Question: Signing up with Google vs E-Mail and Password 🔐

Solved by colonel_mortis

What's safer? To sign up with Google or to use your email and password with a password manager.
I understand the privacy trade-off, but which is the better option solely in terms of security (since Google will find a way to track me down anyway).

Is it better to have all of your eggs in 1 basket with Google, or use a password manager and put all of your eggs in that basket instead...



Bonus Questions!
#1: Why does Imgur let you sign up with Yahoo? Who uses Yahoo?
#2: If you sign up to Twitter with Google, then sign up to another site with Twitter, who gets your data? Will it make the world implode?
#3: What's the longest chain of cross-logins you can think of? I can't get past Google -> Twitter -> Imgur
#4: Should I have just made this a poll...?

[attachment: LTTimgurSignUp.png]


10 minutes ago, UserName_LTT said:

What's safer? To sign up with Google or to use your email and password with a password manager.
I understand the privacy trade-off, but which is the better option solely in terms of security (since Google will find a way to track me down anyway).

Is it better to have all of your eggs in 1 basket with Google, or use a password manager and put all of your eggs in that basket instead...



Bonus Questions!
#1: Why does Imgur let you sign up with Yahoo? Who uses Yahoo?
#2: If you sign up to Twitter with Google, then sign up to another site with Twitter, who gets your data? Will it make the world implode?
#3: What's the longest chain of cross-logins you can think of? I can't get past Google -> Twitter -> Imgur
#4: Should I have just made this a poll...?

[attachment: LTTimgurSignUp.png]

I would say that there is a huge convenience by just signing in with another account, I usually use my Facebook account to sign in to sites that I know I will be visiting once, if it requires an account, and then removing that account when I'm done.

 

Although, if my Facebook account were to get hacked then the flaws are obvious, so in that respect, it's better to use a password manager and create new accounts.

 

#1 Probably legacy support - but you're right, it's for the older folk no doubt 🙂

#2 Everyone involved most likely, I would be less than surprised if Facebook ended up with your data too, and they aren't even in the chain.

#3 That's a decent length chain! I can't think of a longer one.

#4 I think the discussion will be interesting to read, so no!


In my mind (possibly flawed), it seems safer to use an email and a manager created password. Still not foolproof, but I have multiple emails (personal, work, side business) so I can choose which one I want associated with each account. Also hate having anything tied directly to my social media. If it's Twitter or FB, then the security checks will likely go there, so if I ever deactivate my accounts, which I have done with all SM in the past, it becomes more of a pain to log in.

 

1. Pretty sure my millennial sister uses Yahoo still, no idea why.

2. No implosions, but everyone gets all the data. But let's face it, they already do.

3. I'm sure there's someone with a 4 layer cake somewhere nearby.

4. Polls are less fun, I like reading the absurdity. 


In terms of security there really isn't a difference. While I think signing in to everything separately and managing it with a password manager is technically slightly more secure, practically there's not much difference between that and signing into everything with Google OAuth. In both cases if the main failure point is compromised every one of your accounts is compromised. They can be strong single points of failure, but both have a single point of failure.

 

In terms of privacy, signing into everything with OAuth means that the authoriser can more easily track where you go on the internet. They're going to try anyway, but they have to do less work if you just tell them everywhere you have an account.

¯\_(ツ)_/¯


Federated accounts are a good example of the price users pay for convenience.

As a good rule of thumb, the more convenient something is, the less safe it is. Clever people create strong passwords and use a unique username & password for each service they log into - this is why password managers exist (more on those later).

By linking your LMG account for example to your Google or Outlook account (federating), you share those credentials between both parties. In this example, LMG would keep a record of your username and password for your Google account. In a perfect world, that record would be salted, hashed, encrypted, or obscured by some other means, but in reality, that almost never happens.

I don't work for LMG and I don't want to assume their intent, but I suspect that (like most companies) they don't store those records themselves. They likely rely on a 3rd party federation service or plugin for their site provider (WIX, SquareSpace, etc.).

What this means to the end user is that by signing up using a federated account, you ultimately give your credentials to a 3rd party that you do not have a direct relationship with and may or may not be diligent in protecting that information.

There are thousands of data leaks of this type each year, and the overwhelming majority of them go unreported. This contributes to the rising cases of identity theft and various other cyber crimes.

It is undeniably safer to create a unique username & password, and manage it yourself... offline.

Using a password manager is also very convenient, but also very unsafe. For convenience, they are hard to beat, but for safety, nothing beats a good old pen & paper with a simple office safe. A fireproof office safe is typically between $19.99 and $29.99 and can be found at nearly any major retailer from Wal*Mart to Staples. Your trusty steno pad and safe don't require a monthly subscription, or signing an EULA, and it's not some faceless company in a distant country that may or may not even have legal protections in place for PID.


I was originally thinking to use Google because they would likely have better security than most password managers, but as I'm writing this I realise that I would still need a password manager to keep my Google password...
Or, I guess if it's only 1 password, I can keep it in a text file somewhere.


Regardless of how you choose to log into someplace, your security is only as good as your password and your typical habits.

I prefer email + unique password (KeePass on PC and KeePassDX on Android) instead of using those "sign in with...", because a lot of the time, you still need to complete the account creation process anyway, since all it did was just prefill your email and things like date of birth.


1 hour ago, OrdinaryPhil said:

By linking your LMG account for example to your Google or Outlook account (federating), you share those credentials between both parties. In this example, LMG would keep a record of your username and password for your Google account. In a perfect world, that record would be salted, hashed, encrypted, or obscured by some other means, but in reality, that almost never happens.

This is not true. What we get from Google when you link your account (via an OAuth2 exchange and API calls) is just your Google account's user ID, plus your email address and a couple of other bits of data. When you next sign into the forum with Google, Google attests to us that you are that same user, which we then use to log you in. At no point do we have your Google account password, nor any access to your account beyond the scopes that you authorised when you linked the accounts (which should just be email address and basic information). Of course, if ltt did get hacked, an attacker would then get access to that information, which may be slightly more than you give to use the forum without Google.

 

I would trust Google to keep accounts secure more than I trust the forum software that we use - there is nothing wrong with the forum software, and at this point I'm fairly confident that there are no vulnerabilities in the login flow, and credentials are securely stored (using salted bcrypt hashes), but Google has far better protection against modern attacks like credential stuffing and other abuse. It's also not possible to be phished into giving away your ltt credentials, although of course if an attacker gets access to your Google account it's game over.

 

There is of course a privacy downside to linking your accounts, because Google can now see that you have an ltt account, and how often you log into it (although nothing more, e.g. they don't know which account on the forum is yours). If you use Gmail, they probably figured that out already though.

 

Passwordless login is the future, and it is more secure due to the phishing resistance. Ideally that would be the FIDO-based passwordless login (e.g. using a YubiKey or encryption keys stored on your device), but delegating auth to one trusted central party is still better than nothing. In practice though, for low value stuff like forum accounts, the difference isn't much at all, and you're much better off enabling 2FA if you are worried.

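The exchange colonel_mortis describes, as an added example that is not the forum's own code: a simulated "Sign in with" link and login in which the relying party (the forum) receives only a signed assertion carrying a stable user ID and email, and never the user's password. HMAC-SHA256 with a shared key is an assumption standing in for the RS256 signature and public-key (JWKS) check Google actually uses; the issuer, audience and expiry checks are the ones every relying party must perform.

```python
# Constructed demo of an OpenID Connect style ID-token link/login (not forum code).
import base64, hashlib, hmac, json, time

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class IdentityProvider:
    """Stands in for Google: it alone holds the user's password."""
    def __init__(self, issuer: str, key: bytes):
        self.issuer, self.key = issuer, key  # key: assumption, HMAC instead of RSA

    def issue_id_token(self, sub: str, email: str, audience: str, ttl: int = 300) -> str:
        # Only the consented basic claims are included: stable user ID (sub) and email.
        claims = {"iss": self.issuer, "sub": sub, "aud": audience,
                  "email": email, "exp": int(time.time()) + ttl}
        payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
        sig = hmac.new(self.key, payload.encode(), hashlib.sha256).digest()
        return payload + "." + _b64(sig)

class RelyingParty:
    """Stands in for the forum: maps (iss, sub) to a local account, stores no password."""
    def __init__(self, client_id: str, issuer: str, key: bytes):
        self.client_id, self.issuer, self.key = client_id, issuer, key
        self.links = {}

    def verify(self, token: str, now=None) -> dict:
        payload, sig = token.split(".")
        expected = hmac.new(self.key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            raise ValueError("bad signature")
        claims = json.loads(_unb64(payload))
        if claims.get("iss") != self.issuer:
            raise ValueError("wrong issuer")
        if claims.get("aud") != self.client_id:   # a token minted for another site is useless here
            raise ValueError("token issued for another site")
        if claims.get("exp", 0) <= (now if now is not None else time.time()):
            raise ValueError("token expired")
        return claims

    def link(self, token: str, local_account: str) -> None:
        claims = self.verify(token)
        self.links[(claims["iss"], claims["sub"])] = local_account

    def login(self, token: str):
        claims = self.verify(token)
        return self.links.get((claims["iss"], claims["sub"]))
```

The local account is keyed on the provider's `sub`, not on the email, so a later email change at the provider does not break the link and a forum breach exposes only the ID and email, exactly the data set described above.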

1 hour ago, colonel_mortis said:

, but delegating auth to one trusted central party is still better than nothing. In practice though, for low value stuff like forum accounts, the difference isn't much at all, and you're much better off enabling 2fa if you are worried.

So, for "low value stuff like forum accounts", I could just use the classic e-mail and password (with 2FA on each) for the privacy aspect; but, for 'high value stuff' like the social media accounts for a business, I should use Google (with 2FA on Gmail) because they have better protection against modern attacks. Right?

I basically just want to be told what to do... As you can't probably tell from my user name, I'm not very good at making decisions that I know I'll likely never change. (;⚆ ︿ ⚆)
 

 


Also, where can I learn more about this "passwordless login" stuff? Is there a Techquickie on Yubikey and/or FIDO?


7 hours ago, UserName_LTT said:

So, for "low value stuff like forum accounts", I could just use the classic e-mail and password (with 2FA on each) for the privacy aspect; but, for 'high value stuff' like the social media accounts for a business, I should use Google (with 2FA on Gmail) because they have better protection against modern attacks. Right?

I basically just want to be told what to do... As you can't probably tell from my user name, I'm not very good at making decisions that I know I'll likely never change. (;⚆ ︿ ⚆)
 

 


Also, where can I learn more about this "passwordless login" stuff? Is there a Techquickie on Yubikey and/or FIDO?

For low value accounts I would say use whatever is easiest for you. For high value accounts, yeah delegated auth (such as Google) does have advantages. I generally default to having 2fa on both the Google account and the social media account/etc, which would protect your social media account if you did get phished out of your Google account, although it is definitely a reasonable amount of extra friction so it has to be a judgement whether it's worth it.

 

In terms of resources on passwordless login, there is a Techquickie, although I haven't watched it so can't vouch for its completeness/accuracy:

 


Only speaking on the Yahoo thing. Yahoo might be old, but it's still around and some of us still have things attached to the email. My friend made his Microsoft account with Yahoo, used it in his Gmail creation, and tied it to his whole life. If something isn't broken, why change it? As for "who uses Yahoo", those who don't use default stuff all the time.
