It's not pretty obvious; it's not obvious at all. For example, I just logged in to comment and realized it was time I changed my password.
I use uMatrix and (kind of) know what I'm doing. I ended up allowing all third-party domains temporarily just to change my password. Go take a look yourself at the ridiculous number of domains NOT named slashdot.org that slashdot.org uses.