by mkjones 5002 days ago
1. What's irrelevant about having robust and constantly-evolving phishing detection, and optimized flows for getting people back into their accounts? Both of these are important in a high-quality login system IMO.

2. You're right that a lot of folks fail to even try for security, but I disagree that outsourcing password management to Facebook won't help them. If they get popped and have no passwords, all that leaks is the information specific to their site. If they get popped and have passwords, then in addition all those users' passwords (which they likely share with other sites) are now in the open. The damage has spread beyond the one clowny site and screwed over those users' experiences on wherever they shared passwords. We actually invest a fair amount of time in automated systems that look for leaked password dumps from such sites and help clean up users whose leaked passwords match their Facebook ones.

Also, even in cases where people did things more-right, it's still incredibly damaging. Look at LinkedIn (who was hashed but not salted) or Gawker (who was hashed and salted, albeit poorly).

3. I guess I didn't convey this very well, but my point was that building your own login system is difficult. Getting everything right to ensure it's secure is actually pretty difficult, and requires constant attention if you're under any kind of targeted attack.

As for making fake Facebook accounts... please don't do that. You'll just open yourself to a bunch of headaches, as we're pretty aggressive with removing fake accounts from the site.
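The two mechanisms this comment touches on, per-user salted hashing versus the unsalted scheme it attributes to LinkedIn, and matching a leaked plaintext dump against a site's own credential store to find users who reused a password, as an added example that is not part of the original comment and not Facebook's code. The user records, the leaked dump and the PBKDF2 parameters are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed parameters: PBKDF2-HMAC-SHA256 with a per-user random salt.
# Any modern password KDF (bcrypt, scrypt, Argon2) would serve the same point.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16

# Constructed sample accounts for the site under discussion.
OUR_USERS = {
    "alice@example.test": "correct horse",
    "bob@example.test": "hunter2",
    "carol@example.test": "Tr0ub4dor&3",
}

# Constructed sample of a plaintext dump leaked from some other site.
# alice reused her password there; bob used a different one; dave is not our user.
LEAKED_DUMP = {
    "alice@example.test": "correct horse",
    "bob@example.test": "something-else",
    "dave@example.test": "hunter2",
}


def unsalted_sha1(password: str) -> str:
    """The 'hashed but not salted' scheme: identical passwords give identical hashes,
    so one precomputed table cracks every user who chose that password."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is supplied."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def salted_digests_differ(password: str) -> bool:
    """Two users with the same password get different stored digests once salted."""
    _, first = hash_password(password)
    _, second = hash_password(password)
    return first != second


def build_store(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """What the site stores: email -> (salt, digest). Plaintext is never kept."""
    return {email: hash_password(pw) for email, pw in users.items()}


def find_reused_passwords(leaked: Dict[str, str],
                          store: Dict[str, Tuple[bytes, bytes]]) -> List[str]:
    """Emails from the leaked dump whose plaintext also verifies against our store.

    These are the accounts to force a reset on: the attacker who has the dump
    can log in here with the same credentials."""
    hits = []
    for email, leaked_pw in leaked.items():
        record = store.get(email)
        if record is not None and verify_password(leaked_pw, *record):
            hits.append(email)
    return sorted(hits)


if __name__ == "__main__":
    store = build_store(OUR_USERS)
    print("same unsalted hash for same password:",
          unsalted_sha1("hunter2") == unsalted_sha1("hunter2"))
    print("salted digests differ for same password:", salted_digests_differ("hunter2"))
    print("accounts to reset:", find_reused_passwords(LEAKED_DUMP, store))
```

The dump check only needs the leaked plaintext and the site's own salted records; the site never has to hold the leaked data in a form that could itself be reused, and a dump that only contains other sites' hashes cannot be matched this way unless those hashes are cracked first.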


Facebook has big target problems and fortunately has big target defence resources. That doesn't make it right for everybody.

1. If you are small, people won't be using your brand as the bait in anything other than spear-phishing, when your phishing detection won't work. Emails and password resets are pretty easy. If you need it, Twilio makes SMS resets pretty easy too, but in most cases that is probably overkill.

2. There probably is some benefit here.

3. There are fairly simple and clear best practices that are reasonable for most sites. Most people aren't under targeted attack although they should put a reasonable amount of effort into a reasonable defensive system.

Facebook integration (or other 3rd party login) also brings additional risks as they become a potential attack vector. This may seem unlikely unless you consider the possibility of staff, contractors or app developers finding a way in.
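The email-based password reset this reply calls easy still has a few details worth getting right: a high-entropy token, only a hash of it stored server-side, a short expiry, single use, and one outstanding token per account. The following is an added example of that flow and is not code from the original thread; the token store, the 15-minute lifetime and the injected clock are assumptions made for illustration.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Assumed lifetime for a reset link; short enough that a leaked mailbox
# is of limited use after the fact.
RESET_TTL_SECONDS = 15 * 60


class ResetTokenStore:
    """Tracks outstanding password-reset tokens for an application.

    Only a SHA-256 fingerprint of each token is stored, so a read of this
    table (a database dump, a log line) does not hand out usable reset links.
    The clock is injectable so expiry can be exercised deterministically."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        # fingerprint -> (email, expires_at)
        self._tokens: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str) -> str:
        """Create a token to embed in the emailed link. Earlier tokens for the
        same account are dropped so only the newest link works."""
        self._tokens = {fp: rec for fp, rec in self._tokens.items() if rec[0] != email}
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, URL safe
        self._tokens[self._fingerprint(token)] = (email, self._clock() + RESET_TTL_SECONDS)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the account email if the token is valid, else None.

        The token is removed on first presentation whether or not it has
        expired, so it can never be replayed."""
        record = self._tokens.pop(self._fingerprint(token), None)
        if record is None:
            return None
        email, expires_at = record
        if self._clock() > expires_at:
            return None
        return email

    def outstanding(self) -> int:
        return len(self._tokens)


def demo_reset_flow(now: float = 1_000_000.0) -> Dict[str, Optional[str]]:
    """Walk the flow with a fixed fake clock and report each step's outcome."""
    current = [now]
    store = ResetTokenStore(clock=lambda: current[0])

    old = store.issue("alice@example.test")
    new = store.issue("alice@example.test")      # supersedes `old`
    results = {
        "wrong_token": store.redeem("not-a-real-token"),
        "superseded_token": store.redeem(old),
        "fresh_token": store.redeem(new),
        "replayed_token": store.redeem(new),
    }

    late = store.issue("bob@example.test")
    current[0] = now + RESET_TTL_SECONDS + 1     # advance past expiry
    results["expired_token"] = store.redeem(late)
    return results


if __name__ == "__main__":
    for step, outcome in demo_reset_flow().items():
        print(f"{step}: {outcome}")
```

The fingerprint lookup keys on a SHA-256 of a 256-bit random token, so a dictionary lookup is sufficient; constant-time comparison only matters when the secret being compared is short or attacker-guessable. Rate limiting the issue endpoint and not revealing whether an email address exists are the remaining pieces a real deployment adds around this.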