Why You Shouldn’t Use Facebook to Log In to Other Sites


I’m going to quit using Facebook to log in to apps and sites online. You should, too.

That’s the most reasonable way to respond to Facebook’s announcement last week that a security breach allowed hackers to infiltrate the accounts of at least 50 million users, and possibly tens of millions more. The hack gave attackers access to not just your Facebook account but also possibly the many accounts you used Facebook to log in with — services like Instagram, Spotify, Airbnb, Tinder, Pinterest, Expedia, The New York Times and more than 100,000 other places online.

I say “possibly” because neither Facebook nor third-party sites seem to know the precise extent of the damage. In a statement on Tuesday, Guy Rosen, Facebook’s vice president of product management, said the company had “no evidence” that attackers breached other sites through the hack, but that the company was building more sophisticated ways for sites to do their own deeper investigation.

But the mere possibility is highly troubling — and if the hack allowed access to any other sites, Facebook should be disqualified from acting as your sign-on service.

This is a classic you-had-one-job situation. Like a trusty superintendent in a Brooklyn walk-up, Facebook offered to carry keys for every lock online. The arrangement was convenient — the super was always right there, at the push of a button. It was also more secure than creating and remembering dozens of passwords for different sites. Facebook had a financial and reputational incentive to hire the best security people to protect your keys; tons of small sites online don’t — and if they got hacked and if you reused your passwords elsewhere, you were hosed.

Mr. Polakis allowed that there are tremendous convenience benefits and even some security benefits to a single sign-on. “Obviously, big companies like Facebook and Google have amazing engineers, and their security practices are generally ahead of the curve compared to other, smaller websites,” he said.

But no company, not even one as big and wealthy as Facebook or Google, can guarantee perfect security.

And in some ways, Mr. Polakis said, Facebook’s size and complexity work against its security. The Facebook hack, for instance, seems to have been caused by three different bugs acting in concert.

“The codebase of these services is massive,” Mr. Polakis said. “You have different teams working on different components, and they can interplay in different ways, and you can have a crazy hack that no one expects.”

The other danger of signing on to everything with Facebook is the threat of phishing. Even if millions of Facebook accounts hadn’t been hacked, people’s individual accounts are hacked all the time through online trickery. Single sign-on compounds the damage — whoever hacks your Facebook account gets access to everything else you tied to Facebook.

Why is a password manager a better way to protect yourself than signing on through a big platform? Password managers can also be hacked, Mr. Polakis said, but “compared to massive platforms that have millions of different lines of codes and different functionalities, a password manager has one specific job, and so it minimizes the chances of something going wrong.”

I asked Facebook for a counterargument to stop using it for signing on. A spokesman said Facebook’s sign-on was still more secure than the weak passwords that people create and reuse for everything.

Twitter: @fmanjoo.
