Photo of Terence Eden. He has a beard and is smiling.

I have 800 passwords

· 10 comments · 500 words · Viewed ~8,355 times.

I've started using BitWarden - the open source password manager. As I've been binge-watching Marie Kondo, I thought it was about time that I deleted all the accounts that I no longer user.

I got rid of dozens related to previous employers. I hope the passwords wouldn't work after I left but 🤷‍♂️.

I scanned through the list and deleted old bank details, failed social networks, and obvious duplicates.

I'm left with seven-hundred and ninety-five different login details!

Bitwarden vault showing 795 login details.

How has it got this bad?

Partly it is my fault. I seem to have three different passwords for PlayStation. I'm not sure which is the main one, and I'm too afraid to delete the others in case they are important.

Some is the fault of companies which insist on separate logins for their website account, discussion forum, and help centre.

I've been online since the 1990s and have accounts all over the place. I have no easy way of knowing which of my accounts still work.

Is this actually a problem?

I don't trust centralised logins. If everywhere offered, say, Twitter logins - then I've put all my eggs in one basket. If the login provider breaks, or goes out of business, or blocks me - then I've lost access to everything!

It also means that one provider can't track me around the net. I don't want Facebook knowing every time I log on to my electricity provider's site.

But... It puts the onus on me to be responsible. There are risks associated with password managers - but I doubt I could remember eighty complex passwords, let alone eight-hundred.

(I know some people recommend a password algorithm like pass1234-fb for Facebook and pass1234-tw for Twitter - but this doesn't scale when sites ask you to update your passwords, or have different complexity requirements.)

Can this be fixed?

I don't know which companies have merged or vanished. It's tedious going through every account testing whether my login works.

My friends in WICG have a solution for this. A new "well-known" resource called "change-password".

Basically, websites should have a page called /.well-known/change-password. If you visit twitter.com/.well-known/change-password, you'll be taken to a password change page.

A password manager can use that to test whether my password can be changed - that might tell me if a service is still live. But given that the proposal doesn't yet have wide support, there will be lots of false negatives.

So I am left with two options:

  1. Accept the clutter. Live with the pain of searching through nearly a thousand passwords every time I want to log in somewhere.
  2. Spend a few weekends deleting the accumulated crud of a few decades.

Does this password spark joy?

Share this post on…

10 thoughts on “I have 800 passwords”

  1. says:

    Surely the point of a password manager is that you don’t need to worry about it - the passwords are presumably strong and unique, and the tool will automatically retrieve the correct one when you visit a site, so does it matter?
    Reply

    1. says:

      Ideally, yes. But in practice it doesn't always work like that. For one thing, I've noticed both LastPass and BitWarden slow down the more data they have in them. Which makes using even common sites a bit annoying. There's also the fact that I have many duplicates. For example, I've somehow acquired a dozen Samsung accounts from all various services they have. So when I go to one site, I have to work out which of the duplicates is the up-to-date one. Finally... just so much clutter!
      Reply

  2. Andrew McGlashan says:

    BitWarden doesn't let you do a simple search when looking for a password? There is no way I'm going to use OAUTH with FB, Twitter or anyone else logging in as me; if it is an option for an app or website, then I always go with a new login. And it is good that you might need 3 distinct logins for a service, one for the service itself, one for support forums and another for general forums. If any of the supplementary logins gets owned, then the service itself may still be safe and secure (unless there is a close link between those 3 passwords). Besides, all you need to remember is ONE password and that is for your password manager, heck you don't even have to remember that, you can have a derivation that gives you a complicated password and then copy/paste that in to your manager. You shouldn't need to know any password. An interesting setup for a set top box here in AU, an app on that device wanted a login, but there was a related website login as well which knew the email contact address. The app on the device gave an option to login via email, so I took that option rather than keying in a long and secure password to the device. As soon as you can say boo, an email arrived and I logged in by clicking on the expected email's link for the service. Bingo, the (hard to enter strong passwords) device no longer needed me to login to it. There is also another option coming down the track, some are already using it, but it's really not anywhere near prime time now and that is Steve Gibson's Squirrl (SQRL) -- nothing to do with QR codes.
    Reply

    1. says:

      Yes, of course BitWarden lets you search. But when multiple services share similar names, picking out the right one can be tricky. I could get a magic email link for each service - but that's generally slower and means my email account is the single point of failure. Looking at SQRL, it is QR code based - which is fine - but still requires me to have a phone, and an app, and to have a network connection on my device. It's a clever system, but seems a bit brittle to me.
      Reply

      1. Andrew McGlashan says:

        Yes, I think the doco still needs updating; he is working on it, but he has been working on it for quite a long time. The current doco may have been updated, but if so, it would only have been done very recently.
        Reply

  3. says:

    Crazy idea... delete them all. Whenever you need to login to a service you use... just recover the password via email. and generate a new one eventually you'll get a list with only the ones you actually use. On other perpective if a password manager can't deal with 800 passwords, maybe there's something wrong with the password manager.
    Reply

    1. says:

      That assumes that I still have access to all my old email addresses. Not sure that I do! Nor do I remember which of my email addresses I used to register on the service. The password manager can cope with 800 entries - but I can't! Searching through lists of duplicates is boring and stressful.
      Reply

  4. kansuke says:

    I had almost 900 password when I imported all my Firefox passwords to 1Password. I removed all duplicates and websites that don't work anymore and have 565 now. Actually I visited every site I have remembered and checked if the password still works. This allowed me to remove old (or rebranded) services and remove duplicates (every time I was checking if there was another password stored for this website). I also changed all my passwords to long&unique as I had a lot of duplicate passwords. Do this for 10 sites a day and it won't take that much time. Really recommend.
    Reply

  5. says:

    I can’t say I really agree with your proposed solution. I agree that there is a problem but I think we’re looking at different threat models here. I believe that there is a better way to use Bitwarden and address user access control within websites and other ecosystems.
    Reply

What links here from around this blog?

  1. A long list of 2FA tokens. I have Thirty-One 2FA codes
  2. A long list of 2FA tokens. I have 4% 2FA coverage

What are your reckons?

All comments are moderated and may not be published immediately. Your email address will not be published.

Allowed HTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <p> <pre> <br> <img src="" alt="" title="" srcset="">