
Login to accounts w/ Facebook/Google/Yahoo/OpenID

I'm wondering for commenting on sites like Engadget or The Verge, does it make sense to sign up for your own account? Or would it make sense to leverage Facebook or Google for your login? I'm asking from a security perspective because if it's yet another user registration, it's another chance for the account to get compromised.

So if your Google account is set up with a strong password + 2FA, would it make more sense to use that login? I suppose the immediate disadvantage I see is that everything is tied to your account, so your Google profile will define who you are online, and it'll be harder to troll 😀. There's also the concern that one day The Verge could be compromised and they could use your Google credentials to do things.

Edit: So I guess I'm talking about OAuth. I couldn't come up with the term at the moment of writing this post, but I guess I'm weighing the security risks of individual logins versus using OAuth.
 
If you use a different password for each login it doesn't matter. The problem with compromised accounts is that:
A: Your password might be leaked
B: Your email has most definitely leaked
C: Secret question might be leaked
D: If it's a shop, then your CC info.

So using a different password for each login mitigates the biggest threat. You could even consider using a separate email for all your online logins. I do that. I have a separate email for forums, comment fields, one time purchases and so on. I also use a different password at each separate site.

I use my primary email for all my primary accounts like Twitter, Bank, Facebook, Origin, Steam, Amazon etc.
 
There's also the concern that one day The Verge could be compromised and they could use your Google credentials to do things.

That is not how it works. When you use your Google (or Facebook/Twitter/etc.) account to log in somewhere else, your Google credentials are not used on the other site. Instead, Google verifies that your credentials are OK, and sends a token (not sure if token is technically the right term) to the other site which accepts the token and logs you in.
 
My solution is to use an add-on for Firefox and Palemoon called PWDHash. It is developed by a guy from Stanford University and it does three things:

A) Generates a unique password for each site with the same user input password.

B) Mitigates phishing attempts since the password generated is URL based.

C) Blocks key-loggers since the password is invisibly inputted behind the scenes.

Check it out.

https://www.pwdhash.com/

https://addons.mozilla.org/en-US/firefox/addon/pwdhash/?src=search

I just have one password for all my logins! LOL!
 
To my knowledge the technology used for cross site authentication is strong, so the only security issue you have is really that if one account is compromised then they all are; that's obviously unavoidable though.
 
That is not how it works. When you use your Google (or Facebook/Twitter/etc.) account to log in somewhere else, your Google credentials are not used on the other site. Instead, Google verifies that your credentials are OK, and sends a token (not sure if token is technically the right term) to the other site which accepts the token and logs you in.
Right but it's given permissions to do things, so if TheVerge gets hacked someday, they can abuse those permissions and do things. It's not so much your login credentials get stolen.
 
Only if you agree to let another site or app use certain features of your profile. You can do basic auth with Facebook without them knowing your username and password, and without needing to give that site access to any of your Facebook features.

It entirely depends on the 3rd party site and how they wish to use Facebook. Either way, Facebook tells you explicitly what the site is requesting of your profile; if they get hacked, they would have that level of access to your account if you were logged in.
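
To make the point about requested permissions concrete, here is an added example (not part of the thread): it splits the `scope` parameter of an OAuth 2.0 authorization request into sign-in-only scopes and scopes that delegate further access. The URLs, client ID and redirect host are constructed, and the identity-only set is an assumption for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption for this example: scopes that only identify the user at sign-in.
IDENTITY_ONLY = {"openid", "email", "profile", "public_profile"}

def review_scopes(authorization_url):
    """Split the scopes of an OAuth 2.0 authorization request into
    identity-only scopes and scopes that delegate further access."""
    query = parse_qs(urlsplit(authorization_url).query)
    raw = " ".join(query.get("scope", []))
    # OAuth 2.0 separates scopes with spaces; Facebook also accepts commas.
    scopes = set(raw.replace(",", " ").split())
    return {
        "identity": sorted(scopes & IDENTITY_ONLY),
        "delegated": sorted(scopes - IDENTITY_ONLY),
    }

# Constructed requests (placeholder client ID, fictitious relying site).
SIGN_IN_ONLY = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE_CLIENT_ID"
    "&response_type=code&redirect_uri=https%3A%2F%2Fcomments.example%2Fcb"
    "&scope=openid%20email%20profile"
)
BROAD = (
    "https://www.facebook.com/dialog/oauth?client_id=EXAMPLE_CLIENT_ID"
    "&redirect_uri=https%3A%2F%2Fcomments.example%2Fcb"
    "&scope=public_profile,email,user_friends,user_posts"
)

if __name__ == "__main__":
    for url in (SIGN_IN_ONLY, BROAD):
        print(review_scopes(url))
```

Anything listed under `delegated` is what a stolen token from the commenting site would still be able to reach; an empty list means the login only proves who you are.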
 
My solution is to use an add-on for Firefox and Palemoon called PWDHash. It is developed by a guy from Stanford University and it does three things:

A) Generates a unique password for each site with the same user input password.

B) Mitigates phishing attempts since the password generated is URL based.

C) Blocks key-loggers since the password is invisibly inputted behind the scenes.

Check it out.

https://www.pwdhash.com/

https://addons.mozilla.org/en-US/firefox/addon/pwdhash/?src=search

I just have one password for all my logins! LOL!

But if that one password was compromised all of your accounts would be?
 
No, one password generates unique passwords per site. You never see the password that is generated. It's all based on the URL.

One password, multiple sites. All passwords are unique.
 
But if that one password was compromised all of your accounts would be?

No, one password generates unique passwords per site. You never see the password that is generated. It's all based on the URL.

One password, multiple sites. All passwords are unique.
To elaborate on what John Connor wrote.

The password is generated from a single user defined password and the URL of the website.

For example

URL = anandtech.com
Personal Password = MySecret1986*

Then you add the two together to form a unique key:
Key = anandtech.comMySecret1986*

Then you take the key and run it through a hashing function. In this example I just used SHA1.

And we get this as an output, which would be our password:
String = e7d8b9dd33724d3210c6746e32eb81fb43ac6368

Each time you run anandtech.comMySecret1986* through the hashing function it will always return the same string as shown above. If you change a single character or add a character the string will be different. It's the string that you use as your website password.

Of course you don't want people to know your secret password.
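
The derivation described in the post above, as an added example that is not part of the thread and is not the PwdHash add-on's code. `thread_scheme` follows the post (SHA-1 over domain + password); `stretched_scheme` and `site_id` are hypothetical helpers, and the lookalike hostname is constructed. It also shows one thing the post does not: plain concatenation lets two different (domain, password) pairs build the same key.

```python
import base64
import hashlib
from urllib.parse import urlsplit

def site_id(url):
    """Lower-cased hostname of the page asking for the password.
    Assumption: real tools reduce this to the registrable domain."""
    return (urlsplit(url).hostname or "").lower()

def thread_scheme(domain, master):
    """Scheme from the post above: SHA-1 over domain + password, as hex."""
    return hashlib.sha1((domain + master).encode("utf-8")).hexdigest()

def stretched_scheme(domain, master, iterations=200_000, length=16):
    """Hypothetical hardened variant: PBKDF2-HMAC-SHA256 with the master
    password as the secret and the domain as the salt. The two inputs stay
    separate, and each guess at the master costs `iterations` hashes."""
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              domain.encode("utf-8"), iterations)
    return base64.urlsafe_b64encode(raw).decode("ascii")[:length]

def demo():
    master = "MySecret1986*"  # example password from the post
    real = site_id("https://anandtech.com/login")
    fake = site_id("https://anandtech.com.login.example/")  # constructed lookalike
    return {
        # Same inputs always give the same site password.
        "deterministic": thread_scheme(real, master) == thread_scheme(real, master),
        # A page on another host derives a different password.
        "lookalike_differs": thread_scheme(real, master) != thread_scheme(fake, master),
        # Both pairs below concatenate to the key "example.comSecret".
        "concat_collides": thread_scheme("example.com", "Secret")
                           == thread_scheme("example.co", "mSecret"),
        # Keeping secret and salt as separate inputs removes that ambiguity.
        "separate_inputs_differ": stretched_scheme("example.com", "Secret")
                                  != stretched_scheme("example.co", "mSecret"),
    }

if __name__ == "__main__":
    print(demo())
```

With a single fast hash, a site password leaked in plaintext lets someone test guesses at the master password offline at full speed; the iteration count in the stretched variant is what raises that cost.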
 