How safe and secure are social logins?
by Sarah Brown
More than 60% of Americans use social media platforms. Given their growing popularity, many websites now offer the option to sign in using social credentials instead of a username and password.
No more filling out endless signup forms just to make an online purchase? No more scrambling to remember which email address, username, and password combination you used?
It almost sounds too good to be true.
Turns out that may be the case. Social logins seem like an easy way to handle an ever-growing number of accounts, but could they cause more harm than good?
In theory, only having one password to sign you in anywhere seems great. It means there’s no chance of forgetting the credentials for your bank account, or which username and password to use to order more cereal on Amazon.
Unfortunately, password reuse makes you more vulnerable to data breaches. It only takes one breach to expose your information, giving hackers the keys to every account you’ve used that password for. And if you use the same password for your social media account, anyone with your password can access every account protected by your social login.
Something that was so simple to use could potentially turn into a nightmare that’s almost impossible to stop.
Facebook, Twitter, LinkedIn, Google. Between them, these four Internet giants have millions of users. Which means they have a lot to lose in the event of a password breach or hack, and they take the necessary steps to protect against it.
However, that doesn’t mean that the website you sign in to with your social account has the same level of protection in place. With access to so much of your personal data, there’s a lot at stake in the event of a hack or data breach.
Signing in to a website with your social credentials gives you full access, but social logins can be a two-way street. When you sign up and sign in using your social media accounts, you could be granting that site permission to access everything that’s stored in your social profiles. This can include all your interests, relationships, friends, locations, and even media preferences.
So, if I used Facebook to sign in to Pinterest and Pinterest was hacked, the hackers would have access to my boards full of crochet projects and ridiculous food ideas I’ll never make. But they could also end up with access to my entire list of friends, location data, and even personal identifying information like my phone number, birthdate, and family members’ names.
Having all that information leaves me vulnerable to further hacking and social engineering, with the potential to expose even more of my data.
For most websites, after you’ve created a username and password, you can edit your information as needed. Which means if you ever retire an email account, you can replace the original address with a new one to ensure that you won’t ever get locked out.
Unfortunately, this isn’t as simple if you created your account with a social login. When I first used Spotify, I was impatient and just wanted to get started without having to fill out a bunch of information and wait for a confirmation email. So I clicked the “Login with Facebook” option and minutes later I was dancing around my room to an awesome ‘90s mix.
Pretty awesome, right?
It was at first, but now, a few years later, I’ve started to think about closing my Facebook account. Only problem? My Spotify account. It turns out that if you created your account using a Facebook login, it’s not possible to disconnect the two. Which means if I shut down Facebook, I lose access to my Spotify account and would have to start over from scratch. I’d not only have to recreate a staggering number of playlists, but I’d lose all my recommendations, access to friends’ playlists, and my podcast history.
I mentioned earlier that Facebook, Twitter, LinkedIn, and Google all have large user bases, so it doesn’t seem likely that the big social networks would ever shut down. Especially given how entwined Facebook and Twitter have become with the Internet at large. However, Google recently announced that they would be shutting down Google+ sometime in 2019 due to a data breach.
So what happens to any websites or services you signed up for using your Google+ account? As of now, while Google has explored what will change going forward, they haven’t laid out how this shutdown will impact people who use Google+ to sign in to various websites. All we can do is speculate, but there’s a good chance those users will have to create new accounts for websites that don’t allow you to edit or change your sign-in information.
The best defense you have against password breaches and other attacks is to use complex and unique passwords for every site you visit. And yes, I know how hard it is to remember a different password for every single account, so that’s where a secure password manager like 1Password can help.
Not only will 1Password safely and securely store your passwords for you, but it will also allow you to generate strong, unique passwords when you need them! You’ll even be able to update and change your login information whenever needed, without being tied to a single social media account.
And as an added bonus? 1Password has never been hacked, so you know your information will stay safe and confidential, away from the prying eyes and grabby hands of identity thieves.