Should Facebook be your internet passport?

[Jeber]

The Registration plugin allows users to easily sign up for your website with their Facebook account. The plugin is a simple iframe that you can drop into your page. When logged into Facebook, users see a form that is pre-filled with their Facebook information where appropriate.

https://developers.facebook.com/docs..&...;/registration/Many sites are incorporating a plug-in that allows you to register using your Facebook account. Essentially the intent is to make your Facebook identity work as a passport to the web. One username, one password, web-wide access.This is a dubious development in the eyes of security professionals. Having a single point of validation to your online identity is like having a single key that unlocks and starts your car and opens your house doors. If you lose that one key someone can gain access to nearly everything you own and try to keep secure.Yet it can't be denied that people are becoming overwhelmed with login credentials. Just off the top of my head I can think of one credit union, 3 forums, 2 blogs and numerous websites that I regularly log into, each with its own requirements for a username and for which I have unique passwords. I do use a password manager that requires its own username and unique master password, but should that become compromised again all my info is at risk. It has become a single point of (potential) failure.So what's your opinion of this growing move to make a Facebook account your single login for nearly every site on the web? Will it make our online life easier and less complicated or will it become a major target for spammers, scammers and crooks? Do you use your Facebook account to log onto sites that allow it? Do you think it's a good or bad idea?I side with the security specialists. As cumbersome as it is, having unique identities for each site gives me greater control over what information each site has access to as well as greater peace of mind when I read about yet another site's database being compromised and user credentials being exposed. Having said that, I am considering installing the plugin on at least one of my blogs as an option for those who prefer to use it. But I'm not entirely convinced it's a good move.

[Guest LilBambi]

Hi Jeber,Great question. I personally would never use another login to sign into any other site, particularly Facebook, even if I was on Facebook.For security reasons, it is strongly advisable to create a login for a specific site, with a good safe strong password, and never mix them up or share the same password between sites. No two sites should have the same password for security reasons...ever.

[zlim]

No Facebook here. I do not want to be forced to open a Facebook account because the majority of websites think I need to.

[Guest LilBambi]

Too many sites are getting lazy like that. Really irritating.

[Tushman]

Hi Jeber,Great question. I personally would never use another login to sign into any other site, particularly Facebook, even if I was on Facebook.For security reasons, it is strongly advisable to create a login for a specific site, with a good safe strong password, and never mix them up or share the same password between sites. No two sites should have the same password for security reasons...ever.

I whole heartedly agree with that. It's amazing to me how so many kids these days think NOTHING of logging in with their Facebook information like that. People have absolutely no clue what is at risk by doing so. It certainly seems like a growing trend for various websites to try & be "facebook" friendly by offering their visitors to log in with their Face"ACHE" ID. I don't want to say it's criminal but it's downright lazy and caters to the lowest common denominator.As far as Face-ACHE is concerned, I have no use for them. They can KMSAS. I have an account that I created a few years ago but only for the sake of keeping in touch with a couple of friends. If it were to blow up tomorrow and be gone from the internet tomorrow, I wouldn't give a rats patooty.

[Corrine]

Apologies for the OT. This was posted at another forum I belong to and led to quite a discussion regarding Facebook:

