Facebook Asks New Users for Password to Email Account

John Lister's picture

Facebook has asked some new users to provide passwords for their email accounts. It's provoked fury among critics who say it goes against basic rules of online security.

Often when a user signs up for an online service they provide an email address as a form of identification. The service will normally check the address is genuine by sending a code or a link in an email to the address, thus proving the user does indeed "own" that address.
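The link-based check described above, sketched as an added example (not code from Facebook or from this article): the service emails a signed, expiring, single-use token and only ever sees that token come back, never the mailbox password. The names `issue_token` and `verify_token`, the in-memory nonce set and the `example.test` addresses are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # constructed per-process key; a real service loads it from a secret store
TOKEN_TTL = 15 * 60                   # assumed lifetime of a verification link, in seconds
_used_nonces = set()                  # assumed single-use tracking; a real service uses a shared datastore

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id, email, now=None):
    """Build the value that goes into the emailed link for this signup."""
    now = int(time.time()) if now is None else now
    claims = {"uid": user_id, "email": email.lower(),
              "exp": now + TOKEN_TTL, "nonce": secrets.token_hex(16)}
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)

def verify_token(token, user_id, email, now=None):
    """Return True only for an untampered, unexpired, unused token bound to this user and address."""
    now = int(time.time()) if now is None else now
    try:
        p64, t64 = token.split(".")
        payload, tag = _unb64(p64), _unb64(t64)
        expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
        # Check the signature before parsing anything, in constant time.
        if not hmac.compare_digest(tag, expected):
            return False
        claims = json.loads(payload)
        if claims["uid"] != user_id or claims["email"] != email.lower():
            return False
        if now >= claims["exp"] or claims["nonce"] in _used_nonces:
            return False
    except (ValueError, KeyError, TypeError):
        return False  # malformed token: wrong shape, bad base64 or bad JSON
    _used_nonces.add(claims["nonce"])  # a link proves ownership once, then is dead
    return True

if __name__ == "__main__":
    link_token = issue_token("u1", "alice@example.test")
    print(verify_token(link_token, "u1", "alice@example.test"))  # first click
    print(verify_token(link_token, "u1", "alice@example.test"))  # replayed link
```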

However, some people signing up to Facebook have instead been seeing a screen that offers to confirm the email address automatically. The screen includes a box into which the user types their email password, which Facebook then uses to verify the address is correct. It appears Facebook does so by logging in to the user's email account through an automated process.

It's a spectacularly bad move on Facebook's part: as security consultant Jake Williams told the Daily Beast, it is "beyond sketchy." That's for several reasons. (Source: thedailybeast.com)

Move Undermines Basic Safety

Firstly, there's no valid reason why Facebook should ever have access to a user's email password or account.

While some sites do let people use their social media accounts (including, ironically, Facebook) as an alternative way to show identity, this always works by redirecting the user to the social media account. The site they are signing up to doesn't access their login details.

Secondly, there's a serious danger that Facebook doing this could "normalize" the idea of handing over an email address and password to a third party - something that's particularly risky among less experienced computer users.

Once a scammer gets into an email account, for example, it becomes far easier to access the same user's other online accounts. This is especially true of password resets: a reset requested on another site may be linked to the compromised email account.

Finally, it raises the risk of a phishing attack. If it became established that Facebook asks for an email password, scammers would be much more likely to pull off similar attacks where they create a bogus page that looks like Facebook and asks for the password.

Facebook Abandons Policy

Confronted with the criticism, Facebook said it only used the method in a few cases, mainly with less reputable email services.

It added that it did not store the password after checking the email account. It also said users could choose other methods of verification such as an email link or a code sent by SMS, though these only appeared if the user spotted a button marked "Need help?"

Fortunately Facebook has now scrapped the policy altogether, saying "We understand the password verification option isn't the best way to go about this, so we are going to stop offering it." (Source: gizmodo.co.uk)

What's Your Opinion?

Would you provide your email password if Facebook asked for it? Was this a bad example for Facebook to be setting? Are you surprised Facebook would use such a method?


Comments

Dennis Faas's picture

Whoever thought this one up is an idiot. There are so many ways to verify that you own an email account - one of them being to click on an 'activation link' as mentioned in this article. Facebook should never, ever need your email account and password for that account. That would have opened up major privacy issues, let alone create a new era in ways to scam users through phishing attacks.

kitekrazy's picture

It's sad that there is never a shortage of stupid in the tech field.

Jim's picture

Didn't they used to ask for your email password so they could access your contacts, so they could add them to your "People You May Know" list? Or was that only on mobile phones? I never use FB on my phone, only on my Windows computer, so I don't know for sure, but I seem to recall something along those lines.

lgwhitlock_3287's picture

Facebook is not the only service to request an email password. I also have seen this with LinkedIn. Their stated purpose was to access your contacts to add more connections. I refused. All services should not request this. There are other ways to get access that do not require your password.

davolente_10330's picture

The ultimate answer to Facebook and other similar so-called "social networks" is not to use them at all and avoid being turned into a zombie! I have no enthusiasm for them in the slightest. An invention of the devil! Seems most folk on these sites are obsessed with posting the tiniest details of their life to the whole wide world, which no sane person would have the slightest interest in. I was trying to have a quiet meal out not so long ago and virtually all the loud idiotic members of a family near my table were photographing their food and obviously posting as they were eating. What crass bad manners and ignorance. Keep away, I say and maintain a brain!

bobbyvn's picture

I agree with davolente_10330 entirely! I have a Facebook account but use it to access posts from my adult children and grandchild. With two exceptions, I have not "friended" anyone outside my immediate family. My observation - what a total waste of time.

I am not interested in what "friends" have had for breakfast or dinner. Nor am I interested in the insignificant details they have experienced at work or school. If something significant has occurred, they can email or text or - heaven forbid, use the phone.

Maybe I will be accused of being a Luddite, but IMO, Facebook is a total "suck me in to the abyss" activity.