
Ask HN: Google SSO or Password Manager?

22 points by enigma20 about 3 years ago

Hello!

I would like to secure my accounts better, and after reading many articles I still struggle with one decision.

Context: Gmail account, with long and strong password + 2FA with security key (Yubikey).

And now, for other websites (shops, social media, etc.) is it better to:
1. Use Google SSO if available
2. Use email/password login stored in the password manager (password manager secured with Yubikey too).

What do you suggest? Why?

27 comments

linsomniac about 3 years ago

You aren't going to have all your accounts able to use Google, not everyone offers it. So you are going to need to use a password manager in any case. I use Bitwarden and like it, my wife uses it but is only ok about it.

Now, as far as Google vs. password manager on sites that do support it: Google can be convenient, but there is the infrequent, but apparently very real risk of Google locking your account, and through that also locking these other accounts. I'm not very concerned about that risk personally, but I also would be very reluctant to put important accounts like banks and bills on a Google SSO.

To be clear: I'm not a big "google is evil" guy, but "I'm locked out of google" seems to be a regularly recurring story, but it clearly is low frequency. I do know that when things go wrong, Google is often a black box with little recourse or even any way to contact someone there, especially, I imagine, if your account is locked.

I, personally, almost always use a password manager rather than a Google SSO, just because I have it set up and it's almost as easy as the SSO.
jaywalk about 3 years ago

1. Email on your own domain. You can still use Google (or any other service) for this, but having your own domain means you're not dead in the water if your provider decides they don't like you.

2. For accounts on large websites (big targets) use a unique email address that is only used on that website. Obviously passwords should *never* be reused, which leads to:

3. Password manager. Just do it.

4. Use the highest security options available at each website. If it's just 2FA, do it. Yubikey is great if they offer it.
nerdjon about 3 years ago

Password manager without question (just make sure it is one with strong security).

SSO to me exists for the sole purpose of keeping you locked into their platform. I have a "professional" email that I previously hosted on google with gsuite. I used that account a few times as SSO.

Now even though I have moved that email off of google, I continue to pay gsuite just so I don't lose access to that account and anything I logged in with it.

I have made every effort to remove google from my life as much as possible, but that account remains thanks to SSO.

Some SSO services don't give you an easy way to change how you login so you could be stuck.
theandrewbailey about 3 years ago

You can have many copies of your password manager database in many places, but you have only one Google. If you lose one thing, what would you rather lose? If you lose a password database, restore a backup. If you lose access to Google, what then? You can't restore a backup of Google. Stick around HN long enough, and within a week, you'll read stories of people losing access to their Google accounts for unexplained reasons (aside from a robot not liking them).
bxparks about 3 years ago

* Never ever use Google SSO. If Google locks you out, there is no recourse and you lose everything.

* Use your own domain, but don't use Google Domains as the registrar. If Google locks you out, you lose everything.

* Don't use Gmail as the admin account of your domain registrar. If Google locks you out, you lose everything. But don't use your own domain email as the admin account of your domain either. It's ok to forward to your Gmail account, as long as you can access the other email account when Google locks you out.

* Don't use Gmail as the contact address of your credit card on your domain registrar. If Google locks you out, you will miss notifications of payment problems.

* Back up your Gmail, Google Drive, Photos, Calendar, Contacts, etc. to somewhere else. I recently purchased a Microsoft 365 account for this purpose, $70/year for 1 TB of storage. Ironically Google is making me spend money on other providers because of Google's complete lack of customer support and their rapidly degrading level of trust.
catfishx about 3 years ago

I would choose a password manager.

With Google SSO you will always be dependent on their services; if they go down, they get hacked (which is very unlikely at the moment, but things might change) or someone compromises your google account you will be lost.
0x0000000 about 3 years ago

Do not use Google SSO. It's a single point of failure over which you have no control. Why put yourself in a position where getting locked out of one account locks you out of everything else?
zamalek about 3 years ago

The other comments do a good enough job explaining why not SSO.

I'm a very happy 1Password customer, but put in the place of answering what you should really do: self-hosted BitWarden. Geo- and vendor-redundancy, local hard backup.

Whatever you do, don't use the Chrome password manager.
rcMgD2BwE72F about 3 years ago

Don't rely on Google. The company has proven to be unreliable again and again, and their interests (as an advertising company) cannot align with yours, as a user and a citizen.

I advise to

- get your own domain for cheap. I have <lastname>.contact for a few $ and I'm happy with it.

- find a trusted email service provider (e.g. Fastmail) to host your emails. This allows you to change providers at any time, without the need to inform all your contacts. I just switched from Protonmail to Fastmail and the move took me a minute or two, and I had to do nothing except change the domain configuration and use the Import tool to transfer the messages, calendars and contacts.

- Choose a good open-source synchronizing tool such as Syncthing (fabulous!) and if none suits your needs, fall back onto a reliable cloud service (e.g. Dropbox).

- Pick a good, open-source password manager (I use KeePassXC) and sync it across your devices with the tool you just chose. Syncthing is perfect for me because KeePassXC can easily merge any conflict in a single click and I have all my databases available on my devices. You can save them in separate folders if you don't want to have your passwords available on, say, your personal and work devices. Tip: KeePassXC can open and unlock multiple databases at once: https://keepassxc.org/docs/KeePassXC_UserGuide.html#_automatic_database_opening

The benefit of a password manager is that you can

- track all your accounts in one place, e.g. which address is associated with which service

- audit your passwords (strength, uniqueness…)

- review each entry's history (revert to old password, recall old logins…)

- store data related to your accounts (member ID, personal notes…)

- attach files (I'm saving some QR codes in my databases, for loyalty cards for instance)

- keep misc confidential info such as digicodes, credit card details, Wifi passwords…

I don't know any of my passwords except those of my devices and of my password databases. I let the manager generate them for me and make sure I have multiple backups of my databases.

I also use andOTP for 2FA codes, to separate them from the passwords. But andOTP supports auto backups so I can quickly restore everything if I ever lose my smartphone (backup secured with OpenPGP, whose password is stored in KeePassXC of course).
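As an added example (not code from this thread, nor from KeePassXC, Bitwarden or any other product named in it), here is a small Python script that does the two kinds of check the comments above argue for: the audit rcMgD2BwE72F lists (reused and weak passwords) and the "if Google locks you out, what else do you lose?" question raised by bxparks and theandrewbailey. The CSV, its column names and the `depends_on` convention are constructed for this example and do not match any real exporter's format; the strength heuristic is deliberately coarse.

```python
"""Audit a password-manager export for reused/weak passwords and compute the
lock-out blast radius of an identity provider.

Constructed example: the CSV below imitates a generic vault export.  It is
not the format of KeePassXC, Bitwarden or any other real product.
"""
import csv
import io
import string
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample vault.  "login" is either "password" or "sso:<title>" of
# the entry that acts as identity provider.  "depends_on" lists entries whose
# loss would also lock this account (e.g. the mailbox that receives its
# password-reset links, or the registrar that controls its mail domain).
SAMPLE_VAULT = """\
title,login,password,depends_on
Gmail,password,correct-horse-battery-staple-9u2,
Registrar,password,Summer2021!,Gmail
Fastmail,password,w9Tz!4kLp2#rQx8v,Registrar
Shop A,sso:Gmail,,Gmail
Shop B,password,Summer2021!,Gmail
Bank,password,K7#pq2Vw9!zL4mRt,Fastmail
"""


@dataclass
class Entry:
    title: str
    login: str          # "password" or "sso:<provider title>"
    password: str       # empty for SSO logins
    depends_on: list    # titles whose loss locks this account too


def load_vault(text):
    """Parse the CSV export into {title: Entry}."""
    vault = {}
    for row in csv.DictReader(io.StringIO(text)):
        deps = [d.strip() for d in row["depends_on"].split(";") if d.strip()]
        vault[row["title"]] = Entry(row["title"], row["login"], row["password"], deps)
    return vault


def reused_passwords(vault):
    """Map each password shared by more than one entry to the entries using it."""
    by_password = defaultdict(list)
    for e in vault.values():
        if e.password:
            by_password[e.password].append(e.title)
    return {pw: sorted(t) for pw, t in by_password.items() if len(t) > 1}


def weak_passwords(vault, min_length=14, min_classes=3):
    """Coarse strength heuristic: flag passwords that are short or draw on too
    few character classes.  Not a substitute for a breach-list or dictionary
    check; it only catches the obvious cases."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    weak = {}
    for e in vault.values():
        if not e.password:
            continue
        used = sum(any(c in cls for c in e.password) for cls in classes)
        if len(e.password) < min_length or used < min_classes:
            weak[e.title] = f"{len(e.password)} chars, {used} character classes"
    return weak


def blast_radius(vault, lost):
    """Transitive set of accounts lost when access to `lost` is lost: entries
    that sign in through it (SSO) or whose recovery path depends on it."""
    lost_set = {lost}
    changed = True
    while changed:                      # iterate to a fixed point
        changed = False
        for e in vault.values():
            if e.title in lost_set:
                continue
            provider = e.login[4:] if e.login.startswith("sso:") else None
            if provider in lost_set or any(d in lost_set for d in e.depends_on):
                lost_set.add(e.title)
                changed = True
    lost_set.discard(lost)
    return lost_set


def report(vault, provider):
    """Human-readable summary; never prints the password values themselves."""
    lines = [f"reused password across: {', '.join(t)}"
             for t in reused_passwords(vault).values()]
    lines += [f"weak password: {title} ({why})"
              for title, why in weak_passwords(vault).items()]
    lost = ", ".join(sorted(blast_radius(vault, provider))) or "nothing"
    lines.append(f"if {provider} locks you out, you also lose: {lost}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(load_vault(SAMPLE_VAULT), "Gmail"))
```

Run as-is, the sample vault shows why the registrar's recovery address matters: because the registrar resets to Gmail and the own-domain mailbox depends on the registrar, a Gmail lock-out takes the bank down with it even though the bank never touched Google. Pointing the registrar's recovery elsewhere shrinks the Gmail blast radius to the two shops.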
llampx about 3 years ago

I try to keep my online life as decentralized as possible. Thus, multiple emails on multiple providers, and never use SSO unless it is at work.
valdask about 3 years ago

Remember that one wrong action (or even none) might get your google account permanently blocked without any recovery options.
marvinblum about 3 years ago

I use a password manager and would recommend you to do so too. Depending on an SSO provider just seems too risky to me right now, considering how easily you might lose access to your account. Of course, you also need to use your own domain for your email address.

2FA is also something I keep thinking about. What if I lose access to my phone? Does it really make logins more secure, considering that all my passwords are uniquely generated for a service? Do I want to do the extra step?
jjav about 3 years ago

To echo others, absolutely do not use Google SSO for anything you care about.

Not just google, do not use any third party authentication (Google, Apple, Facebook, etc.) on any account you want to retain. (Apple is perhaps a bit less bad than Google & Facebook, but you can find horror stories of locked Apple accounts on HN as well.)

When you do that, the account on the other site is tied to your google (apple/facebook/etc.) account. If google (apple/facebook/etc.) randomly decides to block your account one day for no reason then suddenly you're locked out not just from your google (apple/facebook/etc.) account but from all unrelated accounts where you used their login.

So password manager all the way, with unique accounts on every site (and strong long unique passwords of course).

You'll also want to use an email address in a domain that you own, so you can't be locked out of that either.
dangerface about 3 years ago

You should use email and password stored in a password manager. If you put all your eggs in google don't be surprised when they delete your gmail account for no reason with no support for you to get it back.
Monica09 about 3 years ago

I was trying to get a FHO Loan as of last year and I didn't meet up with the minimum credit score that was required which was 520 I think.. yeah 520 and I had a poor credit of 430, thought of what to do to boost up my credit but all I did was to no avail not until I was referred to Virtualhacknet@gmail.com, he told me that it was just going to take him 4 weeks because he had a lot doing at that time and to my greatest surprise he got my credit to a wh*ping score of 870.. I'm so excited writing this
troyvit about 3 years ago

Bitwarden self-hosted on Digital Ocean is pretty easy to set up. Then you have an open source password manager that you can still sync across multiple devices without having to worry about adding another tool like Syncthing to the mix. Since you're hosting it, it's a much smaller target although it's up to you to keep it up to date.
tofro about 3 years ago

I think a combination is good:
- Browser remembers passwords to sites I don't care about
- Google SSO for work-related when possible
- Yubikey-backed password store for all important passwords

Main motivation is that when I switch job I can't accidentally keep access to any tool since my access to the Google work account is revoked.
auslegung about 3 years ago

Never use Google login, or any other third party login, if you can avoid it. There's no reason to get them involved. I understand your Google login is very secure but what realistic threats are you guarding against? If you're an average person, strong unique passwords and MFA is enough.
xaduha about 3 years ago

No mentions of TOTP at all? FIDO is cool and all, but TOTP share is still much bigger.
blackclub2 about 3 years ago

I really dislike Google SSO because it doesn't seem safe and has no advanced features like password sharing, or support for saving information outside of credentials and payment info.
wooptoo about 3 years ago

- SSO for work accounts where available. The infra is maintained by the company so it should be as easy as possible for you to use it.

- Independent user accounts (with a password manager) for personal stuff.
gorjusborg about 3 years ago

Centralized authentication puts all your eggs in one basket, while a password manager splits risk by not sharing passwords across use-cases.

That said, I don't see why you shouldn't do both.
exabrial about 3 years ago

What's worse is you cannot remove google app or _YOUTUBE_ as a 2FA. Which is terrifying: they're adding new U2F methods without explicit permissions.
samfather about 3 years ago

SSO is good for enterprise use, but manage your own credentials in your personal life so you're not dependent on unreliable Google.
Aachen about 3 years ago

Password manager. You're in control.
romeda about 3 years ago

There are a lot of people here suggesting that Google's SSO should be avoided.

Those people are wrong.

If your email address ends in @gmail.com, then you don't control it, and have committed to tying your identity to Google's whims. *And that's okay!*

There are certainly some issues with Google unilaterally blocking access to accounts, but (1) this is extremely rare and (2) honestly, you're screwed even if you're using a password manager in that case.

Why? Because "password reset" is effectively SSO tied to your email address. It's just less secure and harder to use.

Seriously – under the covers, OAuth and other SSO flows are virtually the same as the process of opening an email and clicking on the link, except that they've been vetted by security researchers where "reset password" emails are almost never actually secure.

Password managers, for the vast majority of people, are confusing, unreliable, and even dangerous. Backups are hard to manage, and people often get it wrong. Forget your GMail password? Google will accept government ID and get you back in. Forget your password manager's password? Too bad, you're out of luck. The latter is *vastly* more common than Google blocking people and refusing to let them back in.

To be fair to HN, there are a few good points in the responses here:

- @linsomniac does raise the good point that you're likely to need a password manager in any event, since some sites don't support SSO.

- @jaywalk points out that if you have an email address on a domain that you own, you're not dependent on Google in case they refuse you service. It's worth noting that in this scenario, using Google's SSO is still fine – if they lock you out, you can still access any accounts you used SSO to sign in to by using password reset. I have yet to see a site that doesn't allow switching from SSO to using a password.

One thing to add is that you should *never* use Twitter or Facebook SSO; if you do, and get locked out of (or want to delete) your account on either service, there's no recourse whatsoever, and there's no way to switch to a password because your account often isn't tied to an email address if you go with Sign-in with Facebook. Same goes for LinkedIn and other similar "Social Sign In" systems.
ianpurton about 3 years ago

Most sites have a forgotten password feature so an attacker can gain access if they have access to your email.

Some sites don't store passwords very well.

So SSO is a good choice when offered and gives you the ability to revoke sites.