HACKER Q&A
📣 lordofmoria

Anyone else constantly forget which SSO service they signed up with?


Curious if anyone else finds it increasingly difficult to play "SSO roulette" when logging into the long tail of infrequently-used services: did I use GitHub? Facebook? G Suite? Twitter? Or the secondary problem: "if I used Google SSO, which of my gmail accounts did I use?"

I definitely have my own heuristics (G Suite for everything possible, GitHub for "technical" sites, Facebook as a throwaway, etc.), but I've found myself increasingly "getting it wrong." Not to mention this is worsened by the fact that some sites automatically create a new account for you if you log in with a non-existent account: this means you often end up creating a NEW account, further screwing yourself over.

Anyone have any good hacks to solve this? I've started resorting to storing a blank 1Password entry even for sites I SSO with, simply stating the SSO account and email I used.


  👤 randomhodler84 Accepted Answer ✓
Stop using SSO, and use email aliases for each site. E.g.: myname+context _at gmail. (Gmail ignores everything to the right of the +, but it will be treated as the myname mailbox.) This keeps emails unique and helps detect when sites leak your email address (and pwd hashes).

Generate complex passwords in a password manager like 1password. Store usernames and passwords with the site to allow auto filling or search and copy/paste.
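The plus-addressing scheme from this answer, as an added example that is not code from the answer itself: it derives one alias per site, keeps a record of which site got which alias, and checks inbound mail against that record so a leaked alias stands out. It also generates a password from the OS CSPRNG the way a password manager would. The base mailbox "myname@gmail.com", the site names and the sample headers are all assumptions constructed for the example.

```python
import re
import secrets
import string
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple

# Added example, not code from the original post. It assumes a Gmail-style
# mailbox where "myname+anything@gmail.com" is delivered to "myname".
BASE_LOCAL = "myname"
BASE_DOMAIN = "gmail.com"


def tag_for(site: str) -> str:
    """Derive a tag from a hostname: Example-Shop.com -> exampleshopcom."""
    return re.sub(r"[^a-z0-9]", "", site.lower())


def alias_for(site: str) -> str:
    """Per-site alias: example-shop.com -> myname+exampleshopcom@gmail.com."""
    return f"{BASE_LOCAL}+{tag_for(site)}@{BASE_DOMAIN}"


def register(site: str, registry: Dict[str, str]) -> str:
    """Hand out an alias for a site and remember which site received it."""
    registry[tag_for(site)] = site.lower()
    return alias_for(site)


def tag_of(address: str) -> Optional[str]:
    """Return the +tag of an address delivered to the base mailbox, or None."""
    _, addr = parseaddr(address)                 # strips "Display Name <...>"
    local, _, domain = addr.lower().rpartition("@")
    if domain != BASE_DOMAIN:
        return None
    base, plus, tag = local.partition("+")
    if base != BASE_LOCAL or not plus or not tag:
        return None
    return tag


def classify(rcpt: str, sender: str, registry: Dict[str, str]) -> str:
    """Did mail to an alias come from the site that alias was given to?"""
    tag = tag_of(rcpt)
    if tag is None:
        return "not-an-alias"
    site = registry.get(tag)
    if site is None:
        return "unknown-alias"       # never issued: guessed, mangled or dictionary-generated
    _, sender_addr = parseaddr(sender)
    sender_domain = sender_addr.rpartition("@")[2].lower()
    if sender_domain == site or sender_domain.endswith("." + site):
        return "expected"
    return f"leak:{site}"            # someone other than `site` is mailing its private alias


def audit(messages: List[Tuple[str, str]], registry: Dict[str, str]) -> List[str]:
    """Classify a list of (To, From) header pairs."""
    return [classify(to, frm, registry) for to, frm in messages]


def generate_password(length: int = 24) -> str:
    """Password-manager style random password from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    reg: Dict[str, str] = {}
    print(register("example-shop.com", reg))     # myname+exampleshopcom@gmail.com
    # Constructed sample headers (To, From); not real mail.
    sample = [
        ("myname+exampleshopcom@gmail.com", "orders@example-shop.com"),
        ("myname+exampleshopcom@gmail.com", "deals@mail.example-shop.com"),
        ("myname+exampleshopcom@gmail.com", "promo@spammy-offers.test"),
        ("myname+nosuchtag@gmail.com", "x@example.com"),
    ]
    for verdict in audit(sample, reg):
        print(verdict)
    print(generate_password())
```

The From header is sender-controlled, so a "leak" verdict tells you the alias escaped, not who leaked it; the alias itself, which only one site ever received, is the evidence.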


👤 mtmail
We see that with our SaaS users. They use Google auth, then the next day try to use the 'forgot password' feature. Or they end up with two accounts because they have several aliases. On the one hand, a security best practice is never to give a hint that an email is registered ("if an account is registered, we will send you an email"), but for this scenario we made an exception and give a hint.
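The trade-off this comment describes, as an added example rather than the commenter's SaaS code: a forgot-password handler that returns the same generic response whether or not the address is registered, except for accounts that sign in only through an identity provider. The example also shows the alternative a practitioner would usually reach for first: keep the page response uniform and put the "you signed in with Google" hint in the email instead, so nothing is revealed to anyone who cannot read that mailbox. The account store and message strings are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Added example; not the commenter's code. Accounts and wording are constructed.
GENERIC = "If an account exists for that address, we have sent a reset link."
SSO_HINT = "This account signs in with {provider}. Use that button instead of a password."


@dataclass
class Account:
    email: str
    auth: str        # "password", or the SSO provider name, e.g. "google"


def normalize(email: str) -> str:
    """Lowercase and trim so 'Alice@Example.com ' matches the stored account."""
    return email.strip().lower()


def forgot_password(email: str, accounts: Dict[str, Account],
                    outbox: List[str], hint_on_page: bool = False) -> str:
    """Return the text shown on the page; anything mailed is appended to `outbox`."""
    acct = accounts.get(normalize(email))
    if acct is None:
        return GENERIC                       # unknown address: say nothing that confirms it
    if acct.auth == "password":
        outbox.append(f"to={acct.email} reset-link")
        return GENERIC
    provider = acct.auth.capitalize()
    if hint_on_page:
        # The comment's exception: this response differs from GENERIC, so it
        # confirms the account exists, but the user has no password to reset
        # and silence would only strand them.
        return SSO_HINT.format(provider=provider)
    # Enumeration-safe alternative: the page stays uniform and the hint goes
    # to the mailbox, where only its owner can read it.
    outbox.append(f"to={acct.email} sso-hint provider={provider}")
    return GENERIC


if __name__ == "__main__":
    store = {
        "alice@example.com": Account("alice@example.com", "password"),
        "bob@example.com": Account("bob@example.com", "google"),
    }
    sent: List[str] = []
    print(forgot_password("Alice@Example.com", store, sent))
    print(forgot_password("nobody@example.com", store, sent))
    print(forgot_password("bob@example.com", store, sent, hint_on_page=True))
    print(forgot_password("bob@example.com", store, sent))
    print(sent)
```

Whichever mode is chosen, the handler should take the same time and trigger the same side effects for known and unknown addresses; the mailed hint variant keeps the visible behaviour identical, the on-page variant deliberately does not.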

👤 dguo
1Password seems to have plans to provide a solution to this problem: https://www.future.1password.com/

> 1Password will remember how you log in to each account so you can get where you're going with a single click


👤 edoggie
I try not to use SSO accounts as much as possible, especially Facebook, since I have no idea what those accounts are sharing with the vendor. But I do find myself wishing for a solution to remember which provider I used when I originally signed up, if I did sign up with SSO.

👤 drudoo
I always sign up directly and store the information in 1password. With a custom domain I always use @myDomain.com.

What if your twitter/fb/google account gets suspended for whatever reason? All of a sudden you can’t login to a plethora of sites.


👤 dmart
Yes. I try to opt for non-SSO login whenever possible, or alternatively manually make a dummy 1Password entry with a username like “GitHub login”. I would like if 1Password could track OAuth redirects automatically but I’m not sure if it’s possible.
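One way to record OAuth redirects, added here as an example and not 1Password's code: every "Log in with X" click sends the browser to the provider's authorization endpoint with a `client_id` and a `redirect_uri` pointing back at the site, so a tool that sees those URLs (browser history, or a webRequest listener in an extension) can map each site to the provider that was used, and, when the site passes a `login_hint`, to the specific account. The provider endpoint hosts listed below and the sample URLs are assumptions constructed for the example.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Added example, not 1Password code. Hosts are assumed authorization
# endpoints; extend the table for other providers.
PROVIDERS = {
    "accounts.google.com": "Google",
    "github.com": "GitHub",
    "www.facebook.com": "Facebook",
    "login.microsoftonline.com": "Microsoft",
}


def parse_authorization_request(url: str) -> Optional[Tuple[str, str, str]]:
    """If `url` is an OAuth/OIDC authorization request, return
    (provider, site, login_hint); otherwise None."""
    parts = urlsplit(url)
    provider = PROVIDERS.get(parts.netloc.lower())
    if provider is None:
        return None
    q = parse_qs(parts.query)                      # percent-decodes redirect_uri etc.
    redirect = q.get("redirect_uri", [None])[0]
    if redirect is None or "client_id" not in q:
        return None                                # provider's own pages, not an authz request
    # The site is whoever the provider sends the user back to; a custom-scheme
    # redirect (native apps) has no netloc, so keep the raw value in that case.
    site = urlsplit(redirect).netloc.lower() or redirect
    hint = q.get("login_hint", [""])[0]            # which Google account, when the site passes it
    return provider, site, hint


def build_registry(history: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """site -> [(provider, login_hint), ...] in first-seen order, deduplicated."""
    registry: Dict[str, List[Tuple[str, str]]] = {}
    for url in history:
        parsed = parse_authorization_request(url)
        if parsed is None:
            continue
        provider, site, hint = parsed
        entries = registry.setdefault(site, [])
        if (provider, hint) not in entries:
            entries.append((provider, hint))
    return registry


if __name__ == "__main__":
    # Constructed browser-history lines; client IDs and hosts are made up.
    history = [
        "https://github.com/login/oauth/authorize?client_id=abc123"
        "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fauth%2Fgithub%2Fcallback"
        "&scope=user%3Aemail&state=xyz",
        "https://accounts.google.com/o/oauth2/v2/auth?client_id=1.apps.googleusercontent.com"
        "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fauth%2Fgoogle%2Fcallback"
        "&response_type=code&scope=openid%20email&login_hint=me%40gmail.com",
        "https://www.facebook.com/v12.0/dialog/oauth?client_id=1"
        "&redirect_uri=https%3A%2F%2Fforum.example.org%2Ffb",
        "https://github.com/login",                 # plain login page, ignored
    ]
    for site, used in build_registry(history).items():
        print(site, used)
```

Seeing the authorization request proves only that the button was clicked; to be sure the login went through, also watch for the matching hit on the `redirect_uri` carrying a `code` parameter.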

👤 ratg13
There is no reason to use any of these SSO integrations if you have a password manager.

Sign up via e-mail, save your password, and you're done.

Now you know exactly what you used to sign up with and you can stop giving data mining companies ways to track you.


👤 sharmi
There are a lot of recommendations here to stop using SSO. Unfortunately, there are enough number of sites that accept only SSO to make it impractical. One could go the route of I-refuse-to-use-any-site-that-does-not-provide-email-auth . This is something I have personally tried and find annoying to see sites that have only SSO (sometimes, only one provider that I do not even use). OTOH, if it something I really need or find interesting I fold and use SSO :(