Home / Blogs

The Dangers of Asking for Social Network Passwords

Steven Bellovin

In the last year or so, there's been a lot of controversy about some employers demanding social network passwords from employees or applicants. There's even been a bill introduced in Congress to bar the practice. The focus has been the privacy violation implied by such demands: "the legislation could .. protect the privacy of citizens”; "the bill is a win for businesses, schools, and privacy”; etc. Even the author, Rep. Eliot Engel (D-NY), said "this is a matter of personal privacy”. All that is true, but they understate the problem; it's far worse than that, for a number of reasons.

The first issue is that a password gives the holder write access, not just read access, to the account. An employer may perceive some reason for wanting to see what's on someone's Facebook page; however, the password lets them change privacy settings, create new content, etc. This is particularly serious in adversarial settings like divorce cases, where one party may be trying to impeach the other's credibility and suitability as a parent. The judge in the that case did

try to limit the privacy invasiveness of his order by telling theparties not to prank each other.

"Neither party shall visit the website of the other's social network and post messages purporting to be the other," he included in the order.

I'm glad that Judge Shluger realized that aspect, but as I explain below, there are other ills.

The second issue is that people reuse passwords. Yes, the standard advice is to avoid doing so; most people don't follow that advice because they can't remember ℵ0 different passwords for their ℵ0 different web logins. This means that a social network password is often an email password, a bank account password, a work password, and more. Knowing someone's Facebook password probably gives you access to many other sites.

Even if passwords aren't directly reused, there's another problem: logins for social network sites are often used as credentials for other sites. Google is an official provider for NSTIC, the National Strategy for Trusted Identities in Cyberspace. Facebook is pushing its Facebook Connect service. Microsoft Live accounts can be used for access to some medical records. In other words, if you're logged in to one of these sites, you automatically have the credentials to reach many other sites, including some with very sensitive information. Facebook puts it this way:

Facebook helps you simplify and enhance user registration and sign-in by using Facebook as your login system. Users no longer need to fill in yet another registration form or remember another username and password to use your site. As long as the user is signed into Facebook, they are automatically signed into your site as well. Using Facebook for login provides you with all the information you need to create a social, personalized experience from the moment the user visits your site in their browser.

There are privacy issues there, too (Facebook knows everywhere else you visit), but there's a serious security problem if a Facebook password is ever disclosed to someone else: that person can also be "automatically signed into [the] site as well."

This is the crux of my concern: knowledge of a social network password lets you in to many other accounts, both directly and indirectly. I strongly suspect that few employers with such policies — more precisely, few of the executives who promulgated the policies at these companies — realize the danger. I also suspect that their attorneys do not realize the technical risks, either. However, it seems very likely that there are some people charged with executing the policies (especially folks in the IT department) who do understand it. There is thus a tremendous liability risk, one that few companies would willingly undertake: that corporate policies have exposed people to serious risks. Is this a chance worth taking?

By Steven Bellovin, Professor of Computer Science at Columbia University. More blog posts from Steven Bellovin can also be read here.

Related topics: Privacy, Security

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

dotStrategy Selects Neustar's Registry Threat Mitigation Services for .BUZZ Registry

24 Million Home Routers Expose ISPs to Massive DNS-Based DDoS Attacks

What Does a DDoS Attack Look Like? (Watch First 3 Minutes of an Actual Attack)

Joining Forces to Advance Protection Against Growing Diversity of DDoS Attacks

Why Managed DNS Means Secure DNS

Rodney Joffe on Why DNS Has Become a Favorite Attack Vector

Motivated to Solve Problems at Verisign

Diversity, Openness and vBSDcon 2013

Neustar's Proposal for New gTLD Collision Risk Mitigation

IT Project Management: Best Practices in Small-Scale Engagements

DDoS Attacks in the United Kingdom: 2012 Annual Trends and Impact Survey

7 Keys to Professional Services Value: A Client-Side Perspective

Neustar Launches Global Partner Program

MarkMonitor Named a Top Trusted Website in OTA's 2013 Online Trust Honor Roll

Neustar Chief Technology Officer Appointed to FCC's Technological Advisory Council

Hope is Not a Strategy: Neustar Releases 2012 Annual DDoS Attack and Impact Survey

How Neustar Technology Can Help Mitigate DDoS Attacks

Reducing the Risks of BYOD with Nominum's Security Solution

Neustar Launches Enterprise Professional Services Offerings

Nominum Releases New Security Intelligence Application

Sponsored Topics