
> login details for the 337 accounts I've made—from pizza delivery and airlines to social media and online shopping over more than a decade online.

That's a pathological lack of account management and pruning. Likely less than 100 of those are still active and the author will probably use less than 50 of them ever again. A better strategy is to simply not use services that request you "set up an account", or treat them as disposable and set up a new one each time you need an obstinate online service.

Edit: Do please have the good manners to make a cogent argument instead of down-voting what you merely disagree with. Is it not apparent that simply having so many accounts is, in itself, a serious security problem you could be addressing?




The reason you're getting downvotes is because your comment is irrelevant. The point of the article is the transition of passwords to passkeys. Minimizing the number of accounts you have has absolutely nothing to do with that. If the point of the article was about optimizing your online security posture, and passkeys as a method for that, then your comment would be more relevant.

The reason no one replies and just downvotes is because we don't want to clutter up the discussion with even more irrelevant comments. Usually I'd do the same, but for the chance that you are really commenting in good faith and not a troll, I thought I'd present you with a learning opportunity.


> The point of the article

It's fine that you found that to be the singular "Point" of the article. Discuss that if you like. But no, sorry, articles do not come stamped with "This is the point from which you will not diverge". My remarks are both relevant and valid and I do not wish you or anyone else to tell me what you think the "Point" of the article is. These comments are made in good faith (please don't bandy specious accusations of trolling) to address what I and many others consider a widespread misunderstanding around password security.


I agreed with you, but I kept quiet because I am not a sensible person and I didn't want to make you look bad. But yes, my immediate reaction to the article was "just don't sign up for things, have a small number of passwords for a small number of vital things, no problem."

Somewhere I have a page in a notebook with 20 or so passwords written down (in the basic cipher I've used since I was 12). If this was stolen, after some effort, the thief would be able to access things like ... a forgotten Github account, my abandoned efforts to learn from Duolingo, and a Reddit account I haven't used for two years. I would be mildly irritated. I am happy with this arrangement.


> my immediate reaction to the article was "just don't sign up for things, have a small number of passwords for a small number of vital things, no problem."

I recently interviewed a bunch of people in the age range of 30 to 70 on "personal cybersecurity". A surprisingly large number, no, in fact the overwhelming majority, thought the same way as you... once you get to the limits of your memory with passwords it's dangerous and counterproductive to reach beyond that, and it's time to cull and prioritise according to "attic theory" :)

Unfortunately many online services don't make it easy to delete accounts, nor do they time out after a sensible period like one year.

> Somewhere I have a page in a notebook with 20 or so passwords written down (in the basic cipher I've used since I was 12)

Before anybody tells you that "using a basic cipher" is weird or eccentric, maybe half of the over 50s I spoke to, all regular folks, told me they use the same paper notebook kept in a safe place at home plus some obfuscation. Also, about "two dozen" (24) accounts seems to be the average pool.

Any more than that and I think the system is working backwards, placing an undue security onus onto the person and not the service.

Passkeys have their use (I keep some super important pass phrase protected ssh keys somewhere physically safe). And some people need to maintain a very large collection of access tokens, like if you're a system administrator and that's your job.

But I think creating a tower of cards that enables people to maintain over 300 accounts for casual, personal use, is a disservice and actually encourages bad security practices.


I think people are reacting to what seems like an attack: the implication that having hundreds of accounts and not studiously pruning them is ‘pathological’. But I think your point is actually a valid one - yes, you can over time accumulate vast numbers of logins, but do you really need to hoard the login details? The majority of the passwords I have in 1Password are in the ‘Never Used’ section. I am definitely not going to spend the time to delete these accounts with the provider, but some I probably could have avoided creating in the first place and it’d probably improve my quality of life if I just delete the entry in 1Password and rely on email recovery or a new account if I ever went back. But, I’m not going to do that, because it’s really not much hardship and to be honest I appreciate the breadcrumb trail of my life on the internet for the past 30 years.

As for the security implications, if you want to hack the account to some magazine I was subscribed to 10 years ago, supply new payment details and reactivate my subscription, go wild. If you’re losing sleep about that sort of thing then it really _is_ pathological.


Sorry I should be more careful with my words.

"Pathological" is one of those words that lives in both technical and psychological space and I was careless. I meant the security situation was pathological, not that the poster "is a nutter". My apologies to OP.

If I am "attacking" anything it's this casual normalisation of over-extending, invoking more complexity and solutionism and misplaced trust in elaborate systems when simple everyday methods actually work well enough for 99% of cases.


> As for the security implications, if you want to hack the account to some magazine I was subscribed to 10 years ago, supply new payment details and reactivate my subscription, go wild.

Here I'd suggest thinking again. There are many threat models where your innocuous grocery account from 10 years ago is a useful stage to a bigger hack. Can you remember all the details you entered there? Past addresses, phone numbers, shipping addresses?


If you want my address you can just google it, I'm not going to spend any time worrying about it.


I disagree. I also have a large number of accounts (in online shops, for example) that I forget about, and 3 years later when I make a purchase in the same shop my password manager reminds me I already have an account there.


Just to be clear, you're disagreeing that having a huge number of dormant accounts is untypical, or disagreeing that a huge number of dormant accounts you've forgotten about is a security risk in itself?


Both. I don't mind creating accounts for shops that have what I want, and maybe buy once every three years (e.g. clothes, photo gear...). So I end up having a couple hundred accounts.

Are they a security risk? Don't think so, as I use a different password for each one, and a different TOTP. And I always pay with a single-use card.

What you seem to be suggesting is "buy everything on Amazon, and don't use small shops". (Incidentally, I don't use Amazon at all because they don't support single-use cards, and they are always trying to sell me Prime in sneaky ways).


If a secure passphrase was used originally, what is the security risk? I have 800+ accounts in my Bitwarden and I fear not, as each password is long and randomly generated.