When I bought my Blackberry, I thought about the 30-year business I ran with 1800 employees, all without a cell phone that plays music, takes videos, pictures and communicates with Facebook and Twitter. I signed up under duress for Twitter and Facebook, so my seven kids, their spouses, 13 grandkids and 2 great grand kids could communicate with me in the modern way. I figured I could handle something as simple as Twitter with only 140 characters of space. That was before one of my grandkids hooked me up for Tweeter, Tweetree, Twhirl, Twitterfon, Tweetie and Twittererific Tweetdeck, Twitpix and something that sends every message to my cell phone and every other program within the texting world. My phone was beeping every three minutes with the details of everything except the bowel movements of the entire next generation. I am not ready to live like this. I keep my cell phone in the garage in my golf bag. The kids bought me a GPS for my last birthday because they say I get lost every now and then going over to the grocery store or library. I keep that in a box under my tool bench with the Blue tooth [it's red] phone I am supposed to use when I drive. I wore it once and was standing in line at Barnes and Noble talking to my wife and everyone in the nearest 50 yards was glaring at me. I had to take my hearing aid out to use it, and I got a little loud. I mean the GPS looked pretty smart on my dash board, but the lady inside that gadget was the most annoying, rudest person I had run into in a long time. Every 10 minutes, she would sarcastically say, "Re-calc-u-lating." You would think that she could be nicer. It was like she could barely tolerate me. She would let go with a deep sigh and then tell me to make a U-turn at the next light. Then if I made a right turn instead. Well, it was not a good relationship. When I get really lost now, I call my wife and tell her the name of the cross streets and while she is starting to develop the same tone as Gypsy, the GPS lady, at least she loves me. To be perfectly frank, I am still trying to learn how to use the cordless phones in our house. We have had them for 4 years, but I still haven't figured out how I can lose three phones all at once and have run around digging under chair cushions and checking bathrooms and the dirty laundry baskets when the phone rings. The world is just getting too complex for me. They even mess me up every time I go to the grocery store. You would think they could settle on something themselves but this sudden "Paper or Plastic?" every time I check out just knocks me for a loop. I bought some of those cloth reusable bags to avoid looking confused, but I never remember to take them in with me. Now I toss it back to them. When they ask me, "Paper or Plastic?" I just say, "Doesn't matter to me. I am bi-sacksual." Then it's their turn to stare at me with a blank look. I was recently asked if I tweet. I answered, No, but I do toot a lot."

Back to the password issue, although I use Facebook, I would not want to use it as a common logon account for another site. I have a lot of family and friends who live out of town and Facebook is an easy medium for my daughter to share pictures, etc. not only with us but also with her husband's very large family. FB has also provided a simple medium for staying in contact with people I used to work with as well as reconnecting with a number of old friends. That said, I have fairly tight privacy settings on Facebook mainly because of the data mining and the way others really don't seem to care what is shared to apps with the games they play. I've been presented with the opportunity to use G-mail for logon credentials and recall there are a couple of apps that are accepted by multiple "venues". I may be Corrine at most sites but each site has a unique password and most certainly do not want to use my Facebook account to log on to any other site..

[Guest LilBambi]

:' /> Great piece Corrine! No apologies necessary, great read. I totally agree regarding Facebook, even when I did have a Facebook account (which has long since been deactivated and ultimately deleted), I would never have used it as a common login, or as even a single login to another site.It's just not a wise move to do.Do you use the same password for every website? by Graham Cluley at Sophos

Very few computer users seem to have woken up to the risks of using weak passwords and the same ones for every site they visit. With social networking and other internet accounts now even more popular, there's plenty on offer for hackers and by using the same password to access Facebook, Amazon and your online bank account, you're making it much easier for them.Once one password has been compromised, it's only a matter of time before the fraudsters will be able to gain access to your other accounts and steal information for financial gain.

And that's just a small piece of the article. Well worth a read.I am sure that our own Aryeh, or one of his compatriots at ESET have also written some articles about this over time.

[Corrine]

Do you use the same password for every website? by Graham Cluley at SophosAnd that's just a small piece of the article. Well worth a read.

All of Graham Cluley's articles are well worth a read.

I am sure that our own Aryeh, or one of his compatriots at ESET have also written some articles about this over time.

David Harley certainly must have. His articles show up all over the place. It seems like that man blogs 24/7. Like Aryeh, he's an ESET Senior Research Fellow.

[Tushman]

I have a lot of family and friends who live out of town and Facebook is an easy medium for my daughter to share pictures, etc. not only with us but also with her husband's very large family. FB has also provided a simple medium for staying in contact with people I used to work with as well as reconnecting with a number of old friends.

We've had discussions on this forum about the benefits of using Facebook & Twitter. I have a Facebook account but I don't particularly find it useful or even enjoyable to use. What in the world did we do as a society before sites like Facebook & Google became popular? That's right - we did it the old fashion way. Whether it was picking up the phone to say hello to grandma & grandpa or sending an actual photograph to a family member, people STILL FOUND OTHER ways to communicate. I will concede that Facebook seems to have found the corner market for easy medium/access for staying in touch with family members or loved ones. The reasons for their success are many I suppose. My beef with with Face-ACHE is their seemingly careless attitude for privacy. They've done a lot in recent past to address the concerns of their users who've complained about the lack of it, but they sure did a piss poor job in the very beginning. I will give credit to them for stepping up their game and providing more security controls. But how much more harder would have it been if they had kept data privacy a top priority from the get go? Probably not much more effort. Certainly would not have outweighed the peace of mind and security that it would afforded their users.In terms of people using their facebook password for all website is just downright laziness. People don't want a 100 passwords to remember - that I can understand. But there are ways to manage passwords either by using 3rd party apps or a good decent browser like Firefox that can remember passwords for you. Aactually, most if not ALL modern browsers today come with a password manager so in my mind, there is no legitimate excuse to use one generic password for all websites.

