Giving Away Your Passwords

You might have seen the headlines from the past couple of weeks detailing how some employers were demanding employees hand over their Facebook passwords or else. Privacy violation?  Just a little.

Unfortunately, the House voted down an amendment that would prevent employers from making this ludicrous request.  After reading the rebuttal, I’m hopeful that this legislation will make its way through in some form or another.

Thankfully, humans asking for your social media passwords during job interviews is a rare practice.

On the other hand, websites asking for your account passwords isn’t.  We call this the Password Anti-Pattern.   When a third-party website asks you to input your username and password to another service, like Facebook or Twitter, run for the hills!

Password Anti-Pattern

Notice how the site above is asking you directly for your Twitter password.  Bad!  What they should be doing is redirecting you to Twitter to authenticate in person, so to speak.  Like this:

OAuth (The Right Way)

Usually the intent of the website employing the Password Anti-Pattern is good – they’re not trying to be snoops (unless the site is actually an evil phishing site).   Rather, it’s likely they want to help you find your friends, import your photos, or in some way improve the experience of their application by connecting to others.

But despite the good intent, disastrous problems can arise.  Say you want to let App XYZ import your Gmail contacts.  The app asks you for your Gmail password and you happily hand it over.  Now you’re entrusting them to store that password securely, and the sad truth is, they’re probably not.

Now imagine you let 15 other apps do the same thing.  One of them is breached.  If you don’t change your Gmail password soon enough, they can lock you out.  What’s worse, most applications you use let you reset your password via email.  Thus we typically consider our email passwords keys to our castles.

Even if you do manage to change your Gmail password in time, now you have 14 apps that you have to update to reflect this change.  It’s a nightmare!

The good news is there’s a better way to grant one website safe, limited, and controlled access to another.  It’s called OAuth.  Think of it as a valet key.

Stay tuned.  Next week we’ll talk more about OAuth – what it is, how it works, the pluses and the minuses.

Get the latest security news in your inbox.