I get it. People hate passwords. They are too hard to remember, and you have to come up with a unique one for every site. That’s BS.
A number of internet giants got together a few years ago to come up with OAuth, and now OAuth2. It’s a spec that allows you to use one of your social media passwords to log in to other sites.
I’m sure you’ve used this service before. But I want you to stop using it – it’s a really bad idea when it comes to security. Here’s why:
1 – Easy to Spoof
It is trivial for a malicious website owner to build a window that looks like an authentic Facebook/Google login screen. Just put up a few graphical buttons, logos and form fields to capture your credentials. You type your username and password into what you think is a Facebook login, but you’ve just handed them to the bad guys. The bad guys can then put up a fake timeout error screen to make it seem like Facebook is offline at the moment.
Mitigation: Only use your social media passwords on well-known sites that you trust. Never use them on a site you’ve never heard of or that looks fishy. Also, turn on two-factor authentication on Google and Facebook.
2 – What if your Password is Compromised?
Do you know anyone who has had their email or Facebook account hacked? It can be an inconvenience to say the least. Hackers can really screw up a Facebook account if they get your password.
If you use your social media password on other sites and somebody figures out your password, an enterprising criminal might go looking for other accounts of yours to ruin. Double or triple the fun!
This is the same password-reuse problem that Google and Facebook themselves warn you about!
Mitigation: Only use your social media passwords on sites that have no other personal information and no important data stored.
3 – What if Google or Facebook are Compromised?
This is a corollary to #2. You could have a 32-character gibberish Google password that nobody in the world could guess. But what happens when (not if) someone breaks into the password database at Google or Facebook? Think it can’t happen? It already happened to LinkedIn.
Google and Facebook are excellent at security, and there’s not much you personally can do to prevent an attack like this. So the risk here is low.
4 – Easy Tracking!
Do you think Google is going to sit back and not monitor your activity on that new site? Don’t you think that Facebook is tracking your activity and making it easier for that new site (or others) to know what you clicked on and what you liked? These companies didn’t implement OAuth out of the goodness of their hearts. They have something to gain, and that something is your behavior!
Mitigation: Don’t do it!
A Better Solution
The better way to solve the ballooning password problem is to use a password manager like Dash or LastPass. You choose one really super-strong, uncrackable password for your password manager, and then the password manager remembers all the rest. You can create 1000 different logins, each with a unique and impossible-to-guess password.