Ask HN: Google SSO or Password Manager?
22 points by enigma20 on Feb 24, 2022 | 62 comments
Hello!

I would like to secure my accounts better, and after reading many articles I still struggle with one decision.

Context: Gmail account, with long and strong password + 2FA with security key (Yubikey).

And now, for other websites (shops, social media, etc.), is it better to:

1. Use Google SSO if available

2. Use email/password login stored in the password manager (password manager secured with Yubikey too).

What do you suggest? Why?



You aren't going to have all your accounts able to use Google, not everyone offers it. So you are going to need to use a password manager in any case. I use Bitwarden and like it, my wife uses it but is only ok about it.

Now, as far as Google vs. Password manager on sites that do support it: Google can be convenient, but there is the infrequent, but apparently very real risk of Google locking your account, and through that also locking these other accounts. I'm not very concerned about that risk personally, but I also would be very reluctant to put important accounts like banks and bills on a Google SSO.

To be clear: I'm not a big "google is evil" guy, but "I'm locked out of google" seems to be a regularly recurring story, but it clearly is low frequency. I do know that when things go wrong, Google is often a black box with little recourse or even any way to contact someone there, especially, I imagine, if your account is locked.

I, personally, almost always use a password manager rather than a Google SSO, just because I have it set up and it's almost as easy as the SSO.


> there is the infrequent, but apparently very real risk of Google locking your account

Or the very real scenario where you've been using a free Google Workspace account (is that what it's called these days) with a custom domain, and suddenly Google wants to start charging you for it. Meanwhile you've "logged in with Google" using that account across many, many sites and Google hasn't offered any way to migrate away from that. So you either pay up or lose access to any of those accounts.


1. Email on your own domain. You can still use Google (or any other service) for this, but having your own domain means you're not dead in the water if your provider decides they don't like you.

2. For accounts on large websites (big targets) use a unique email address that is only used on that website. Obviously passwords should never be reused, which leads to:

3. Password manager. Just do it.

4. Use the highest security options available at each website. If it's just 2FA, do it. Yubikey is great if they offer it.


Note that email on your domain opens you up to a different sort of risk along the lines of domain hijacking / registrar account takeover. However, if you pick a good registrar you should be okay, and also there are commercial/legal remedies available.


Use Cloudflare as your registrar. They have strong account protection mechanisms available.


#2 is always fun when you're dealing with humans directly. "Yes my email is <yourcompanyname>@<mydomain>.com. No I don't work for the company, it's so I can track where emails come from. Yes I work in tech."


A lot of orgs will (for security reasons) treat your Google OAuth login and an email+password login as two distinct accounts, even if they are on the same email address.

So it is possible that if Google shuts your account, and you migrate your email to a different provider - you will still lose access to your service account.


Well, that's one reason why using Google SSO wasn't on my list of things to do.


Misread your comment, my bad.


> Email on your own domain. You can still use Google (or any other service) for this, but having your own domain means you're not dead in the water if your provider decides they don't like you.

And if you give up your domain then someone just has to buy it and use the "forgot password" option :D


You do have some additional management overhead, but a good registrar will bug you well before your domain expires if they aren't able to auto renew it for some reason. You also have a 30 day grace period after it expires before someone else grabs it.


They need to bug me by mail and by phone. Last time my payment couldn't be processed, I lost email for a week (didn't notice because I was reading email in an email client that pulls from both my custom domain and gmail). Once I brought the domain back up, many of the missed emails did come through including ones from the registrar saying that I needed to fix my payment info...


I had a similar scenario happen, where my domain expired without me realizing and my incoming emails slowed down as DNS caches expired. I finally realized it after a few days when I hadn't received an email that I was expecting, and once I renewed the domain I got a flood of emails that I had missed.

After that, I was much more careful about where my domain registration emails go.


I only noticed because I was expecting a specific email too. I should have realized sooner but I was blaming not getting account confirmation emails from a service I was trying to register for on the service itself. I remember that I was even trying multiple browsers and devices thinking that the client was failing to properly send something to the server!


Can you put a reminder in your calendar? So you re-up before expiration?

Leave the automated charge for a backup, but do the important stuff yourself.


I shouldn't have said they "need" to. More like it would be very much appreciated if they did. I've made sure to keep track of that now, but I think they could do a little more to help people, who haven't learned from making the mistake yet, avoid losing their domains.

Funny thing is that I had a domain with a different registrar about 9 years ago and I couldn't get them to stop mailing me expiration reminders. They kept coming well after I intentionally let the domain expire.


Don't build your castle on someone else's property.

If your Google account gets suspended for some reason, that will likely take you down for all other Google systems.

You don't want to have your entire universe shut down just because one person out there decided that they didn't like you and complained to Google that you were spamming them.

This kind of thing has happened before, and will happen again. Do you want to take the risk it will happen to you?


This is how I do everything. I have a *@domain.tld address that lands in a single account and I track spammers and breaches.


Tying your own configuration to your identity is like the digital version of cash under the mattress but with more risk imo.


Password manager without question (just make sure it is one with strong security)

SSO to me exists for the sole purpose of keeping you locked into their platform. I have a "professional" email that I previously hosted on google with gsuite. I used that account a few times as SSO.

Now even though I have moved that email off of Google, I continue to pay for G Suite just so I don't lose access to that account and anything I logged in with it.

I have made every effort to remove google from my life as much as possible, but that account remains thanks to SSO.

Some SSO services don't give you an easy way to change how you login so you could be stuck.


It's a bit of a hack but you should be able to convert that Google account to Google Cloud Identity which is free for up to 50 users. You'll lose gmail, etc. but you'll keep playstore purchases.

https://www.reddit.com/r/gsuite/comments/s7t45q/g_suite_lega...


Which PW managers have weak security?


You can have many copies of your password manager database in many places, but you have only one Google. If you lose one thing, what would you rather lose? If you lose a password database, restore a backup. If you lose access to Google, what then? You can't restore a backup of Google. Stick around HN long enough, and within a week, you'll read stories of people losing access to their Google accounts for unexplained reasons (aside from a robot not liking them).


When I think of this, shouldn't people then consider a Google business account? It costs money but also has support. Doesn't the risk of a random lockout then go to zero? I don't know if anyone can create an account there, but it just came to my mind.


Wow. I need to google this. Never seen any of those stories. Thanks.


Citations required. Are you referring to Android spam developers?


There have been big deal stories of people losing access to their Gmail accounts and Google's response is basically "tough shit.". There are also a lot of them that don't get much traction.

https://news.ycombinator.com/item?id=22294159

https://news.ycombinator.com/item?id=2033474

https://news.ycombinator.com/item?id=17745761

You can dig through the rest: https://hn.algolia.com/?q=lost%20access%20to%20gmail



This is insane of course, but I have no idea how to avoid Google in the modern tech world, especially if you use the Android platform.


> This is insane of course, but I have no idea how to avoid Google in the modern tech world, especially if you use the Android platform.

I don't have a google account tied to my android-based phone.

The only drawback I'm aware of is that playstore doesn't work. So I download the apks directly and install that way, for things I can't install via one of the alternate app stores.


* Never ever use Google SSO. If Google locks you out, there is no recourse and you lose everything.

* Use your own domain, but don't use Google Domains as the registrar. If Google locks you out, you lose everything.

* Don't use Gmail as the admin account of your domain registrar. If Google locks you out, you lose everything. But don't use your own domain email as the admin account of your domain either. It's ok to forward to your Gmail account, as long as you can access the other email account when Google locks you out.

* Don't use Gmail as the contact address of your credit card on your domain registrar. If Google locks you out, you will miss notifications of payment problems.

* Backup your Gmail, Google Drive, Photos, Calendar, Contacts, etc. to somewhere else. I recently purchased a Microsoft 365 account for this purpose, $70/year for 1 TB of storage. Ironically Google is making me spend money on other providers because of Google's complete lack of customer support and their rapidly degrading level of trust.


> there is no recourse and you lose everything.

This isn't quite true. Many sites will allow you to recover your account via email. So even if your Google account is closed there would be a recovery route.

Of course some sites do require the same Google account ID, and once that is closed you are screwed. Oh, and I hope you aren't using a GMail account. Then you are really screwed.


I would choose a password manager.

With Google SSO you will always be dependent on their services. If they go down, they get hacked (which is very unlikely at the moment, but things might change) or someone compromises your Google account, you will be lost.


If they just block your account due to an automated process run by bots/ai. No customer support, no one to tell your story.


Very much this. I see users getting locked out of Google account often, or Google changing their policies (like the recent change of free G Suite accounts to premium ones) which would mean you'd be locked out of most accounts.


Are there big email providers, maybe paid, that would potentially be more reliable? Meaning at least they have customer service and you will not get locked out by a script?


I've heard good stuff about ProtonMail. It also adds a lot of security to email, if this is of concern to you.


Do not use Google SSO. It's a single point of failure over which you have no control. Why put yourself in a position where getting locked out of one account locks you out of everything else?


The other comments do a good enough job explaining why not SSO.

I'm a very happy 1Password customer, but put in the place of answering what you should really do: self-hosted BitWarden. Geo- and vendor-redundancy, local hard backup.

Whatever you do, don't use the Chrome password manager.


Don't rely on Google. The company has proven to be unreliable again and again, and their interests (as an advertising company) cannot align with yours, as a user and a citizen.

I advise to

- get your own domain for cheap. I have <lastname>.contact for a few $ and I'm happy with it.

- find a trusted email service provider (e.g. Fastmail) to host your emails. This allows you to change providers at any time, without the need to inform all your contacts. I just switched from Protonmail to Fastmail and the move took me a minute or two, and I had to do nothing except change the domain configuration and use the Import tool to transfer the messages, calendars and contacts.

- Choose a good open-source synchronizing tool such as Syncthing (fabulous!) and if none suits your needs, fall back onto a reliable cloud service (e.g. Dropbox).

- Pick a good, open-source password manager (I use KeePassXC) and sync it across your devices with the tool you just chose. Syncthing is perfect for me because KeePassXC can easily merge any conflict in a single click and I have all my databases available on my devices. You can save them in separate folders if you don't want to have your passwords available on, say, your personal and work devices. Tip: KeePassXC can open and unlock multiple databases at once: https://keepassxc.org/docs/KeePassXC_UserGuide.html#_automat...

The benefit of a password manager is that you can

- track all your accounts in one place, e.g. which address is associated with which service

- audit your passwords (strength, uniqueness…)

- review each entry's history (revert to old password, recall old logins…)

- store data related to your accounts (member ID, personal notes…)

- attach files (I'm saving some QR codes in my databases, for loyalty cards for instance)

- keep misc confidential info such as digicodes, credit card details, Wifi passwords…

I don't know any of my passwords except those of my devices and of my passwords databases. I let the manager generate them for me and make sure I have multiple backups of my databases.

I also use andOTP for 2FA codes, to separate them from the passwords. But andOTP supports auto backups so I can quickly restore everything if I ever lose my smartphone (backup secured with OpenPGP, whose password is stored in KeePassXC of course).


I try to keep my online life as decentralized as possible. Thus, multiple emails on multiple providers, and never use SSO unless it is at work.


Remember that one wrong action (or even none) might get your google account permanently blocked without any recovery options.


I use a password manager and would recommend you do so too. Depending on an SSO provider just seems too risky to me right now, considering how easily you might lose access to your account. Of course, you also need to use your own domain for your email address.

2FA is also something I keep thinking about. What if I lose access to my phone? Does it really make logins more secure, considering that all my passwords are uniquely generated for a service? Do I want to do the extra step?


To echo others, absolutely do not use Google SSO for anything you care about.

Not just Google, do not use any third party authentication (Google, Apple, Facebook, etc.) on any account you want to retain. (Apple is perhaps a bit less bad than Google & Facebook, but you can find horror stories of locked Apple accounts on HN as well.)

When you do that, the account on the other site is tied to your google(apple/facebook/etc) account. If google(apple/facebook/etc) randomly decides to block your account one day for no reason then suddenly you're locked out not just from your google(apple/facebook/etc) account but from all unrelated accounts where you used their login.

So password manager all the way, with unique accounts on every site (and strong long unique passwords of course).

You'll also want to use an email address in a domain that you own, so you can't be locked out of that either.


You should use email and password stored in a password manager. If you put all your eggs in google don't be surprised when they delete your gmail account for no reason with no support for you to get it back.




Bitwarden self-hosted on Digital Ocean is pretty easy to set up. Then you have an open source password manager that you can still sync across multiple devices without having to worry about adding another tool like Syncthing to the mix. Since you're hosting it, it's a much smaller target although it's up to you to keep it up to date.


I think a combination is good:

- Browser remembers passwords to sites I don't care about

- Google SSO for work-related when possible

- Yubikey-backed password store for all important passwords

Main motivation is that when I switch jobs I can't accidentally keep access to any tool, since my access to the Google work account is revoked.


Never use Google login, or any other third party login, if you can avoid it. There's no reason to get them involved. I understand your Google login is very secure, but what realistic threats are you guarding against? If you're an average person, strong unique passwords and MFA are enough.


No mentions of TOTP at all? FIDO is cool and all, but TOTP share is still much bigger.


I really dislike Google SSO because it doesn't seem safe and has no advanced features like password sharing, or support for saving information outside of credentials and payment info.


- SSO for work accounts where available. The infra is maintained by the company so it should be as easy as possible for you to use it.

- Independent user accounts (with a password manager) for personal stuff.


Centralized authentication puts all your eggs in one basket, while password manager splits risk by not sharing passwords across use-cases.

That said, I don't see why you shouldn't do both.


Password managers also put all your eggs in one basket: the master password to your PM!

There is after all a reason that it’s called 1Password!


Sure, which is why I would argue it isn't wise to put that basket online.

I also would enable MFA for any high value targets, so that a password leak alone wouldn't ruin you.


How would you do both, in this case? Either you create accounts per site, or use SSO, no?


Use SSO for low-value sites, things where you wouldn't be affected severely if you lost access to the account.

For high-value targets, create a stand-alone account, put password in password manager (preferably offline) and enable MFA. If MFA isn't supported, I would choose another provider if it is really high-value.


What's worse is you cannot remove google app or _YOUTUBE_ as a 2fa. Which is terrifying they're adding new U2F methods without explicit permissions.


SSO is good for enterprise use, but manage your own credentials in your personal life so you're not dependent on unreliable Google.


Password manager. You're in control.


There are a lot of people here suggesting that Google's SSO should be avoided.

Those people are wrong.

If your email address ends in @gmail.com, then you don't control it, and have committed to tying your identity to Google's whims. And that's okay!

There are certainly some issues with Google unilaterally blocking access to accounts, but (1) this is extremely rare and (2) honestly, you're screwed even if you're using a password manager in that case.

Why? Because "password reset" is effectively SSO tied to your email address. It's just less secure and harder to use.

Seriously – under the covers, OAuth and other SSO flows are virtually the same as the process of opening an email and clicking on the link, except that they've been vetted by security researchers where "reset password" emails are almost never actually secure.

Password managers, for the vast majority of people, are confusing, unreliable, and even dangerous. Backups are hard to manage, and people often get it wrong. Forget your GMail password? Google will accept government ID and get you back in. Forget your password manager's password? Too bad, you're out of luck. The latter is vastly more common than Google blocking people and refusing to let them back in.

To be fair to HN, there are a few good points in the responses here:

- @linsomniac does raise the good point that you're likely to need a password manager in any event, since some sites don't support SSO.

- @jaywalk points out that if you have an email address on a domain that you own, you're not dependent on Google in case they refuse you service. It's worth noting that in this scenario, using Google's SSO is still fine – if they lock you out, you can still access any accounts you used SSO to sign in to by using password reset. I have yet to see a site that doesn't allow switching from SSO to using a password.

One thing to add is that you should never use Twitter or Facebook SSO; if you do, and get locked out of (or want to delete) your account on either service, there's no recourse whatsoever, and there's no way to switch to a password because your account often isn't tied to an email address if you go with Sign-in with Facebook. Same goes for LinkedIn and other similar "Social Sign In" systems.
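One way to check the dependency argument in this comment (and the lockout scenarios raised earlier in the thread) is to model each account's login route and recovery route and compute what is lost when one identity goes away. This is an added example, not code from any commenter; the account names, their settings, and the assumption that the email provider's out-of-band (ID-based) recovery works as this comment describes are all constructed.

```python
"""Lockout dependency analysis for the SSO-versus-password-manager question.

Added example. Each account has a login route (a unique password kept in the
password manager, or "Sign in with <provider account>") and an optional
recovery route (a password-reset link sent to another account's inbox).
We then compute which accounts stay reachable when an identity is lost.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Account:
    name: str
    login_via: str                          # "manager" or the name of the SSO provider account
    recovery_email: Optional[str] = None    # account whose inbox receives reset links
    reset_can_replace_sso: bool = True      # site lets an SSO user reset into a password login
    out_of_band_recovery: bool = False      # provider restores access by ID verification (assumed)


def reachable(accounts: List[Account], lost: Set[str]) -> Set[str]:
    """Fixed-point iteration: an account is reachable if any route into it works.

    "manager" is the root of trust (master password memorized, hardware key in hand)
    unless it is itself in the lost set.
    """
    ok: Set[str] = set() if "manager" in lost else {"manager"}
    changed = True
    while changed:
        changed = False
        for acc in accounts:
            if acc.name in ok or acc.name in lost:
                continue
            via_login = acc.login_via in ok
            # A reset link only helps if the site lets you log in with the new
            # password afterwards, i.e. you were not bound to an SSO identity.
            via_reset = (acc.recovery_email in ok
                         and (acc.login_via == "manager" or acc.reset_can_replace_sso))
            if via_login or via_reset or acc.out_of_band_recovery:
                ok.add(acc.name)
                changed = True
    return ok


# Constructed scenario: a Gmail root, mail on an own domain, and four sites
# with different combinations of SSO and recovery address.
ACCOUNTS = [
    Account("gmail", login_via="manager", out_of_band_recovery=True),
    Account("ownmail", login_via="manager", recovery_email="gmail"),
    Account("bank", login_via="manager", recovery_email="gmail"),
    Account("shop", login_via="gmail", recovery_email="gmail"),
    Account("social", login_via="gmail", recovery_email="gmail", reset_can_replace_sso=False),
    Account("forum", login_via="gmail", recovery_email="ownmail"),
]


def lost_accounts(lost: Set[str]) -> Set[str]:
    """Names of accounts that become unreachable when `lost` identities are gone."""
    names = {a.name for a in ACCOUNTS}
    return names - reachable(ACCOUNTS, lost)


if __name__ == "__main__":
    for scenario in ({"gmail"}, {"manager"}, {"gmail", "manager"}):
        print(sorted(scenario), "->", sorted(lost_accounts(scenario)))
```

Losing the Google account takes down only the sites whose SSO login and reset address both point back at it; an SSO site with an independent recovery address survives, which is the point made about owning your email domain.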


Most sites have a forgotten password feature so an attacker can gain access if they have access to your email.

Some sites don't store passwords very well.

So SSO is a good choice when offered and gives you the ability to revoke sites.



