Sometimes the most intriguing Office Hours conversations start with the simplest of questions. During our April 23, 2026 livestream, one viewer brought up something that many of us have faced without ever thinking about it.
I am sure many of us see “Sign in with Google” (or any other similar single sign-on) and just click the button without a second thought. Aside from being convenient, what else does that actually do? Is it safe?
In this blog post we’ll talk about exactly that: what a social login actually does, how to keep your logins secure, and when it’s better to create a new account entirely.
The viewer’s question: Sign in with Google or not?
What our viewer asked was very straightforward but sparked a genuine discussion. Here it is:
Generally speaking, when signing up online to something and it gives you the option to sign in with your Google, Apple, etc., what do you recommend? I'm wondering if it makes things more integrated than one would desire, or does it just make things easier for logging in?
In other words, is this type of social login just a convenience, or does it create unwanted cross-platform entanglement? This is more of a privacy instinct than a security one, though. For many people, using a social login feels like quietly weaving your accounts together into a web you didn’t consciously choose to build.
The walled garden principle
When answering the question, Nathan was clear and direct: he prefers to set up new credentials for every account rather than log in with Google, Apple, etc.
I lean towards setting up separate credentials for each account just for security purposes. It's less of an attack surface. I mean, the Google account is pretty secure, but if it gets compromised, then now all these other 20 accounts are compromised, right?
In other words, if the Google account you’ve used to sign up for all these other sites is compromised, all those accounts are now also vulnerable.
Conversely, separate accounts and credentials mean any breaches are contained; they don’t cascade. While this is a simple framework—new account every time—there's nuance that’s worth unpacking.
Social logins carry risks that aren’t immediately obvious
Account security is, without a doubt, the biggest concern when it comes to using a social login for numerous websites. However, it’s not the only one, and the rest are more subtle than that.
Firstly, getting hacked is not the only way to lose your social account. The account itself can be suspended by the service providing it. Let’s say Google suspends your account. You don’t just lose access to that profile; you can potentially lose access to every other service you’ve connected it to.
Then, there’s the issue of data sharing between platforms. When you authenticate through Google, Facebook, etc., you aren’t just borrowing their login system. You are also agreeing to a certain degree of data exchange between platforms: name, email, address, profile photo, and sometimes more. That data sharing usually happens in the background and most people overlook it entirely.
Finally, social login providers may, in many cases, observe which services you are connecting to. For most people, getting tracked like that isn’t a major concern, but privacy has become a much more discussed topic in recent years.
How to make it all practical: password managers
The honest truth is people choose the social login (regardless of the downsides) because of one thing: it’s convenient. Remembering dozens of unique, strong passwords is a massive headache, not to mention very impractical.
A password manager solves this entirely. With it, you can generate unique, strong passwords for every site, which are then stored securely and filled in automatically. All you ever need to remember is the master password for your password manager. This is where Nathan’s walled garden approach becomes realistic.
There are many good password managers, but we recommend Bitwarden (it has a solid free tier), 1Password, or Dashlane. Before choosing, though, keep an eye out for these things:
End-to-end encryption: This way even the password manager provider can’t read your stored credentials.
Cross-device syncing: Regardless of what device or browser you are using, your passwords will be available everywhere.
Secure sharing: If you are working with a team or in an agency, this is useful when you need to share credentials.
Two-factor authentication: The password manager itself should have 2FA support out of the box.
In the end, choose one which you’ll use consistently, but make sure that all of the things we mentioned in the list are covered. Or, at the very least, end-to-end encryption and 2FA.
Going further: 2FA and passkeys
We’ve mentioned 2FA a few times now, but there’s another term that gets used often as well: passkeys. What do these terms actually mean, though? It’s worth understanding them correctly to get a full picture of the best password security practices.
Two-factor authentication
Two-factor authentication (2FA) adds a second verification step beyond your password. That way, even if someone does get your password, they still can’t log in without that second step (factor).
The most common types of secondary factors are:
SMS code: You receive a one-time code on your phone. It’s a decent start, but not the best, since there are ways around it.
Authenticator apps: Google Authenticator, Authy, 1Password, etc., generate one-time, time-sensitive codes on your device directly. Much more secure than an SMS.
Hardware security keys: These are actual, physical devices that you plug in or tap against your device. This is the most secure option, most often used by people with elevated security needs.
For most people, an authenticator app is the sweet spot: meaningfully more secure than an SMS, and much simpler to set up and use than a hardware key.
Passkeys
Passkeys are a newer standard that takes things a step further than 2FA. Instead of a password plus a second factor, a passkey replaces the password entirely with a cryptographic key stored on your device, unlocked by your biometrics (face, fingerprint) or a PIN.
The upside is you never see this key or have to manage it yourself. Passkeys are also phishing-resistant by design since there’s no password to steal or trick users into giving up.
Support for passkeys is rapidly growing across major platforms and services, and if you can make use of them, you should.
When social logins are fine: the balanced take
Social logins have their place, of course. You needn’t use a password manager for every single account you create. It all comes down to evaluating the risk of losing that account.
If you are signing up for a newsletter, a casual community forum, or some tool you just want to try but may never use again, logging in with your social account is perfectly fine. Such low-risk or even throwaway accounts are a perfect fit for social login, since a compromise wouldn’t cause much harm.
However, the case for separate credentials grows stronger the more significant the account is. There’s a simple way of thinking about this. Ask yourself this question:
Would losing access to this account, or having it compromised, cause me any real problems?
If not, go ahead, use the convenient social login. If the answer is yes, though, it deserves its own credentials.
Nathan’s walled garden principle is a useful north star, keeping any single breach from rippling outward into everything else, but it doesn’t have to be an absolute rule. If you have any other questions about account security, or just want to learn more about web hosting, WordPress, and agency work, join us for Office Hours, every Thursday at 2PM EST.
FAQ
If I've already used social logins everywhere, is it too late to switch?
Not at all. You can migrate gradually. Start with your most important accounts (email, banking, work tools) and create dedicated credentials for those first. Most services let you add a separate password and then disconnect the social login without losing your account or data.
Can a password manager be hacked, and what happens if it is?
Password managers can be targeted, and some high-profile providers have experienced breaches. However, with end-to-end encryption, the stored passwords remain unreadable even to the provider; a breach of their servers doesn't automatically expose your credentials. Your master password and 2FA on the manager itself are your critical lines of defense.
Do passkeys work across all my devices, or am I locked into one?
Passkeys can sync across devices through platform ecosystems. For example, Apple devices share them via iCloud Keychain, Google does the same through its Password Manager, and some third-party password managers also support them. The main caveat is that cross-ecosystem support (e.g., switching from Apple to Android) is still maturing, so it's worth checking compatibility before going all-in.
What should I do if I discover a service I use doesn't support 2FA?
For low-stakes accounts, it's less of a concern. For anything sensitive, it's worth treating the lack of 2FA as a red flag about the platform's overall security posture. You can compensate slightly by using a unique, strong password (via your manager), but ultimately, if a service holds important personal or financial data and offers no 2FA, that's worth factoring into whether you trust it with that data at all.