by Lisa Vaas
Facebook isn’t going to ask new users for their email password anymore, it said on Tuesday after a furious backlash.
A Twitter user called out the practice on Sunday, calling it “a HORRIBLE idea from an #infosec point of view.”
What Facebook called a “very small group of people” were getting prompted to enter the password for their personal email when they tried to verify new accounts, rather than the typical verification email or code sent to new users’ phones.
As The Daily Beast first reported, small print below the password field promised that “Facebook won’t store your password.”
You can certainly see why people might not have been reassured by that small text: passwords are supposed to be a secret you share with the service you create them for, and nobody else.
Besides which, Facebook has shown itself to be untrustworthy when handling passwords: one example is the passwords we use in two-factor authentication (2FA).
Another example is what Facebook admitted, a few weeks ago, are potentially hundreds of millions of places where it saved users’ passwords to disk in raw, unencrypted form.
Facebook dropped the request for email credentials like the hot potato it is, sending out this statement on Tuesday:
We understand the password verification option isn’t the best way to go about this, so we are going to stop offering it.
Swear an OAuth
Facebook didn’t name a specific number of people who got the request for email logins, but it did clarify why they were singled out: the alternative verification was originally designed for people signing up in a web browser with email providers that don’t support OAuth, an open standard for delegated access that acts as a key for logins.
OAuth is commonly used as a way …