I'm sure this is worse than using lastpass in some way

but for the past couple years I've just generated and forgotten 90% of my passwords. the final 10% I keep in a password manager. But if the service isn't really that important I just use the 'forgot my password' to change and generate a new password every time I need to login

▲

stanac 4 hours ago | parent | next [-]

This works if the account doesn't have 2FA. On my last side project app users can login only via email OTP. There are security downsides with that, someone can send phishing link and use OTP submitted to the fake site, but the app doesn't store anything sensitive (it's a game which tracks your progress) so I guess it's not a major security risk.

▲

seb1204 4 hours ago | parent | prev | next [-]

I got caught out as I had no longer access to the old phone number that was now used to send 2FA text.

▲

fusslo 4 hours ago | parent [-]

oh dang that's not good. I've had the same phone number since 2006 so I didn't really think about it

	▲	antiframe 3 hours ago \| parent [-]
		But the phone number you have is not 100% in your control. I had AT&T flub something and I lost my number and they assigned me a new one (I was chanting my plan just after they did some merging with someone). Granted its unlikely but I would still use defense in depth and not have password reset be my only login method.

▲

vel0city an hour ago | parent | prev [-]

This is why a lot of services have just moved to using email with magic links to log people in.

In the end for a lot of services controlling your email is defacto controlling the login.