[Corrine]

This needs to be repeated:

there is no legitimate excuse to use one generic password for all websites

[Guest LilBambi]

Precisely!No excuse at all.Strong/Secure Password GeneratorsSecure Password Generator (PCTools)Strong Password GeneratorMore out there...Or get a Password Keeper program which also helps generate strong/secure passwords and save them for you:KeyPass Password Safe Downloads page has it for Windows/Mac/Linux and a wide range of devices including Android, Blackberry, PalmOS, J2ME.As well as many for Windows (like RoboForm), Mac/Windows and iOS/Android like (1Password). Many others out there. These are just a few.Always make backups of the database and/or burn to disk or flash drive so you never lose the data.There really is no excuse to use the same password for every site or have to remember a long, strong/secure password ever again. And most of these generators/keepers programs have a way to have a master key to even keep the database safe.

[Tushman]

Precisely!No excuse at all.Strong/Secure Password GeneratorsSecure Password Generator (PCTools)Strong Password GeneratorMore out there...

Thanks for those links. About a month ago, I ran across a website (one of Microsoft's employees) who gave a good tip for coming up with strong passwords that are easy to remember. May have been someone's blog - can't quite remember. She said instead of using common words found in the dictionary, try the following that's much tougher to crack.If your son's favorite hobby is train models for example, usemsfhibtmIt's the first letter of each word in the sentence:My son's favorite hobby is building train models.You can use variations on this theme using a little bit of creativity (i.e. add numbers or special characters, etc.)

[Guest LilBambi]

Great idea! Still will need a place to keep the passwords.And thinking of passwords reminds me that we are not immortal. Should have a place known to your spouse, or in one's will that has the location of the master password so the rest can be used by those who may need them to get to banks, credit cards, let folks know on sites they frequent (like the forums, etc.

[V.T. Eric Layton]

Should Facebook be your internet passport?

Man! I hope not. I don't participate in Facebook, nor do I plan on it. It's bad enough that Google is taking over the world. I'll have to pass on FB.

[Peachy]

But isn't this the same ideas as OpenID? In principle I support OpenID as a standard for authentication. If a web site supports OpenID than it is possible to use Facebook, Flickr, Yahoo, MSN, or any other OpenID consumer to authenticate you.The mechanism works like this: Website A allows you to use an OpenID to authenticate to their site. User enters their OpenID (Facebook, Flickr, Yahoo, OpenID) username and then is re-directed to Website B (Facebook, Flickr, Yahoo, or OpenID) where they log in and is then automatically re-directed to Website A where they can then proceed into the site. In the background, Website B tells Website A it can trust this user. Benefit: Website A does not store any login information about you. You already trust Website B because you use it.Also, if you don't feel this is a secure idea (I can't really see any flaw in it) you can strengthen it with a security token. In my case I own a YubiKey in conjunction with my OpenID. In this case I use Yubico.com as my OpenID provider. I can't be compromised online because I need the Yubikey to complete the authentication. Sure, if I lose the Yubikey I'm screwed, but I just buy a new one and reset my OpenID to use this key.

[Guest LilBambi]

Actually, if you think about it, OpenID is not at all the same as using Facebook login for other websites. Your own computer's security and your own security through your own memory issues are about the only concerns or maybe some timing issues.But it has nothing to do with who your friends are, or what games they maybe involved with, or who their friends, or how lax their security is are on a security issue ridden web 2.0 website.I respectfully suggest these two are totally different.

[ChipDoc]

I have a solution which works well in almost all cases: http://bugmenot.com/Now if I actually wish to join and participate, I create my own login. But in most cases, using a generic one from BugMeNot works fine. If they REALLY want to get me, they can trace my IP address in any case.