Of the following two approaches, which is “more secure”, under which circumstances, and why? In other words, please compare the security risks of these two approaches:
- Log in to an OAuth provider such as Google or Facebook using a master passphrase; then use OAuth/OpenID to log in to other services via that OAuth provider.
- Use a password manager with the same passphrase; have it generate and auto-type a separate random password for each service.
An obvious similarity is that in both cases, only a single master passphrase needs to be remembered by the user. This question explains how OAuth and OpenID work and why they’re considered secure, but it doesn’t compare them to a password manager.
From my perspective as a user, OAuth and password manager solve the same problem of not having to enter separate passwords (or any passwords at all) when logging in to various services. OAuth does it by “reusing” my login into the OAuth provider (I understand the technical details are more involved, but that’s how it looks to me as a user). A password manager does it by automatically typing in the password for me.
Either way, I only need to enter a single master passphrase: either to the OAuth provider or to the password manager.
I’m trying to decide when to use which solution. To do that, I want to understand their security implications more in depth (and compare them where possible).
OAuth vs. separate accounts (with separate passwords), as noted by @schroeder, is one aspect of this. But a password manager is necessary to automate the password entry, and adds its own layer of security risks. So it’s also an important piece of the puzzle, I think.
(I apologize if this question looks silly to the more security-educated folk here.)