Signing in to a site with Facebook or other single sign-in (SSO) providers

edited September 2014 in Lounge

I just have a general question about security. First, I appreciate the common advice to not use the same password for multiple web sites. That is one reason I am using 1Password 4 on my Mac Book Pro. Yet, more and more websites seem to offer the alternative of using Facebook to login to their sites instead of creating a new login credentials for their website. This is tempting, but if I use my Facebook credentials for all of these sites isn't this the same as using the same password over and over again?


  • Sort of, yes, but less risky. The problem with password reuse is that you can only ever be as strong as the weakest website. By using single sign-on portals like FB or Google you are effectively putting yourself at risk should someone break one of those services. Of course, the chances of someone breaking those services is smaller because they're putting more time and effort into security than any small site would. That's not to say that there's no risk, because there is. The overall safest option is, in my opinion, still individual site logins. However there is the possibility that a weak site cracked may leak data about you where had you been using a portal login that crack would not have occurred.

  • Thank you, Richard. I think I will try to use unique passwords. No doubt FB and Google are safe, but I would imagine they are attractive to hackers seeking their 15 minutes of fame.

  • You get most of the best of both worlds. Many sites you (or at least I) use have little personal information on me (forums, newspapers and the like). You could use a split strategy of using FB, Google et al. to handle your low priority logins and then use individual logins for commercial sites that take personal and/or financial information.

    That said, one other thing is that by using the common portal login systems, the portal provider may be able to link your usage of various sites. Most of the time I doubt you'll care, but something to consider.

  • chrisdj, AgileBits Support (Team Member)

    I have to agree with @RichardPayne that a strong, unique password is essential for each site. Let's take a bad scenario on the inverse, where somehow Facebook gets broken into. If you are using their single sign-on, there's a big problem with a lot of websites, at least until you can change your password again for Facebook (and they'd have to patch the exploit first).

    It's an unlikely scenario, but I may just be a little paranoid. :)

  • I never use "log in with Facebook" for anything. A lot of those sites want access to info that I have on Facebook and I just don't feel comfortable. I like having individual logins for everything. I even have a few email aliases for certain things. For my very important things I have one email address, for forums I use another, and then extras for other things. I even use one just for friends and family also (different domain also).

  • chrisdj, AgileBits Support (Team Member)

    Hi @prime,

    That’s a great way to do it. Keep up with the secure habit. :)

  • khad, Social Choreographer (Team Member)

    I just saw this here and thought I'd add a bit to the great info already shared above.

    If you were using "Log in with Facebook" on a site where there was a password breach you would not need to change your password. The way that single sign-on (SSO) systems work, the site would not be storing your Facebook password in any form whatsoever.

    However, SSO systems can work in a variety of ways. The way that Facebook's works is reasonably secure (as long as Facebook doesn't get breached), but it is also a privacy decision. By using Facebook's SSO, you are telling Facebook every time you log on to every other site you use with Facebook's SSO. Some people may not be comfortable with that.

    In contrast, with 1Password, we are not in a position to even gather such information. We can't know what you log into when. We really know nothing about your use of 1Password, and this is deeply part of the design.

    This again highlights the contrast between 1Password and SSOs. If Facebook turned evil, they could do a lot of damage. They could log you into any site or service with that "Log in with Facebook" system whether you want to be or not. They could lock you out of things. With 1Password, even if we were to turn evil, there is actually very little damage we could do because you control your data, and once you have purchased 1Password, AgileBits is not "involved" in any of your use of your data that you store within your copy of 1Password.

    Now you don't have to actually be concerned about anyone "turning evil" for that distinction to matter. If someone has the capacity to do damage, they can do it by accident. If someone does not have the capacity to do damage, then they couldn't do it even by accident.

    This is part of the "principle of least authority". Systems should be designed so that they have no more authority than needed to perform their function. With (most) SSOs you are ceding enormous authority regarding your logins to a single third party. With 1Password you are not.
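    A toy model of the three SSO properties described in this post (the site never holds your provider password, the provider sees every login, and the provider can vouch for anyone on its own). This is an added example, not Facebook's protocol or any 1Password/AgileBits code; the identity provider, site names, keys and user are all constructed.

```python
import hmac, hashlib, json, base64

# Toy single sign-on (SSO) model constructed for this thread; not Facebook's
# protocol or any 1Password/AgileBits code. The relying site stores only an
# IdP subject id, the IdP logs every login, and the IdP can issue assertions alone.

def _pw_hash(user, password):
    salt = hashlib.sha256(user.encode()).digest()   # constructed per-user salt
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class IdentityProvider:
    def __init__(self):
        self._pw_hashes, self._site_keys = {}, {}   # real IdPs sign tokens; HMAC keeps it short
        self.audit_log = []                         # (user, site) for every login issued

    def register_user(self, user, password):
        self._pw_hashes[user] = _pw_hash(user, password)

    def register_site(self, site):
        self._site_keys[site] = hashlib.sha256(f"key-{site}".encode()).digest()
        return self._site_keys[site]

    def _issue(self, user, site):
        body = json.dumps({"sub": user, "aud": site}).encode()
        tag = hmac.new(self._site_keys[site], body, hashlib.sha256).hexdigest()
        self.audit_log.append((user, site))         # privacy: the IdP learns each login
        return base64.b64encode(body).decode() + "." + tag

    def login(self, user, password, site):
        if not hmac.compare_digest(self._pw_hashes[user], _pw_hash(user, password)):
            raise PermissionError("bad password")
        return self._issue(user, site)

    def issue_without_consent(self, user, site):
        return self._issue(user, site)              # least authority: no password needed

class RelyingSite:
    def __init__(self, name, idp):
        self.name, self._key, self.accounts = name, idp.register_site(name), {}

    def accept(self, assertion):
        b64, tag = assertion.split(".")
        body = base64.b64decode(b64)
        if not hmac.compare_digest(hmac.new(self._key, body, hashlib.sha256).hexdigest(), tag):
            raise PermissionError("bad signature")
        claims = json.loads(body)
        if claims["aud"] != self.name:
            raise PermissionError("assertion meant for another site")
        self.accounts[claims["sub"]] = {"idp_subject": claims["sub"]}  # no password stored
        return claims["sub"]
```

A breach of `forum.accounts` exposes only the subject id, while `idp.audit_log` shows what the provider learns about every site you use.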

  • Excellent and really helpful post @khad: much appreciated and many thanks.


  • khad, Social Choreographer (Team Member)

    Always happy to help! Thank you for your steady stream of great posts here yourself. :)
