by goldpizza44 723 days ago
Sounds like he was simulating openid-connect flows by saying "login with Google" or "login with Facebook" and then storing the credentials entered, which would be cleartext.

I am always suspicious of these flows for specifically this reason. The flows are secure as long as you know you are talking to the correct identity provider, but I think most laymen would not understand that concept.


This is why using a password manager with browser integration is critical. If the password doesn't auto-fill something is wrong.
Gotta be careful with that too. If your password manager offers to auto-fill on the base domain - for example, *.google.com, it would be fooled by any phishing site hosted on google sites or google forms.
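The matching rule the comment above describes is the whole difference between a password manager that catches a phishing page and one that helps fill it in. The example below is added here and is not code from the thread or from any real password manager: it implements two autofill policies side by side, one that matches on the registrable ("base") domain and one that requires an exact origin match, and runs both over constructed URLs, including a page hosted on a subdomain of the legitimate service. The `PUBLIC_SUFFIXES` table is a hand-written stand-in for the Public Suffix List, and every hostname other than the Google ones is a made-up sample.

```python
# Added example (not from the HN thread): compare two autofill-matching
# policies a password manager might use. The hostnames below are constructed
# samples; PUBLIC_SUFFIXES is a toy stand-in for the real Public Suffix List.
from urllib.parse import urlsplit

# Assumption: a real manager consults the full Public Suffix List; this small
# table is enough to drive the comparison below.
PUBLIC_SUFFIXES = {"com", "net", "co.uk", "github.io"}


def registrable_domain(host):
    """Return the eTLD+1 for host (e.g. 'sites.google.com' -> 'google.com')."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix to the shortest so that
    # 'co.uk' is recognised before 'uk' would be.
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def origin(url):
    """(scheme, host, port) tuple, with the default port filled in."""
    parts = urlsplit(url)
    if not parts.hostname:
        raise ValueError("URL has no host: %r" % url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme.lower(), parts.hostname.lower(), port)


def autofill_allowed(saved_url, page_url, policy):
    """Decide whether a credential saved at saved_url may be filled on page_url."""
    if policy == "exact_origin":
        # Scheme, host and port must all match the origin the credential was saved on.
        return origin(saved_url) == origin(page_url)
    if policy == "base_domain":
        # Any host under the same registrable domain qualifies; scheme is ignored.
        saved_host = urlsplit(saved_url).hostname or ""
        page_host = urlsplit(page_url).hostname or ""
        return registrable_domain(saved_host) == registrable_domain(page_host)
    raise ValueError("unknown policy: %r" % policy)


# Constructed scenario: a Google credential saved on the real sign-in origin,
# then four pages that a user might land on.
SAVED = "https://accounts.google.com/signin"
PAGES = {
    "legit": "https://accounts.google.com/v3/signin/identifier",
    # A page on a different Google subdomain (the case the comment warns about).
    "sites": "https://sites.google.com/view/constructed-phish",
    # A lookalike on an unrelated registrable domain (constructed name).
    "lookalike": "https://accounts.google.com.constructed-example.net/login",
    # Same host, but plain HTTP.
    "http_downgrade": "http://accounts.google.com/signin",
}


def evaluate(policy):
    """Map each constructed page to the autofill decision under the given policy."""
    return {name: autofill_allowed(SAVED, url, policy) for name, url in PAGES.items()}


if __name__ == "__main__":
    for policy in ("base_domain", "exact_origin"):
        print(policy)
        for name, allowed in evaluate(policy).items():
            print("  %-15s %s" % (name, "fill" if allowed else "refuse"))
```

Under the base-domain policy the subdomain page and the HTTP downgrade both get filled, while only the lookalike is refused; under the exact-origin policy only the genuine sign-in origin is filled. Managers lean towards base-domain matching because services often spread login across several subdomains, so the practical check is to look at what the manager refused to fill and treat that as the signal the comment describes.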
Wow, that seems like a huge security risk for Google that people can create phishing sites on their auth domain. I don’t think Google Forms allows login forms, but I’m surprised Google Sites would offer hosting on the primary Google domain.
Or use a passkey.