You Want My Password? Seriously?
When teaching cyber awareness, we tell people to be protective of their login information, particularly their password. There are exceptions to the rule, but generally, even your tech department does NOT need your login to perform work on your computer or accounts. Attempts to solicit this information from you may be a phishing scam or the work of an insider threat.
What if a popular app wants your login information?
No, thank you.
In early April, reports surfaced that Facebook was prompting some users to provide their personal email credentials for verification purposes. This was an immediate red flag for the cyber security industry. The average user may not be aware that there is a difference between handing over the login credentials to your personal email and using a “Log in with [service]” type option. The former is a poor security practice that asks someone to give away full access to their account; the latter is an accepted method of verifying someone.
We saw exactly why providing your email password is a poor security practice when it was confirmed later that Facebook did collect the personal email credentials of 1.5 million users. These credentials were then used to collect those users’ email contacts, without properly informing them of the data collection. Facebook claims the import was unintentional, but does it really matter once the data is taken?
By giving your information directly to an app like Facebook, you are essentially giving them the key to that account. What could someone do with your email login info? Well, to start they might download and read every email in your inbox, as well as contacts and files. In addition, if you linked other apps and services to that email, they may have access to those apps and data as well. Sounds invasive, doesn’t it?
A more accepted approach to email verification is for the app to send a one-time use link that verifies your control of your email account. Apps that ask for another account’s username and password in a form on their webpage should be a hard pass. Just say no. In fact, it wouldn’t hurt to send a comment to their customer support department letting them know that the practice is an invasion of privacy.
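As an added illustration (not code from the original post), here is how an app can issue and redeem the kind of one-time verification link described above; the https://app.example/verify endpoint is a placeholder. The app never sees the user’s email password: it only learns that whoever received the email clicked the link.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60  # a link stops working 15 minutes after it is issued


@dataclass
class PendingVerification:
    email: str
    token_hash: str  # only the hash is stored, so a leaked table does not yield usable links
    expires_at: float
    used: bool = False


class EmailVerifier:
    """Issues single-use verification links and redeems them when the user clicks."""

    def __init__(self, base_url="https://app.example/verify", now=time.time):
        self.base_url = base_url  # placeholder endpoint, not a real service
        self.now = now  # injectable clock so expiry can be tested deterministically
        self.pending = {}  # token_hash -> PendingVerification

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_link(self, email):
        # 32 bytes from the OS CSPRNG; the raw token leaves the server only inside the email.
        token = secrets.token_urlsafe(32)
        record = PendingVerification(email, self._hash(token), self.now() + TOKEN_TTL_SECONDS)
        self.pending[record.token_hash] = record
        return f"{self.base_url}?token={token}"

    def redeem(self, token):
        """Return the verified email, or None if the token is unknown, expired or already used."""
        record = self.pending.get(self._hash(token))
        if record is None or record.used or self.now() > record.expires_at:
            return None
        record.used = True  # single use: clicking the same link a second time fails
        return record.email
```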
Log in with… or Continue with…
So what is the “Log in with…” option? If you want to log in to an app using a service you already have, such as Gmail, you will be presented with Gmail’s own account login page and a list of the permissions the new app is requesting. Your username and password are transmitted only to Gmail, and Gmail then sends the “OK” back to the new app. If you feel comfortable with the permissions, you can authorize the connection and use it as a login method.
One more thing to remember – always confirm your location on the web by looking at the web address before you enter your username and password. (Hey, if you’re not sure about web addresses, check out our browser extension, which displays the domain of the page in a streamlined way to help avoid confusion.)