Giving Away Your Passwords

Rob Sobers
1 min read
Published March 30, 2012
Last updated October 21, 2021

You might have seen the headlines from the past couple of weeks detailing how some employers were demanding employees hand over their Facebook passwords or else. Privacy violation?  Just a little.

Unfortunately, the House voted down an amendment that would prevent employers from making this ludicrous request.  After reading the rebuttal, I’m hopeful that this legislation will make its way through in some form or another.

Thankfully, humans asking for your social media passwords during job interviews is a rare practice.

On the other hand, websites asking for your account passwords isn’t.  We call this the Password Anti-Pattern.   When a third-party website asks you to input your username and password to another service, like Facebook or Twitter, run for the hills!

Password Anti-Pattern

Notice how the site above is asking you directly for your Twitter password.  Bad!  What they should be doing is redirecting you to Twitter to authenticate in person, so to speak.  Like this:

OAuth (The Right Way)

Usually the intent of the website employing the Password Anti-Pattern is good – they’re not trying to be snoops (unless the site is actually an evil phishing site).   Rather, it’s likely they want to help you find your friends, import your photos, or in some way improve the experience of their application by connecting to others.

But despite the good intent, disastrous problems can arise.  Say you want to let App XYZ import your Gmail contacts.  The app asks you for your Gmail password and you happily hand it over.  Now you’re entrusting them to store that password securely, and the sad truth is, they’re probably not.

Now imagine you let 15 other apps do the same thing.  One of them is breached.  If you don’t change your Gmail password soon enough, they can lock you out.  What’s worse, most applications you use let you reset your password via email.  Thus we typically consider our email passwords keys to our castles.

Even if you do manage to change your Gmail password in time, now you have 14 apps that you have to update to reflect this change.  It’s a nightmare!

The good news is there’s a better way to grant one website safe, limited, and controlled access to another.  It’s called OAuth.  Think of it as a valet key.
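To make the valet-key point concrete, here is a small simulation added for this post (constructed toy code, not a real Gmail or OAuth API, and not from the original article): fifteen apps import your contacts, one of them is breached, and we compare what the attacker gets and how much cleanup you face when the apps stored your password versus a scoped, revocable token.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class MailProvider:
    """Toy stand-in for Gmail, constructed for this example (not a real API)."""
    password: str
    tokens: dict = field(default_factory=dict)  # token -> (app name, scope)

    def login(self, password):
        """Password Anti-Pattern: whoever holds the password holds the whole account."""
        if not secrets.compare_digest(password, self.password):
            raise PermissionError("bad password")
        return {"read_contacts", "change_password", "reset_other_accounts_via_email"}

    def authorize(self, app, scope):
        """Valet key: the user consents at the provider; the app only ever sees a scoped token."""
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (app, scope)
        return token

    def allowed(self, token, action):
        """Scope limits what a token may do; revocation ends it."""
        app, scope = self.tokens.get(token, (None, None))
        return app is not None and scope == "contacts:read" and action == "read_contacts"

    def revoke_app(self, app):
        """Cut off one app without touching the password or any other app."""
        for t in [t for t, (a, _) in self.tokens.items() if a == app]:
            del self.tokens[t]

def breach_scenario(n_apps=15, breached="App-7"):
    """Let n_apps import contacts both ways, then leak what the breached app stored."""
    apps = [f"App-{i}" for i in range(1, n_apps + 1)]
    anti = MailProvider(password="hunter2")            # anti-pattern: apps keep the raw password
    stored = {app: "hunter2" for app in apps}
    attacker_gets = anti.login(stored[breached])       # the whole castle
    anti.password = "n3w-p4ss"                         # user rotates in time, but...
    stale = sum(stored[a] != anti.password for a in apps if a != breached)
    oauth = MailProvider(password="hunter2")           # valet key: apps keep only a scoped token
    tokens = {app: oauth.authorize(app, "contacts:read") for app in apps}
    leaked = tokens[breached]
    leak_can = {act: oauth.allowed(leaked, act) for act in ("read_contacts", "change_password")}
    oauth.revoke_app(breached)                         # one click at the provider
    working = sum(oauth.allowed(tokens[a], "read_contacts") for a in apps if a != breached)
    return {"anti_attacker_can_change_password": "change_password" in attacker_gets,
            "anti_apps_to_update": stale, "oauth_leaked_token_can": leak_can,
            "oauth_apps_still_working": working, "oauth_password_rotated": oauth.password != "hunter2",
            "oauth_leaked_token_works_after_revoke": oauth.allowed(leaked, "read_contacts")}
```

With the password, the breached app's leak hands over the whole account and leaves 14 apps to update after you rotate; with the token, the leak can only read contacts, you revoke that one app, and the other 14 keep working with your password untouched.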

Stay tuned.  Next week we’ll talk more about OAuth – what it is, how it works, the pluses and the minuses.
