager, but it got hacked. At that time, I created this one: https://github.com/conradkleinespel/rooster

Nowadays, I use a combination of an online password manager (one that hasn't been hacked yet, as far as I'm aware) and Rooster as a backup.

lervag 2 years ago

I use two things:

* A password manager (PasswordStore [0]), in which I may make entries without passwords but where I indicate my ID on a given account.

* A personal wiki in which I may indicate for something that I have an account connected to e.g. Google or whatever.

When I come to some service that I vaguely remember having used before, I will find the necessary info either in my personal notes or in my password manager.

[0]: www.passwordstore.org

danaris 2 years ago

I occasionally use Log In With Apple, because it can provide an obfuscated email address so they don't have my real address.

I never use any other third-party authentication service. I don't want to give Google any more information than I can avoid about the sites I visit, and I've barely even used my Facebook account for the past decade+.

jachee 2 years ago

1Password does it automagically.

anothernewdude 2 years ago

I don't.

If I'm using a third-party to log in then it's a burner account that I don't care about, and am basically using because I don't think whatever tool or site should need a log in to use.

midnitewarrior 2 years ago

I don't use "Log in with" accounts as I've read the horror stories of people getting locked out of their Google and Meta accounts with no recourse to fix it.

Avoid.

susanthenerd 2 years ago

1Password has a decent system for also tracking sign in with accounts

kazinator 2 years ago

Regarding Google, you are wrong, luckily. There is a page in Google where you can view the associations you made with third party sites and you can cancel them.

Where you find this is:

1. Go to your Google Account (e.g. www.google.com, click on your avatar, then on Manage Google Account in the popup that appears.)

2. Click on Security in the left navigation pane.

3. Scroll down, and find a box "Your connections to third-party apps & services".

That reminds me, I did a "continue with Google" on the Scribd website the other day, only to be told I had to also give them a credit card so they would let me start the free trial to view someone else's copyrighted PDF that they have no right to sell, and that I can find somewhere else. I have to revoke the association to these scumbags.

  • jeffbee 2 years ago

    There are also sites that send you through Google signin, then they still want you to make a username and password. So you shared your email address for nothing.

    • EE84M3i 2 years ago

      Is this against the terms of service? I seem to recall that if you do this with Apple they will ban you.
