
The Dangers of Asking for Social Network Passwords

Steven Bellovin

In the last year or so, there's been a lot of controversy about some employers demanding social network passwords from employees or applicants. There's even been a bill introduced in Congress to bar the practice. The focus has been the privacy violation implied by such demands: "the legislation could ... protect the privacy of citizens"; "the bill is a win for businesses, schools, and privacy"; etc. Even the author, Rep. Eliot Engel (D-NY), said "this is a matter of personal privacy". All that is true, but these statements understate the problem; it's far worse than that, for a number of reasons.

The first issue is that a password gives the holder write access, not just read access, to the account. An employer may perceive some reason for wanting to see what's on someone's Facebook page; however, the password also lets them change privacy settings, create new content, etc. This is particularly serious in adversarial settings like divorce cases, where one party may be trying to impeach the other's credibility and suitability as a parent. The judge in one such case did try to limit the privacy invasiveness of his order by telling the parties not to prank each other.

"Neither party shall visit the website of the other's social network and post messages purporting to be the other," he included in the order.

I'm glad that Judge Shluger realized that aspect, but as I explain below, there are other ills.

The second issue is that people reuse passwords. Yes, the standard advice is to avoid doing so; most people don't follow that advice because they can't remember ℵ0 different passwords for their ℵ0 different web logins. This means that a social network password is often an email password, a bank account password, a work password, and more. Knowing someone's Facebook password probably gives you access to many other sites.

Even if passwords aren't directly reused, there's another problem: logins for social network sites are often used as credentials for other sites. Google is an official provider for NSTIC, the National Strategy for Trusted Identities in Cyberspace. Facebook is pushing its Facebook Connect service. Microsoft Live accounts can be used for access to some medical records. In other words, if you're logged in to one of these sites, you automatically have the credentials to reach many other sites, including some with very sensitive information. Facebook puts it this way:

Facebook helps you simplify and enhance user registration and sign-in by using Facebook as your login system. Users no longer need to fill in yet another registration form or remember another username and password to use your site. As long as the user is signed into Facebook, they are automatically signed into your site as well. Using Facebook for login provides you with all the information you need to create a social, personalized experience from the moment the user visits your site in their browser.

There are privacy issues there, too (Facebook knows everywhere else you visit), but there's a serious security problem if a Facebook password is ever disclosed to someone else: that person can also be "automatically signed into [the] site as well."

This is the crux of my concern: knowledge of a social network password lets you in to many other accounts, both directly and indirectly. I strongly suspect that few employers with such policies — more precisely, few of the executives who promulgated the policies at these companies — realize the danger. I also suspect that their attorneys do not realize the technical risks, either. However, it seems very likely that there are some people charged with executing the policies (especially folks in the IT department) who do understand it. There is thus a tremendous liability risk, one that few companies would willingly undertake: that corporate policies have exposed people to serious risks. Is this a chance worth taking?

By Steven Bellovin, Professor of Computer Science at Columbia University. More blog posts from Steven Bellovin can also be read here.

Related topics: Privacy, Security
