Giving Away Your Passwords

Last updated October 21, 2021

You might have seen the headlines from the past couple of weeks detailing how some employers were demanding employees hand over their Facebook passwords or else. Privacy violation?  Just a little.

Unfortunately, the House voted down an amendment that would prevent employers from making this ludicrous request.  After reading the rebuttal, I’m hopeful that this legislation will make its way through in some form or another.

Thankfully, humans asking for your social media passwords during job interviews is a rare practice.

On the other hand, websites asking for your passwords to other services is not rare at all. We call this the Password Anti-Pattern. When a third-party website asks you to enter your username and password for another service, like Facebook or Twitter, run for the hills!

[Screenshot: Password Anti-Pattern]

Notice how the site above is asking you directly for your Twitter password.  Bad!  What they should be doing is redirecting you to Twitter to authenticate in person, so to speak.  Like this:

[Screenshot: OAuth (The Right Way)]

Usually the intent of the website employing the Password Anti-Pattern is good – they’re not trying to be snoops (unless the site is actually an evil phishing site).   Rather, it’s likely they want to help you find your friends, import your photos, or in some way improve the experience of their application by connecting to others.

But despite the good intent, disastrous problems can arise.  Say you want to let App XYZ import your Gmail contacts.  The app asks you for your Gmail password and you happily hand it over.  Now you’re entrusting them to store that password securely, and the sad truth is, they’re probably not.

Now imagine you let 15 other apps do the same thing. One of them is breached. If you don't change your Gmail password soon enough, the attacker can lock you out. What's worse, most applications you use let you reset your password via email, so whoever controls your inbox can take over those accounts too. That is why we typically consider our email passwords the keys to our castles.

Even if you do manage to change your Gmail password in time, now you have 14 apps that you have to update to reflect this change.  It’s a nightmare!

The good news is there’s a better way to grant one website safe, limited, and controlled access to another.  It’s called OAuth.  Think of it as a valet key.
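To make the valet-key idea concrete, here is a small Python simulation added for this post (it is not code from the original article or from any real provider). It builds the redirect an app should send you to, then plays out the scenario above with a constructed stand-in for the provider's token service: App XYZ gets a token limited to reading contacts, is breached and revoked, and the other app's access survives untouched. The endpoint URL, app names, scope names and user "alice" are all made up.

```python
import secrets
from urllib.parse import urlencode

AUTHORIZE_ENDPOINT = "https://provider.example/oauth/authorize"  # hypothetical provider

def build_authorization_url(client_id, redirect_uri, scopes, state):
    """Send the user to the provider to log in there, asking only for the
    scopes the app needs; the app never sees the user's password."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,  # random per-request value, checked again on callback
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"

class ToyProvider:
    """Constructed stand-in for the provider's token service (not a real API)."""

    def __init__(self):
        self._grants = {}  # token -> {"user", "client", "scopes"}

    def issue_token(self, user, client_id, scopes):
        token = secrets.token_urlsafe(16)
        self._grants[token] = {"user": user, "client": client_id, "scopes": frozenset(scopes)}
        return token

    def allows(self, token, scope):
        """A token only opens what its scope lists: the valet key, not the master key."""
        grant = self._grants.get(token)
        return grant is not None and scope in grant["scopes"]

    def revoke_client(self, user, client_id):
        """Cut off one app without changing the password or touching other apps."""
        doomed = [t for t, g in self._grants.items() if g["user"] == user and g["client"] == client_id]
        for t in doomed:
            del self._grants[t]
        return len(doomed)

def valet_key_demo():
    """Two apps get scoped tokens; one is breached and revoked; the other keeps working."""
    provider = ToyProvider()
    xyz = provider.issue_token("alice", "app-xyz", ["contacts.read"])
    photos = provider.issue_token("alice", "photo-app", ["photos.read"])
    before = (provider.allows(xyz, "contacts.read"), provider.allows(xyz, "mail.send"))
    revoked = provider.revoke_client("alice", "app-xyz")  # App XYZ was breached
    after = (provider.allows(xyz, "contacts.read"), provider.allows(photos, "photos.read"))
    return {"before": before, "revoked": revoked, "after": after}
```

Contrast this with the anti-pattern, where the app holds your actual password: that secret opens everything, never expires, and revoking it means changing the password and updating every other app that also holds it.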

Stay tuned.  Next week we’ll talk more about OAuth – what it is, how it works, the pluses and the minuses.
