The Dangers of Asking for Social Network Passwords

Steven Bellovin

In the last year or so, there's been a lot of controversy about some employers demanding social network passwords from employees or applicants. There's even been a bill introduced in Congress to bar the practice. The focus has been the privacy violation implied by such demands: "the legislation could .. protect the privacy of citizens"; "the bill is a win for businesses, schools, and privacy"; etc. Even the author, Rep. Eliot Engel (D-NY), said "this is a matter of personal privacy". All that is true, but they understate the problem; it's far worse than that, for a number of reasons.

The first issue is that a password gives the holder write access, not just read access, to the account. An employer may perceive some reason for wanting to see what's on someone's Facebook page; however, the password lets them change privacy settings, create new content, etc. This is particularly serious in adversarial settings like divorce cases, where one party may be trying to impeach the other's credibility and suitability as a parent. The judge in that case did

try to limit the privacy invasiveness of his order by telling the parties not to prank each other.

"Neither party shall visit the website of the other's social network and post messages purporting to be the other," he included in the order.

I'm glad that Judge Shluger realized that aspect, but as I explain below, there are other ills.

The second issue is that people reuse passwords. Yes, the standard advice is to avoid doing so; most people don't follow that advice because they can't remember ℵ₀ different passwords for their ℵ₀ different web logins. This means that a social network password is often an email password, a bank account password, a work password, and more. Knowing someone's Facebook password probably gives you access to many other sites.

Even if passwords aren't directly reused, there's another problem: logins for social network sites are often used as credentials for other sites. Google is an official provider for NSTIC, the National Strategy for Trusted Identities in Cyberspace. Facebook is pushing its Facebook Connect service. Microsoft Live accounts can be used for access to some medical records. In other words, if you're logged in to one of these sites, you automatically have the credentials to reach many other sites, including some with very sensitive information. Facebook puts it this way:

Facebook helps you simplify and enhance user registration and sign-in by using Facebook as your login system. Users no longer need to fill in yet another registration form or remember another username and password to use your site. As long as the user is signed into Facebook, they are automatically signed into your site as well. Using Facebook for login provides you with all the information you need to create a social, personalized experience from the moment the user visits your site in their browser.

There are privacy issues there, too (Facebook knows everywhere else you visit), but there's a serious security problem if a Facebook password is ever disclosed to someone else: that person can also be "automatically signed into [the] site as well."
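
The direct exposure (password reuse) and indirect exposure (federated login) described above can be worked through on a small account inventory. This is an added example, not part of the original post; the account names, password labels and the `exposure` function are constructed for illustration.

```python
from collections import deque

# Constructed inventory for one hypothetical user. "secret" is an opaque label
# for which memorised password the account uses (never the password itself);
# "sso_via" names the identity-provider account a site trusts for sign-in.
ACCOUNTS = {
    "facebook":      {"secret": "pw-A", "sso_via": None},
    "webmail":       {"secret": "pw-A", "sso_via": None},
    "work-vpn":      {"secret": "pw-A", "sso_via": None},
    "bank":          {"secret": "pw-B", "sso_via": None},
    "forum":         {"secret": "pw-C", "sso_via": None},
    "photo-site":    {"secret": None,   "sso_via": "facebook"},
    "health-portal": {"secret": None,   "sso_via": "webmail"},
}


def exposure(accounts, disclosed):
    """Return {account: reason} for every account exposed once the
    password of `disclosed` is handed to another party."""
    secret = accounts[disclosed]["secret"]
    reached = {disclosed: "password disclosed"}

    # Direct exposure: the same memorised password is used elsewhere.
    for name, acct in accounts.items():
        if name not in reached and secret is not None and acct["secret"] == secret:
            reached[name] = f"reuses password of {disclosed}"

    # Indirect exposure: sites that accept a sign-in from an exposed account.
    # Breadth-first so chains of federated logins are followed to the end.
    queue = deque(reached)
    while queue:
        idp = queue.popleft()
        for name, acct in accounts.items():
            if acct["sso_via"] == idp and name not in reached:
                reached[name] = f"federated login via {idp}"
                queue.append(name)
    return reached


if __name__ == "__main__":
    for account, reason in exposure(ACCOUNTS, "facebook").items():
        print(f"{account:14} {reason}")
```

In this constructed inventory, disclosing the one Facebook password exposes five of the seven accounts, including a health portal that never had a password of its own.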

This is the crux of my concern: knowledge of a social network password lets you in to many other accounts, both directly and indirectly. I strongly suspect that few employers with such policies — more precisely, few of the executives who promulgated the policies at these companies — realize the danger. I also suspect that their attorneys do not realize the technical risks, either. However, it seems very likely that there are some people charged with executing the policies (especially folks in the IT department) who do understand it. There is thus a tremendous liability risk, one that few companies would willingly undertake: that corporate policies have exposed people to serious risks. Is this a chance worth taking?

By Steven Bellovin, Professor of Computer Science at Columbia University. More blog posts from Steven Bellovin can also be read here.

Related topics: Privacy, Security