It is becoming more common that when you have just found a website you are interested in, you are prompted to login to gain full access to information and functions available through the website. A box pops up asking you to login like:
Click on the Sign in with Facebook or Sign in with Google
Click on the Create an Account
0voters
Clicking on Sign in with Facebook or Sign in with Google can seem the easy option as it saves time creating a new account and having to enter personal information create a username and passwords etc…but…are there risks? This website has some of the known pros and cons of different options.
What do you usually do? Are your concerned with the option you accepted…or the one you chose not to accept? Let us know your thoughts.
I do tend to sign in with Google account. Not Facebook.
If it is a web site I have no intention of frequenting, I just leave.
But my Google account leads nobody to anything that I would not want web sites to know about me, apart from Gmail email address which I don’t use, and maybe some Google search history and YouTube views.
To be honest it depends what the app is for - if it’s a shopping app and I’m likely to provide credit card details i will always create my own account
Otherwise i don’t mind how i access the app
On the plus side, I would trust Google to maintain the security of my userid and login far more than lots of Web sites on the Internet. Those Web sites that I sign onto using my Google userid do not have any knowledge of that userid and password.
On the minus side, the Web site gets access to information about me that Google will share.
I do not use the facebook or google quick link to access any site. For my ‘trusted’ site eg my Banks I use my real email address and a unique password. For the larger amount of ‘untrusted’ sites I use disposable email addresses and unique passwords. Some disposable addresses have been compromised and they get ditched, if I need to use the site in the future it is always with a new disposable address.
It isn’t perfect as an answer but it allows me to track when many of my logins may have been compromised.
I also don’t use the option for using Google or Facebook to login. On occasions, it would have been tempting with some of the information and time required to set up an new account, but, like others I don’t trust sharing potentially information with Google of Facebook as neither are likely to be looking after my interests.
This has resulted in almost 190 unique logins over the years. Such a number is impossible to manage without a good password manager.
And then, one day, your password manager will throw a wobbly. And then you will be helpless, since you will have no idea what the passwords are for any of those sites you have individual accounts for.
I think the OAuth Internet protocol is a better way to go. Combine that with 2FA on your trusted credentials holder, say Google, and it seems a much better way of handling lots of sites.
And very many sites these days want you to register, if only to ‘give you a better personalized experience’.
But keep sites you need to protect separately, like banking, separate.
Most websites have forgotten password functions which allow one to recreate their password manger, should the password manager data be stored locally and is corrupted or one forgets the master password for the manager. Inconvenient yes, disastrous no.
The other point I forgot to mention in my earlier post is if one doesn’t use two step verification for Google, Facebook etc, there is a very high risk of your password for these platforms being phished. With two step verification it becomes harder. As more and more sites require login to access content, the risks of going to a website specifically designed to harvest login data increase (do you really know the login for a new website is genuine). If Google, Facebook etc login information is phished, it can allow hackers access to every website where the login has been used. Creating unique logins avoids risks of phishing in such cases.
It is also worth noting that there have been data breaches at Facebook and Google. While the security on their platforms are considered at the leading edge, they are not immune to security breaches.
This website contains a contrasting view to that of AVG above…
There possibly isn’t a perfect solution as any login option has risks. Thinking one is better than the other might lead to a false sense of security. Knowing and accepting the risks, and also adopting measures to minimise risks is important to keep online activity more secure as more and more websites require an account/login created to access content.
Decisions about passwords are about security vs. convenience. We all love convenience, but sometimes security is the better option.
The other issue is ‘what I know’ vs. ‘what I have’. Passwords are the former, while most two factor authentication currently uses the latter as the second factor.
There are also password-free options beyond what Google and Microsoft are working towards.
I keep two password managers, one has cloud based retention (Lastpass) and the other is on disk (Keepass 2.51.1). Both databases are kept up to date. Failure of one does not mean loss of access.
My password manager is a small address book (hard copy not virtual) where under the appropriate letter, eg. A for Apple; M for Microsoft; F for Facebook etc I write down the company name and then a password – but in code. I use numbers and words/places/names which have specific meanings for me. e.g. " W’s birth yr. (2 digit)" – Only I know who I mean by W and when their birth year was.
Or – 'Holiday home’s town, digit subst, all LC - means the town where we have a holiday home, with the letters I or O substituted with a digit (if they occur) and all the letters are lower case, or it might be LL UC (last letter Upper Case). The only thing I have to worry about is losing the damn thing but so far we’re close to 2 decades in and so far so good.
same here. I use disposable email addresses and load them into lastpass. Spamex is a good site to buy a bundle of email addresses. And you have the ability to go to the Spamex site and turn off that address. If you want to you can also find out where your email gets given to by altering you gmail address. So if you are johnsmoth@gmail.com and you want to use a new site called bananas, you can give the site and address that includes that site such as john.bananas.smoth@gmail.com. you still get the email because you own johnsmoth. You can even do john.bananas.ford.service.free.stuff.smoth@gmail and you will still get the email.
Well I’ve used 1Password for several years and it hasn’t failed. However, it is becoming somewhat more convoluted to use as the need for tighter security becomes more important. But it does beat the 4 sheets of A4 I kept, carted around with me and constantly had to update. But I suppose the day could come when 1Password (or any password manager for that matter) is hacked. Presumably their security systems are tight, or the legal claims from thousands of subscribers would be horrendous.
Possible, absolutely. Likely, not really - although it depends to some extent on how the password manager implements its cryptography.
The important thing about decent password managers is that they have one task they have to get right, and the good ones are focussed on that. This is why the better companies do not even have your master password - it could be decrypted. Instead they keep a ‘hash’, based upon the password plus a random nonce (the latter means that if you use the same password as someone else, the hash will still be different). So your password ABCDEF is hashed together with a randomly generated nonce 05f3bc to produce what the company stores in its database as - say - Q2ef7-5Bk93dkk5l1. When you log in, you type ABCDEF. The password manager (or any website with decent security) then adds the nonce it used originally to produce a hash that should match what is in the company database.
As long as the password manager designer/s knew what they were doing, their software should protect your passwords even if someone finds a flaw in it - as long as that flaw is not in the implementation of encryption. Of course, they do not protect against human error such as falling prey to a phishing attack or installing malware on your device.
t’is but a mere idealist concept from times long gone …